[BreachExchange] U.S. govt to sue contractors who hide breach incidents

Inga Goddijn inga at riskbasedsecurity.com
Fri Oct 8 10:15:56 EDT 2021


https://www.bleepingcomputer.com/news/security/us-govt-to-sue-contractors-who-hide-breach-incidents/

Under the new Civil Cyber-Fraud Initiative that the U.S. Department of
Justice announced today, government contractors are accountable in a civil
court if they don’t report a breach or fail to meet required cybersecurity
standards.

The initiative gives the DoJ the necessary leverage to fight digital
threats to sensitive information and critical systems stemming from
collaborators of federal agencies.

Boosting defenses

Deputy Attorney General Lisa O. Monaco said that the initiative allows the
DoJ to pursue government contractors that keep silent about a breach
incident or don’t comply with cybersecurity standards.

“Well that changes today. We are announcing today that we will use our
civil enforcement tools to pursue companies, those who are government
contractors who receive federal funds, when they fail to follow required
cybersecurity standards” - Deputy Attorney General Lisa O. Monaco

Led by the Civil Division’s Commercial Litigation Branch, Fraud Section,
the initiative will use the False Claims Act (FCA), which makes liable
anyone who knowingly submits false claims to the government.

A whistleblower provision in the Act allows private parties to identify and
pursue fraudulent conduct. Whistleblowers benefit from protection and
receive a significant part of any recovered funds.

The Civil Cyber-Fraud Initiative aims to strengthen defenses and minimize
the risk of intrusion on government networks due to poor cybersecurity
practices from external partners.

"The initiative will hold accountable entities or individuals that put U.S.
information or systems at risk by knowingly providing deficient
cybersecurity products or services, knowingly misrepresenting their
cybersecurity practices or protocols, or knowingly violating obligations to
monitor and report cybersecurity incidents and breaches"  - U.S. Department
of Justice

Benefits expected from this initiative range from increasing the security
of information systems in both the private and public sector to improving
overall cybersecurity practices:


   - Building broad resiliency against cybersecurity intrusions across the
   government, the public sector, and key industry partners
   - Holding contractors and grantees to their commitments to protect
   government information and infrastructure
   - Supporting government experts’ efforts to timely identify, create and
   publicize patches for vulnerabilities in commonly-used information
   technology products and services
   - Ensuring that companies that follow the rules and invest in meeting
   cybersecurity requirements are not at a competitive disadvantage
   - Reimbursing the government and the taxpayers for the losses incurred
   when companies fail to satisfy their cybersecurity obligation
   - Improving overall cybersecurity practices that will benefit the
   government, private users, and the American public