The cyberthreat environment continues to grow more menacing. Over the last year, organizations have been faced with a weekly, if not daily, deluge of ominous cybersecurity alerts and advisories from law enforcement. Cyberattacks come in many forms – i.e., malware-based attacks, phishing, spoofing, zero-day exploits, denial-of-service attacks, supply chain attacks, and insider threats, among others – and are clearly on the rise.

No organization is immune. Indeed, over the last year, the vast majority of companies experienced some form of a cyberattack. Accordingly, it is not matter of if your organization will experience a cyberattack but when, and what you can do to minimize liability risks.

There are no shortcuts or quick solutions that can be adopted to avoid becoming a target of a federal or state enforcement action. Rather, organizations need to properly safeguard data, implement a strong cybersecurity program that complies with reasonable industry standards, provide extensive training about cyber controls, and comply with cyber incident disclosure requirements. Further, it is critical that organizations promptly respond and investigate any complaints regarding cybersecurity and privacy violations. While a cybersecurity incident by itself is unlikely to create liability under the False Claims Act, the Department of Justice (“DOJ”) has criticized government contractors for choosing silence “rather than reporting breaches.” Thus, knowingly failing to report a cyberattack or comply with cyber incident disclosure requirements may put organizations in DOJ’s crosshairs.

This is for informational purposes only and is not intended to be legal advice.