Federal agencies and lawmakers move to enforce disclosure of contractor data breaches

lock icon cybersecurity privacy

The Department of Justice (DOJ) is cracking down on federal government contractors that fail to adequately disclose data breaches. In an aggressive new enforcement initiative, the DOJ will levy severe fines and penalties based on US False Claims Act (FCA) enforcement policies.

In determining fines and penalties, the DOJ will establish the damages, the number of violations, and the penalty per violation. Damages can be assessed at up to three times the amount of the false claim, and penalties per individual violation count range from $11,665 to $23,331 per violation. While it is unclear how the DOJ will quantify damages of inadequate breach disclosure, it is likely that amounts demanded from contractors will be significant. In part, that’s because damages that involve breaches are often widespread and will be subject to the FCA damage multiplier.

While the DOJ’s policy statement favors the use of civil enforcement, rather than criminal enforcement, to pursue contractors who fail to adequately disclose breaches, the financial liabilities can be substantial. The FCA can hold defendants responsible for three times the amount of damages the government sustains, plus a civil penalty for each false claim. The FCA can also expose businesses to the risk of suspension and debarment from government programs. Employees and other knowledgeable parties who cooperate with federal law enforcement are covered under the whistleblower protection provisions of the False Claims Act. In part, that’s because the DOJ expects that informants will play a “significant role” in exposing misconduct.

This stringent enforcement of breach notifications has emerged at the nexus of a global pandemic, economic turbulence, and a massive shift to remote work models. At the same time, unprecedented attacks — the SolarWinds and Colonial Pipeline hacks, in particular — have amplified the need to better secure our sensitive data and enforce reporting rules.

Another catalyst is a recent wave of malware attacks, which account for 70% of all system-intrusion incidents each year. These attacks are as pricey as they are prosaic; Consider that cybersecurity incidents cost the Department of Defense (DoD) up to $600 billion a year. Many of these intrusions originate with government contractors, which may have inadequate or unequal security capabilities to detect and prevent against security threats. Often, government contractors don’t know they have been breached and it is not unusual for a government agency to notify the contractors they are a victim of a security incident.

And then there is the escalating overall price of breaches. The average cost per cybersecurity incident climbed to $4.24 million in 2021, a 10% jump over the year before. Conversely, the ability to detect breaches seems to have dulled. On average, it took businesses 287 days to identify and contain a data breach in 2021 — up seven days over the year before. Time is money because the longer an intrusion goes undetected, the more damage it can cause.

Introducing new notification legislation

In addition to the DOJ’s deeper scrutiny of contractors, new legislation has been introduced that would set new requirements for reporting. The proposed Cyber Incident Notification Act of 2021 specifically targets reporting requirements for government contractors and critical infrastructure owners and operators.

The legislation would require that companies report real or potential cybersecurity incidents to the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of detection. The legislation would also mandate that organizations report to CISA within 72 hours of any new threat information discovered during cybersecurity investigations.

To promote information sharing, the act would offer informants limited immunity. For example, information provided to CISA would be exempt from disclosure under the Freedom of Information Act.

Getting started

When planning to get ahead of evolving cybersecurity requirements, the best course is to ensure that foundational cybersecurity capabilities are in place, including a robust breach incident response plan and disclosure process, both of which would be the focus of a DOJ inquiry in the wake of a data loss incident. A great place to start is with cybersecurity frameworks like the National Institute of Standards and Technology (NIST) Cybersecurity Framework, CIS Top 20 or the ISO 27001 / 27002 standards.

From our perspective, a shortlist of essential cybersecurity capabilities includes:

  • A thorough data-governance framework that classifies company and third-party data, including data that is classified as controlled unclassified information (CUI)
  • What type of data is in the organization’s environment and the value of such data
  • Up-to-date access controls
  • Implementing/enforcing multi-factor authentication
  • Documented and tested incident response plan for expedited handling, response, and disclosure
  • Processes to quickly disclose breaches
  • Real-time reporting
  • Formal processes and technologies for information sharing
  • Ongoing cybersecurity training and awareness
  • Frequent regular backup and recovery tests
  • Implementing endpoint detection and response (EDR) or managed detection and response (MDR) solutions
  • Regular risk assessments to assess control effectiveness and anticipate potential impacts to operations 
  • Identification and prioritization of cyber-risks

While damages and penalties for reporting security breaches have not been formally established, the False Claims Act is part of a well-established enforcement channel within the federal government that has mature capabilities for helping protect governments from fraud. Organizations should get started now to make sure that a holistic end-to-end cybersecurity program is in place. Financially, tougher enforcement of disclosure requirements and expanded costs of security incidents may prove so steep that organizations will need to rethink how they report breaches. To get started, we recommend a review of updated cybersecurity frameworks and consideration of the list of actions above to help lessen exposure to material risks and meet government requirements.

Contact

Bhavesh Vadhani, Principal, National Leader, Cybersecurity, Technology Risk, and Privacy

703.847.4418

Rich Meene, Principal, Government Contracting Practice

862.245.5122

Subject matter expertise

  • Bhavesh Vadhani
    Contact Bhavesh Bhavesh+Vadhani bhavesh.vadhani@cohnreznick.com
    Bhavesh Vadhani

    CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy

  • richard meene
    Contact Richard Richard+Meene rich.meene@cohnreznick.com
    Richard Meene

    Principal

  • Close

    Contact

    Let’s start a conversation about your company’s strategic goals and vision for the future.

    Please fill all required fields*

    Please verify your information and check to see if all require fields have been filled in.

    Please select job function
    Please select job level
    Please select country
    Please select state
    Please select industry
    Please select topic
GovCon360

Access Our Government Contracting Topic Page for Key Insights & Powerful Tools

This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. Neither CohnReznick LLP or its personnel provide legal advice to third parties. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees, and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.