Cybersecurity & Data Privacy Update

When Deputy Attorney General Lisa Monaco announced in October 2021 that the Department of Justice would be pursuing a new initiative to combat cybersecurity related fraud, white-collar criminal defense attorneys took notice. DAG Monaco’s message in that announcement was clear: DOJ plans to combine its expertise in fraud enforcement and government procurement to aggressively pursue cyber threats and cybersecurity related fraud. Since that time, DOJ has secured a number of high-profile settlements that have sent the message to government contractors that misrepresenting their cybersecurity posture or failing to report a breach will result in a costly DOJ enforcement action. The […]

In the latest settlement announced by DOJ under its Civil Cyber-Fraud Initiative, Insight Global LLC (Insight), an international staffing and services company, will pay $2.7 million to resolve allegations that it violated the False Claims Act (FCA) by failing to implement adequate cybersecurity measures to protect personal health information (PHI) and personally identifiable information (PII) under its contracts with the Pennsylvania Department of Health (PADOH). The United States alleged that during the COVID-19 pandemic, PADOH hired Insight Global to provide staffing for COVID-19 contact tracing and paid Insight Global using funds from the U.S. Centers for Disease Control and Prevention. […]

In October 2021, the United States Department of Justice (DOJ) announced its Civil Cyber-Fraud Initiative. The purpose of this initiative is to combat cybersecurity vulnerabilities and cyber threats by ensuring federal contractors and grantees implement required cybersecurity standards. Whistleblowers play a critical role in the initiative. Cybersecurity fraud is often difficult for the government to detect, so the DOJ relies on insiders to report violations under the federal False Claims Act (FCA). The FCA allows whistleblowers, known as “relators,” to bring a lawsuit regarding an entity’s false claims to the United States for payment. This is known as a qui […]

On December 6, 2023, the United States Department of Health and Human Services (HHS) initiated new cybersecurity requirements for hospitals in an effort to protect the healthcare sector from cyber-attacks. Hospitals and healthcare providers are particularly attractive targets for threat actors due to their size, dependence on technology, and access to data (including sensitive health-related data). Because sophisticated hackers appreciate the massive disruption and harm that an attack could cause to a healthcare provider and their data subjects, ransomware attacks are the weapon of choice for these threat actors. Gentry Locke is an experienced cybersecurity law firm that has data […]

The Federal Trade Commission (FTC) announced on October 27th that it has expanded the scope of its financial data security rule, which will now require nonbank financial institutions – like vehicle dealers and mortgage brokers – to report data breaches. This new amendment to the FTC Safeguards Rule imposes similar reporting requirements to those already applicable to banks. Specifically, the amendment will require nonbank financial institutions to report to the FTC any data breach affecting 500 or more consumers’ data. The rule gives financial institutions 30 days to report the breach, however the FTC encourages reporting as soon as possible. […]

The Securities and Exchange Commission (SEC) announced charges against SolarWinds Corp. and its chief information security officer (CISO), accusing the publicly traded company of misleading investors as to its vulnerability to cyberattacks. SolarWinds is accused of defrauding investors by overstating its cybersecurity practices, while failing to implement appropriate internal digital safeguards and ignoring red flags for years before announcing that it was the victim of a two-year long cyber attack in December 2020. This landmark lawsuit represents the first time in an SEC cyber case that the commission has alleged that an organization intended to deceive investors. Perhaps even more […]