The government’s announcement of renewed emphasis on cybersecurity enforcement has spawned recent million-dollar enforcement actions. Continued government attention on cybersecurity promises a treacherous enforcement environment in 2023 and beyond.
Several recent government initiatives have focused on cybersecurity enforcement. Towards the end of 2021, the Department of Justice announced a Civil Cyber-Fraud Initiative to use the False Claims Act (“FCA”) to hold companies and individuals accountable for: 1) deficient cybersecurity; 2) misrepresentations of cybersecurity; and/or 3) insufficient monitoring or reporting of cybersecurity incidents. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) now requires the Cybersecurity and Infrastructure Security Agency to develop and implement regulations requiring covered entities to report covered cybersecurity incidents. The FTC Safeguards Rule requires non-banking financial institutions, including mortgage brokers and automobile dealerships, to develop, implement, and maintain a comprehensive cybersecurity program to protect customer information. Most concerning is that the deadline for compliance with the FTC Safeguards Rule is now June of 2023.
In July of 2022, as part of the Civil Cyber-Fraud Initiative, the Department of Justice announced a $9 million Aerojet settlement to resolve cybersecurity fraud claims brought pursuant to the FCA by a whistleblower who was the former Senior Director of Cyber Security, Compliance, and Controls for Aerojet. The whistleblower claimed that Aerojet’s contracts with the government mandated specific cybersecurity standards, and despite knowing that its systems did not meet these standards, Aerojet pursued and fraudulently obtained the contracts.
The Aerojet qui tam and resulting settlement forecast how this enforcement mechanism might be used in the cybersecurity space. The government has now specifically promised that when contractual cybersecurity standards are not satisfied, it will attempt to use the FCA to pursue cybersecurity fraud claims. And, as the deadline for compliance with the FTC Safeguards Rule quickly approaches, companies must be prepared for certification requests that may incorporate various cybersecurity requirements, including compliance with the FTC Safeguards Rule. To avoid potential FCA liability, companies and individuals need to be fully aware of any cybersecurity requirements in government contracts, including how compliance is certified and how cybersecurity incidents must be monitored and reported. Often, organizations are not aware of what they have agreed to contractually regarding cybersecurity or privacy. A company employee may receive an email link from a customer and merely click boxes certifying compliance in order to earn the work, without ever reading the terms to which they are binding the company.
Companies may not be prepared for the consequences of cybersecurity requirements and certifications in contracts—but they should be. This year promises to be an even more active year for cybersecurity enforcement.
For more information and other updates and alerts regarding privacy law developments, subscribe to Bradley’s privacy blog Online and On Point.