U.S. Initiative: Fines for Failing to Report a Data Breach


Governments and organizations around the world are trying their best to keep up with the increasingly sophisticated attack methods used by malicious threat actors in cyberattacks.

It’s not easy, but despite the record number of cyber incidents in the year now ending, progress is being made.

The United States is one country leading the charge in this defense. So far this year, the U.S. government has implemented a wide variety of measures focused on improving the nation’s cybersecurity infrastructure, including the Cybersecurity and Infrastructure Security Agency’s (CISA) newly created Vulnerability Disclosure Platform (VDP) and Joint Cyber Defense Collaborative (JCDC), the National Security Agency’s (NSA) Cybersecurity Collaboration Center, and the newly formed “Quad,” a new cybersecurity alliance between the U.S., Australia, India, and Japan.

Now, the Department of Justice (DOJ) has announced a new Civil Cyber-Fraud Initiative, which will “combine the department’s expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems.”

New Civil Cyber-Fraud Initiative

The new initiative aims to pursue cybersecurity-related fraud by government contractors and grant recipients, specifically those who knowingly use deficient cybersecurity protocols or misrepresent their cybersecurity practices.

It will also put an emphasis on those who fail to report cybersecurity breaches and incidents when required to do so.

Reporting a data breach can be a very tough decision for CISOs and executives. You want to protect the perception of your organization, but you also need to make sure your customers’ information is safe.

Jeremy Sheridan, a SecureWorld keynote speaker and Assistant Director for the Secret Service, discusses why this should be an easy decision:

“There’s sometimes a hesitancy to call law enforcement because the perception is we have a role in that—our role is really focused on catching the bad guy.”

Sharing information and reporting cyber incidents are key steps in improving defense against cyberattacks, Sheridan explains:

“We feel that if a payment decision is made, and again, [that’s an] individual organization decision, it should be accompanied with reporting to law enforcement. And one of the biggest challenges we have: It’s well known that the ransomware crimes that occur, even those that we know, are vastly underreported. The current estimates are around 20% of actual ransomware instances get reported to law enforcement or insurance or regulators.”

Here is what Deputy Attorney General Lisa Monaco says of the new initiative:

“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it. Well that changes today.

We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc [treasury] and public trust.”

The DOJ provides six specific benefits of the initiative:

  • “Building broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners.”
  • “Holding contractors and grantees to their commitments to protect government information and infrastructure.”
  • “Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services.”
  • “Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage.”
  • “Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations.”
  • “Improving overall cybersecurity practices that will benefit the government, private users and the American public.”

For more information, you can read the DOJ’s statement on the new Civil Cyber-Fraud Initiative.

You can also register for upcoming SecureWorld Virtual Conferences to learn more about best cybersecurity practices and earn CPE credits.
