Federal agencies and lawmakers move to enforce disclosure of contractor data breaches
The Department of Justice (DOJ) is cracking down on federal government contractors that fail to adequately disclose data breaches. In an aggressive new enforcement initiative, the DOJ will levy severe fines and penalties based on US False Claims Act (FCA) enforcement policies.
In determining fines and penalties, the DOJ will establish the damages, the number of violations, and the penalty per violation. Damages can be assessed at up to three times the amount of the false claim, and penalties range from $11,665 to $23,331 per individual violation. While it is unclear how the DOJ will quantify the damages of inadequate breach disclosure, it is likely that the amounts demanded from contractors will be significant. In part, that’s because the damages involved in breaches are often widespread and will be subject to the FCA damage multiplier.
While the DOJ’s policy statement favors the use of civil enforcement, rather than criminal enforcement, to pursue contractors who fail to adequately disclose breaches, the financial liabilities can be substantial. The FCA can hold defendants responsible for three times the amount of damages the government sustains, plus a civil penalty for each false claim. The FCA can also expose businesses to the risk of suspension and debarment from government programs. Employees and other knowledgeable parties who cooperate with federal law enforcement are covered under the whistleblower protection provisions of the False Claims Act; these protections matter because the DOJ expects that informants will play a “significant role” in exposing misconduct.
This stringent enforcement of breach notifications has emerged at the nexus of a global pandemic, economic turbulence, and a massive shift to remote work models. At the same time, unprecedented attacks — the SolarWinds and Colonial Pipeline hacks, in particular — have amplified the need to better secure our sensitive data and enforce reporting rules.
Another catalyst is a recent wave of malware attacks, which account for 70% of all system-intrusion incidents each year. These attacks are as pricey as they are prosaic; consider that cybersecurity incidents cost the Department of Defense (DoD) up to $600 billion a year. Many of these intrusions originate with government contractors, which may have inadequate or uneven security capabilities for detecting and preventing security threats. Often, government contractors don’t know they have been breached, and it is not unusual for a government agency to be the one to notify a contractor that it is the victim of a security incident.
And then there is the escalating overall price of breaches. The average cost per cybersecurity incident climbed to $4.24 million in 2021, a 10% jump over the year before. Meanwhile, the ability to detect breaches seems to have dulled. On average, it took businesses 287 days to identify and contain a data breach in 2021 — up seven days over the year before. Time is money: the longer an intrusion goes undetected, the more damage it can cause.
Introducing new notification legislation
In addition to the DOJ’s deeper scrutiny of contractors, new legislation has been introduced that would set new requirements for reporting. The proposed Cyber Incident Notification Act of 2021 specifically targets reporting requirements for government contractors and critical infrastructure owners and operators.
The legislation would require that companies report real or potential cybersecurity incidents to the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of detection. The legislation would also mandate that organizations report to CISA within 72 hours of any new threat information discovered during cybersecurity investigations.
To promote information sharing, the act would offer informants limited immunity. For example, information provided to CISA would be exempt from disclosure under the Freedom of Information Act.
When planning to get ahead of evolving cybersecurity requirements, the best course is to ensure that foundational cybersecurity capabilities are in place, including a robust breach incident response plan and disclosure process, both of which would be the focus of a DOJ inquiry in the wake of a data loss incident. A great place to start is with cybersecurity frameworks like the National Institute of Standards and Technology (NIST) Cybersecurity Framework, CIS Top 20 or the ISO 27001 / 27002 standards.
From our perspective, a shortlist of essential cybersecurity capabilities includes:
- A thorough data-governance framework that classifies company and third-party data, including data that is classified as controlled unclassified information (CUI)
- An inventory of what types of data are in the organization’s environment and the value of that data
- Up-to-date access controls
- Implementing/enforcing multi-factor authentication
- Documented and tested incident response plan for expedited handling, response, and disclosure
- Processes to quickly disclose breaches
- Real-time reporting
- Formal processes and technologies for information sharing
- Ongoing cybersecurity training and awareness
- Frequent regular backup and recovery tests
- Implementing endpoint detection and response (EDR) or managed detection and response (MDR) solutions
- Regular risk assessments to assess control effectiveness and anticipate potential impacts to operations
- Identification and prioritization of cyber-risks
While damages and penalties for reporting security breaches have not been formally established, the False Claims Act is part of a well-established enforcement channel within the federal government that has mature capabilities for helping protect governments from fraud. Organizations should get started now to make sure that a holistic end-to-end cybersecurity program is in place. Financially, tougher enforcement of disclosure requirements and expanded costs of security incidents may prove so steep that organizations will need to rethink how they report breaches. To get started, we recommend a review of updated cybersecurity frameworks and consideration of the list of actions above to help lessen exposure to material risks and meet government requirements.