DOJ Fires Shots Across the Bow; Announces Two Major Cyber Initiatives
On October 6, 2021, Deputy Attorney General (“DAG”) Lisa Monaco announced two major Department of Justice (“DOJ”) initiatives—involving both DOJ’s Civil and Criminal Divisions—confirming the DOJ’s commitment to finding and prosecuting cybercrime.
Civil Division Launches Crackdown on Non-Compliant Cybersecurity Programs
The first announcement is that the DOJ will be launching its own Cyber-Fraud Initiative and will pursue civil charges against companies that act as government contractors and fail to meet cybersecurity requirements. DAG Monaco stated: “For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it. … Well that changes today.” To crack down on such noncompliance, the Civil Division will actively target, and prosecute through the False Claims Act (“FCA”), companies contracting with the government that fail to follow required cybersecurity standards. The FCA is one of the DOJ’s primary civil enforcement tools, allowing the DOJ to bring actions against persons and companies who defraud governmental programs. Companies will face civil enforcement for falsely claiming that they have experienced no cyber breaches—or for attempting to hide or minimize breaches—and for falsely claiming compliance with cybersecurity regulations when they do not comply.
Civil liability for cybersecurity and cyberbreaches is not new. Numerous government agencies and several states already require companies to maintain robust cybersecurity and reporting programs. As we have noted in a separate post, the White House has recently—and significantly—raised the bar in terms of cybersecurity practices it requires from its contractors. The Cyber-Fraud Initiative, however, brings a new enforcement actor to the table, and one able to wield the power of the FCA. Among other things, the FCA includes a unique whistleblower provision and the ability for the DOJ to seek reimbursement for losses suffered when companies fail to satisfy their cybersecurity obligations.
In fact, two recent cases brought under the FCA could serve as models for such actions. In U.S. ex rel. Markus v. Aerojet Rocketdyne Holdings Inc., a whistleblower brought an action under the FCA against a Department of Defense and NASA contractor, alleging that the company failed to adhere to DoD cybersecurity policy.[1] While the DOJ declined to intervene, the District Court in California refused to dismiss the whistleblower’s case, finding that the case could proceed under the FCA. Similarly, Cisco Systems Inc. agreed to pay $8.6 million to resolve an FCA claim that it knowingly sold video surveillance products with vulnerabilities, thereby violating federal cybersecurity standards. Both cases could serve as harbingers of what is to come under the DOJ’s new Initiative.
These cases highlight the need for companies to have standard protections in place for potential whistleblowers, including providing internal opportunities for employees to voice concerns. Such concerns have not typically fallen to information security departments. That should now change. With increasing sources of potential liability for poor cybersecurity, it is more important than ever for senior executives and board members to have a fulsome, accurate, and privileged assessment of how their organization manages this risk.
Criminal Division Creates Task Force to Hunt Down Crypto Fraud
DAG Monaco’s second announcement concerned the creation of a National Cryptocurrency Enforcement Team. With increasingly widespread trading of cryptocurrency and other digital assets, incidents of fraud—and enforcement actions—involving such digital assets are on the rise as well. For example, the Securities and Exchange Commission recently announced charges against global crypto lending platform BitConnect in connection with an alleged $2 billion fraud. Similarly, in August, the Commodity Futures Trading Commission and Treasury’s Financial Crimes Enforcement Network (“FinCEN”) obtained a $100 million consent decree against five companies charged with illegally operating the BitMEX cryptocurrency derivatives trading platform and with anti-money laundering violations. Treasury’s Office of Foreign Assets Control (“OFAC”) has also contributed, announcing sanctions against Russia-based cryptocurrency exchange Suex for facilitating ransomware payments. Following a familiar theme, OFAC’s guidance noted that good cybersecurity is a factor in assessing whether sanctions are warranted.
According to DAG Monaco, the new Cryptocurrency Team will aim to tackle “complex investigations and prosecutions of criminal misuses of cryptocurrency,” with a particular focus on virtual currency exchanges, mixing and tumbling services, and money laundering infrastructure actors. The Cryptocurrency Team will combine elements of the DOJ’s Money Laundering and Computer Crimes sections, as well as local U.S. Attorney’s Offices, demonstrating a DOJ Criminal Division-wide effort to develop strategic priorities for investigations and prosecutions in this ever-evolving realm.
Conclusion
Overall, this double-pronged, civil-criminal enforcement approach demonstrates the DOJ’s commitment to being a major force in policing the cyber world, especially in developing fields such as cryptocurrency and digital assets and in defending against cyberbreaches. These announcements sound a renewed call for actors involved in cutting-edge cyber initiatives to be mindful of their actions and of their cybersecurity-related compliance obligations, lest they face investigation and enforcement by the DOJ.
[1] United States v. Aerojet Rocketdyne Holdings, Inc., 381 F. Supp. 3d 1240 (E.D. Cal. 2019).