0
DOJ Cyber-Fraud InitiativeUnder New Cyber-Fraud Initiative, DOJ Will Sue Federal Contractors For Failure to Maintain Cybersecurity Standards and Report Incidents

Under New Cyber-Fraud Initiative, DOJ Will Sue Federal Contractors For Failure to Maintain Cybersecurity Standards and Report Incidents

The Department of Justice has announced a new “Civil Cyber-Fraud Initiative” in which the Department will pursue civil actions for damages against federal contractors that fail to maintain cybersecurity standards and fail to report cybersecurity incidents and breaches.

 

What Is the Civil Cyber-Fraud Initiative?

On October 6, 2021, Deputy Attorney General Lisa Monaco declared that the DOJ will use its existing authority under the False Claims Act to bring civil litigation against entities or individuals that put U.S. information or systems at risk by either:

  • Knowingly providing deficient cybersecurity products or services;
  • Knowingly misrepresenting their cybersecurity practices or protocols; or
  • Knowingly violating obligations to monitor and report cybersecurity incidents and breaches.

Monaco explained that “for too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it.  Well that changes today … because we know that puts all of us at risk.”

 

How Will Enforcement Work?

Under the False Claims Act, the government can recover treble damages, plus a penalty amount that is linked to inflation, against companies that make false statements in connection with work that is funded by the government.  The new initiative will apply to federal government contractors, federal grant recipients, and other recipients of federal funding.  The statute of limitations for False Claims Act litigation is three years.

 

The Cyber-Fraud Initiative will be conducted by the Civil Division’s Commercial Litigation Branch, Fraud Section.  The False Claims Act also authorizes Qui Tam litigation, a type of whistleblower activity in which private parties can initiate litigation on behalf of the government and receive a percentage of the government’s recovery if the claim is successful.  The DOJ’s press release announcing the Cyber-Fraud Initiative indicated that qui tam litigation would apply to the new initiative.

 

The new initiative is part of the DOJ’s ongoing comprehensive cyber review, which was ordered by Deputy Attorney General Monaco in May 2021 and follows a recent series of cybersecurity attacks that has motivated the Biden administration to bolster cybersecurity resiliency and pursue threat actors.

 

What Should Federal Contractors Do Next?

While cybersecurity incidents and breaches always exposed companies to considerable litigation risk, and the DOJ’s new initiative only increases that risk.  The DOJ’s new initiative demonstrates the increasing importance of developing and maintaining resilient cybersecurity protocols.  Beckage closely monitors developments in laws and regulations governing cybersecurity. Beckage’s team of highly skilled attorneys and technologists are uniquely situated to assist clients as they navigate these changes.

*Attorney advertising: prior results do not guarantee similar outcomes.

Subscribe to our newsletter.

Identity TheftEleventh Circuit Adds to Circuit Split on Whether Future Risk of ID Theft Can Support Data Breach Class Claims

Eleventh Circuit Adds to Circuit Split on Whether Future Risk of ID Theft Can Support Data Breach Class Claims

Courts across the United States continue to struggle with whether individuals impacted by a company’s data breach have suffered harm that is concrete enough to support their claims in court. 

After they are notified of a data breach involving their personal data, impacted individuals often join together to bring class action claims against the business for its alleged failure to safeguard their data, breach of privacy promises regarding that data, and under applicable state consumer laws.

Data Breach Class Actions & Standing Requirements

One area that courts have shown a willingness to scrutinize is the question of whether these individuals have alleged, or can show they have experienced, actual harm from the data incident, to satisfy the Constitutional Article III requirement known as standing. 

Plaintiffs continue to present novel theories of why access to their data by an unauthorized third party harmed them in a way that a court may remedy, especially in instances where no facts exist to show that their data has actually been misused.  Plaintiffs will often allege that they lost some value associated with their data, or associated with the use of their data.  By far the most prominent theory submitted by data breach plaintiffs is that these individuals are now at a higher risk of future identity theft and that future relief, such as credit monitoring, should be offered to them to prevent against this risk.

But how great is this risk of future identity theft, really? According to a recent Eleventh Circuit decision, not substantial enough to support Article III standing.

The I Tan Tsao Decision

In affirming the dismissal of a customer’s proposed class action against Florida-based fast-food chain, PDQ, over a data breach that allegedly exposed plaintiffs’ credit and debit card information, the Eleventh Circuit held that the plaintiff I Tan Tsao did not present a sufficient injury claim as a basis for bringing the suit.  There, Mr. Tsao alleged that he and members of his class were at an elevated risk of future identity theft due to the restaurant chain’s breach, and that he had to take certain mitigative steps to reduce this risk, such as cancelling his credit cards.  Plaintiff Tsao relied primarily on a 2007 GAO Report on Data Breaches in support of his theory.

The Eleventh Circuit did not find Mr. Tsao’s hypothetical future risk of identity theft compelling enough for Article III standing purposes.

“We hold that Tsao lacks Article III standing because he cannot demonstrate that there is a substantial risk of future identity theft — or that identity theft is certainly impending — and because he cannot manufacture standing by incurring costs in anticipation of non-imminent harm,” the three-judge panel said.

In relying on the U.S. Supreme Court’s decision in Clapper v. Amnesty International USA, the Eleventh Circuit concluded that a plaintiff alleging a hypothetical harm does not have standing unless that harm is either “certainly impending” or represents a “substantial risk” of harm.  And if the alleged risk does not rise to those levels, a plaintiff cannot “conjure standing by inflicting some direct harm on itself to mitigate a perceived risk.”

The Eleventh Circuit also rejected Mr. Tsao’s use of the GAO Report, holding that the Report’s findings actually supported that the limited data potentially exposed here – credit and debit card numbers – alone, did not lead to a higher incidence of future identity theft.

Nor could Mr. Tsao’s mitigative steps – to cancel his credit card, which he alleged led to a period of restricted access to his account and lost reward points – manufacture a harm for standing purposes.  “It is well established that plaintiffs cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending” the Circuit court held, citing to Clapper.

The Court’s decision in I Tan Tsao v. Capitva MVP Restaurant Partners LLC aligns it with the Second, Third, Fourth and Eighth Circuit Courts of Appeal who have rejected the theory, while the Sixth, Seventh, Ninth and D.C. circuits have accepted it.

The Supreme Court has yet to hear an Article III standing case in the data breach context, leading legal spectators to wonder if the I Tan Tsao decision now presents the high Court with an opportunity to provide such guidance.

Beckage is monitoring developments in this case and other data breach class actions that may provide guidance for future litigation.  Our Litigation team has worked on some of the largest data breach and privacy class actions in the country and can help your business develop a litigation strategy that will result in a successful outcome and minimal disruption to your everyday work.  Learn more about our Litigation Practice Group here.

Subscribe to our newsletter.

*Attorney advertising. Prior results do not guarantee future outcomes.