Will cybersecurity-related enforcement efforts by the U.S. Department of Justice increase in the coming years? The answer is yes. How do we know? Two reasons. First, DOJ has been telling us to expect increased efforts, both generally and specifically as to cybersecurity. Second, they have backed up their words with action.
As a general matter, U.S. Attorney General Merrick Garland and Deputy Attorney General Lisa Monaco have been explicit that they are prioritizing the investigation and prosecution of financial and corporate malfeasance. Early last year, for example, AG Garland told the American Bar Association that he “had seen the Justice Department’s interest in prosecuting corporate crime wax and wane over time. Today, it is waxing again.” His remarks reinforced those of DAG Monaco in the fall of 2021, when she announced the Biden administration’s intention “to better combat corporate crime.”
In addition to remarks like these, the DAG issued one memorandum in October 2021 and a second in September 2022, announcing revisions to corporate criminal enforcement policies. These policies apply very nearly across the entire Department and, as explained in further detail, include significant policy changes that favor stronger corporate enforcement.
More specific to cybersecurity, DOJ late last year entered uncharted waters when it tried, and the jury convicted, Uber’s former Chief Security Officer on charges of obstruction of proceedings of the Federal Trade Commission and misprision of felony, in connection with his attempted cover-up of a 2016 hack of Uber. The case represents what is believed to be the first federal prosecution of a corporate executive for the handling of a data breach.
It is not just criminal cases; it is civil cases as well. In a noteworthy development, DOJ announced in late 2021 its “Civil Cyber-Fraud Initiative,” seeking to hold accountable individuals or entities that put U.S. information or systems at risk. Through the initiative, DOJ made clear its intention to utilize the False Claims Act (FCA) to pursue cybersecurity-related cases against government contractors, subcontractors, and grant recipients. The FCA is the U.S. federal government’s primary civil tool to combat fraud against the government, as it imposes financial liability on persons and companies (typically federal contractors and subcontractors, to include Medicare, TRICARE, and Medicaid health care providers) who defraud governmental programs. In essence, DOJ is sending a message that it will not be afraid in certain circumstances to pursue even victims of cybercrime. As part of this initiative, DOJ last year announced significant settlements in two False Claims Act cases (Aerojet Rocketdyne and Comprehensive Health Services) related to cybersecurity deficiencies or misrepresentations, and more are expected.