The US Department of Justice (DoJ) has officially launched its new Civil Cyber-Fraud Initiative. The initiative does not create new legislation; it uses the existing False Claims Act to strengthen cybersecurity standards among contractors that undertake government projects and among recipients of federal funds and grants, such as universities. Such organizations must address cybersecurity risks and report breaches to comply with their contractual obligations and the applicable regulatory guidelines.
The Civil Cyber-Fraud Initiative brings together the department's expertise in civil fraud enforcement, government contracting, and cybersecurity to counter existing and growing cybersecurity risks to confidential material and critical infrastructure. Through the initiative, the DoJ aims to improve the resilience of the country and its critical information infrastructure (CII) against increasingly sophisticated threats. The reform was needed to protect trade secrets, intellectual property (IP), proprietary knowledge, trademarks, and copyrights; to protect the privacy of all stakeholders involved; and to prevent sensitive and confidential information from falling into the hands of threat actors. It is also meant to ensure that taxpayers' money is spent diligently and to build public trust that the system safeguards their valuable information assets.
Cyber Fraud: Some Key Statistics
According to AtlasVPN, the damage inflicted on organizations by cybercrime has grown by 37.4% every year since 2019, and the rate of cybercrime is projected to increase by more than 40%.
Some key cybercrime statistics from the US and around the globe show how threatening and challenging cybercrime has become:
- The FBI's IC3 received 241,342 phishing, 76,741 extortion, and more than 45,000 personal data breach complaints in 2020.
- Malicious actors attack one in five educational institutions and universities, with 65% of data breaches in the sector targeting higher-education institutions.
- Misinformation campaigns surrounding cybercrime are predicted to become a new attack vector in 2022.
- Cybercrime is ever-increasing and is estimated to cost businesses $10.5 trillion per year by 2025.
The New Civil Cyber-Fraud Initiative By The US DoJ
The new Civil Cyber-Fraud Initiative will use the False Claims Act (FCA) to investigate cybersecurity-related misconduct by government contractors and by recipients of federal grants and funds. The Act also contains a "whistleblower" (qui tam) provision that lets individuals who bring evidence of fraud to the government share in any recovery. The DoJ will use the FCA to pursue civil liability for failure to meet cybersecurity requirements, including for:
- Knowingly providing deficient cybersecurity products or services, whether to the government or within the organization.
- Knowingly misrepresenting or falsifying cybersecurity information, protocols, and processes.
- Knowingly failing to monitor, track, and report cybersecurity incidents and data breaches as required.
While the DoJ's approach is novel, using the False Claims Act to compel cybersecurity compliance is not. Even so, the Civil Cyber-Fraud Initiative makes it more important than ever for institutions to be prepared for the legal issues that follow a cyber intrusion. At a high level, the Civil Cyber-Fraud Initiative:
- Holds government contractors and grantees to their commitments to protect government information and infrastructure.
- Ensures that government contractors recognize and develop strategies to comply with contract terms, statutes, and federal requirements.
- Provides a route to recover taxpayers' and the government's money when a compromise results from a failure on the organization's side.
- Pushes organizations that receive government grants and funds to build a strong cybersecurity posture.
Industries to be Impacted by The New Civil Cyber-Fraud Initiative
The Department of Justice's Civil Cyber-Fraud Initiative may impact almost any private, public, or government organization that receives government funds or grants, but its impact on some critical sectors deserves a closer look:
- Health Care and Life Sciences: The initiative targets federal contractors and federally funded beneficiaries. Medical and life sciences organizations that contract with or receive support from the federal government may therefore face FCA scrutiny.
- Educational Institutions: Failure to comply may have far-reaching ramifications for universities and higher-education institutions that receive government funds and grants but lack adequate cybersecurity safeguards. In light of federal requirements, every university or college that retains critical or privileged information must carefully evaluate the form and efficacy of its security controls and procedures.
- Banking and Financial Industry: Banking and financial organizations are a significant target for malicious actors because of the scale and sensitivity of the data they store. Under the initiative, financial institutions that contract with or receive funds from the federal government will need adequate documentation and reporting structures, cybersecurity policies, and incident response plans, since any violation of their obligations could make them accountable and liable.
- Defense Industry: The initiative brings the DoJ's expertise and experience in government procurement and civil fraud enforcement to bear on emerging cybersecurity threats and risks, helping to protect confidential and sensitive information and critical information systems. For instance, if a defense contractor mishandles trade secrets or government intellectual property stored digitally, the contractor could become liable, especially if it fails to report the breach.
Risks of Non-Compliance
Non-compliance with the new Civil Cyber-Fraud Initiative exposes organizations and individuals to various risks, such as:
- Increased Liability Risks: The Department of Justice announced that it intends to hold organizations and individuals liable for actions including knowingly offering inadequate cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or procedures, and knowingly failing to report data breaches and incidents. Contractors may also be held liable for failing to comply with the cyber breach reporting terms in their government contracts.
- Penalties on Enterprises and Individuals: NIST SP 800-171 applies to nonfederal organizations that handle Controlled Unclassified Information (CUI). Those that do not meet their cybersecurity requirements could face FCA liability and penalties under the initiative. Beyond enterprises, the DoJ can also hold individuals legally responsible for cybersecurity-related fraud.
- Increased Litigation Risks: The Department of Justice's announcement notably emphasizes reliance on whistleblowers. After establishing their cybersecurity baseline, organizations should consider conducting an internal review with counsel that compares their actual practices against the representations they have made to the federal government. Any disparity between the two exposes the organization to FCA litigation.
Recommendations: Here is What Organizations Can Do!
Organizations can better protect themselves and ensure compliance with the requirements the Department of Justice is enforcing with the help of:
- Internal Audits and Assessments: Organizations should continually identify their key information assets and evaluate their readiness for a cyber breach; internal audits and assessments play a critical role here. Based on the results, organizations can prioritize the actions and processes needed to protect their information assets before, during, and after a security incident or data breach.
- Continuous Monitoring and Reviews: Organizations must continuously monitor changes in their technology environment, vulnerability management, and operational activities so that gaps against federal regulatory frameworks, processes, and policies are found early. Encouraging employees to report concerns internally can support this process.
- Documentation: Clearly written standards, plans, and policies are essential to demonstrating compliance with the government's cybersecurity requirements. Robust documentation also helps resolve internal issues and potential leaks by removing any doubt about the standard operating procedures (SOPs) to follow when identifying and addressing a security incident.
- Internal Discussions: Management should ensure that all compliance discussions with the government are accurately recorded and readily available. They should also work with the individuals who identify issues to analyze the organization's risk exposure.
The Department of Justice's Civil Cyber-Fraud Initiative, enforced through the False Claims Act, is the government's official legal remedy for cybersecurity negligence and fraud. It raises the bar for compliance efforts by federal contractors and federal grant beneficiaries, such as universities. Because of the False Claims Act, the latter now face far higher stakes in deciding whether to adopt essential cybersecurity precautions and whether to disclose an incident.
Expect increased FCA litigation against organizations that fail to mitigate the risk of cyber breaches. Attentive cybersecurity compliance procedures will help protect sensitive data and minimize the risk of significant penalties under the FCA.
- Krotoski, M., Baruch, D., & Fan, S. (2021, December 8). Are you prepared for DOJ's Civil Cyber-Fraud Initiative? Morgan Lewis.
- Department of Justice. (2021, October 6). Deputy Attorney General Lisa O. Monaco announces new Civil Cyber-Fraud Initiative.
- Gersh, D., Moundas, C., O'Connor, A., Darch, J., & Hardy, G. (2021, November 24). DOJ Civil Cyber-Fraud Initiative may impact health care and life sciences companies. Mondaq.
- Shaheen, M., Bartle, S., & Trujillo, G. (2022, January 19). Cybersecurity compliance requirements may surprise higher ed. University Business.
- Ross, R., Pillitteri, V., Dempsey, K., Riddle, M., & Guissanie, G. (2020). Protecting controlled unclassified information in nonfederal systems and organizations (NIST SP 800-171). Gaithersburg, MD: National Institute of Standards and Technology.
- Department of Justice. (2019, June 17). The False Claims Act. Retrieved February 20, 2022, from https://www.justice.gov/civil/false-claims-act