B. Stephanie Siegmann, partner and co-chair of the Cybersecurity, Privacy & Data Protection Group, will be a featured speaker at the American Bar Association’s (ABA) upcoming webinar, Cybersecurity: The Evolving Threats and Increased Enforcement Challenges for the Construction Industry and Government Contractors. To learn more or register, visit the ABA website.
2024 was a record-breaking year for cyberattacks impacting the personal information of hundreds of millions of people in the United States. Cyberthreats will likely only continue to grow due to geopolitical threats and advancements in AI. Cybercriminals have used AI tools to automate large-scale ransomware and phishing campaigns. As a result of the increasing threat environment, we have seen the number of cybersecurity requirements and disclosure obligations, and the importance of cybersecurity compliance, grow exponentially over the last few years. Indeed, in December 2024, the U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program became effective; it will now require defense contractors working with controlled unclassified information to meet one of three levels of CMMC compliance to be eligible to receive new DOD contracts. On January 15, 2025, the Federal Acquisition Regulation (FAR) Council proposed a new rule that would amend the FAR to impose robust cybersecurity standards, training, and incident reporting requirements for government contractors and subcontractors.
The enforcement landscape has clearly become more ominous for organizations and individuals, especially government contractors. The U.S. Department of Justice (DOJ) intends to hold government contractors and grant recipients accountable for cybersecurity noncompliance using the False Claims Act, and has even brought criminal charges against a corporate officer for his handling of a data breach. The Securities and Exchange Commission and the Federal Trade Commission have also launched numerous investigations of cyberattacks and data breaches. For instance, in August 2024, in an unprecedented move, DOJ sued Georgia Tech for failing to comply with cybersecurity requirements in its DOD contracts and violating the False Claims Act, sending shockwaves throughout the Defense Industrial Base and government contractor community. Based upon the current cyber threat environment, it is therefore not a matter of if your organization will experience a cyberattack or data breach but when, and what you can do to minimize your organization’s criminal and civil liability risks.