SecureWorld News

U.S. Initiative: Fines for Failing to Report a Data Breach

Written by Drew Todd | Fri | Oct 8, 2021 | 10:30 AM Z

Governments and organizations around the world are trying their best to keep up with the increasingly sophisticated attack methods used by malicious threat actors in cyberattacks.

It's not easy, but despite the record number of cyber incidents in the last year, progress is being made.

The United States is one country leading the charge in this defense. So far this year, the U.S. government has implemented a wide variety of measures focused on improving the nation's cybersecurity infrastructure, including the Cybersecurity and Infrastructure Security Agency's (CISA) new Vulnerability Disclosure Platform (VDP) and Joint Cyber Defense Collaborative (JCDC), the National Security Agency's (NSA) Cybersecurity Collaboration Center, and the recent formation of "The Quad," a new cybersecurity alliance between the U.S., Australia, India, and Japan.

Now, the Department of Justice (DOJ) has announced a new Civil Cyber-Fraud Initiative, which will "combine the department's expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems."

New Civil Cyber-Fraud Initiative

The new initiative aims to pursue cybersecurity-related fraud by government contractors and grant recipients, specifically those who knowingly use deficient cybersecurity protocols or misrepresent cybersecurity practices.

It will also put an emphasis on those who fail to report cybersecurity breaches and incidents when required.

Reporting a data breach can be a very difficult decision for CISOs and executives. You want to protect the perception of your organization, but also make sure your customers' information is safe.

Jeremy Sheridan, Assistant Director for the U.S. Secret Service and a SecureWorld keynote speaker, discusses why this should be an easy decision:

"There's sometimes a hesitancy to call law enforcement because the perception is we have a role in that—our role is really focused on catching the bad guy."

Sharing information and reporting cyber incidents are key steps in improving defense against cyberattacks, Sheridan explains:

"We feel that if a payment decision is made, and again, [that's an] individual organization decision, it should be accompanied with reporting to law enforcement. And one of the biggest challenges we have: It's well known that the ransomware crimes that occur, even those that we know, are vastly underreported. The latest estimates are around 20% of actual ransomware instances get reported to law enforcement or insurance or regulators."

Here is what Deputy Attorney General Lisa Monaco says of the new initiative:

"For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it. Well, that changes today.

We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards—because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc [treasury] and public trust."

The DOJ provides six specific benefits of the initiative:

  • "Building broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners."
  • "Holding contractors and grantees to their commitments to protect government information and infrastructure."
  • "Supporting government experts' efforts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services."
  • "Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage."
  • "Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations."
  • "Improving overall cybersecurity practices that will benefit the government, private users and the American public."

For more information, you can read the DOJ's statement on the New Civil Cyber-Fraud Initiative.

You can also register for upcoming SecureWorld virtual conferences to learn more about cybersecurity best practices and earn CPE credits.