Justice Official Dangles Liability Protections to Encourage Private-Sector Breach Reports

Companies could shield themselves from legal challenges in the event of a cyberattack if they disclose such events to the Justice Department, a leading official told private-sector representatives.

“Victims can help avoid liability through working with law enforcement,” Deputy Attorney General Lisa Monaco said. “Those companies that stand with us and work with us will see that we’ll stand with them in the aftermath of an incident.”

Monaco was addressing a roundtable the department held Wednesday to advance collaboration from the private sector in the fight against ransomware. Her remarks highlighted both the benefits of coming forward and the consequences of withholding information when companies are attacked.

“When you're in discussions with your clients and they ask, ‘why should we go to law enforcement, what are the benefits?’ Well, here are the benefits: We make arrests. We hold people to account. We get money back. We will go after keys and get them to the victim,” Monaco said.

The FBI has been able to point to its recovery of a significant portion of the $5 million ransom Colonial Pipeline paid to hackers after an attack in May restricted fuel supplies along the East Coast. But bureau chief Christopher Wray also took heat from lawmakers for not sharing decryption keys in the agency’s possession with victims of the ransomware attack on IT management software provider Kesaya. The FBI was reportedly reserving the keys for use in an offensive maneuver. 

Monaco’s remarks to the private sector Wednesday stressed the role of nation-state adversaries in the ransomware epidemic and appealed to a sense of patriotism.

“The bottom line is, I believe it is bad for companies. It's bad for America and it hurts our efforts to uphold the values that we try to demonstrate, as a country, if companies are attacked, and don't partner with law enforcement, and thereby help disrupt these activities and prevent future victims,” she said.

She also reminded companies of the department’s Oct. 6 announcement that it would pursue hefty financial penalties from government contractors and grant recipients who fail to disclose breaches or implement appropriate protections.

“On the flip side, we need to make sure that there's tough enforcement, where it's appropriate,” Monaco said. “Where those who are entrusted with government dollars, who are trusted to work on sensitive government systems, where they fail to follow required cybersecurity standards or misrepresent their cybersecurity practices or capabilities, we're going to go after that behavior.”

Monaco also promised to protect and reward whistleblowers who come forward with information to enforce the False Claims Act under the new civil cyber fraud initiative.

“To those who witness irresponsibility that exposes the government to cyber breaches, our message is this: if you see something, say something. We will use all of the legal authorities in our reach to make sure you're protected and compensated,” she said.