[BreachExchange] DOJ says it will protect whistleblowers who disclose contractor cybersecurity failures

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Fri Oct 22 15:04:28 EDT 2021


https://www.fedscoop.com/doj-says-it-will-protect-whistleblowers-who-disclose-contractor-cybersecurity-failures/

The Department of Justice will use all available resources to ensure
whistleblowers who come forward to report cybersecurity failures at
federal contractors are protected, according to Deputy Attorney General
Lisa Monaco.

Monaco gave the commitment Wednesday along with further details about the
department’s program to pursue federal contractors that commit major
cybersecurity failures or misrepresent their cybersecurity capabilities.

“Our new civil cyber-fraud initiative will use the False Claims Act to both
enforce civil fines on government contractors and grant recipients as well
as protect whistleblowers who bring information forward,” she said. “[T]o
those who witness irresponsibility that exposes the government to cyber
breaches, our message is this: if you see something, say something. We will
use all of the legal authorities in our reach to make sure you are
protected and compensated.”

Monaco emphasized that with the new initiative, the department is focused
on using the False Claims Act as a tool to ensure taxpayer dollars are
being used appropriately and to guard public finances and public trust.

Earlier this month, the DOJ announced the enforcement push, under which it
intends to use the False Claims Act to pursue contractors working with
federal government agencies — as well as recipients of federal grants —
that fail to report incidents in which their systems are compromised.

The FCA was first enacted in 1863 in response to defense contractor fraud
during the American Civil War. It was amended in 1986 to increase
incentives for whistleblowers to come forward with allegations of fraud.

Under the FCA, any person who submits false records to the government can be
forced to pay triple the damages caused to the government from fraudulent
contract submissions. The offending entity can also be hit with a civil
penalty of up to $10,000.

While the renewed focus on improving cybersecurity standards across
government has received broad support from the technology industry, some
federal contractors have warned that clearer guidance is needed from
government agencies over the parameters of contracts.

“I have clients working with the Department of Defense, who during an audit
will be told that information stored in a certain data center is controlled
defense information – and there is no way to know this in advance,” a
defense contracting source told FedScoop.

The source added: “With this new enforcement push, contractors are worried
they are either going to be over-reporting or under-reporting.”