The White House has now released its National Cybersecurity Strategy Implementation Plan to outline next steps for the strategy it first released in March. Read the update here.
The update promises that by the end of the year the feds will release findings on the need for, and potential structure of, federal involvement in cyberinsurance for catastrophic events (see bottom).
We weren’t surprised that the White House continues to kick details of a federal cyberinsurance backstop down the road, but we were interested to see that the plan calls for the use of the False Claims Act (FCA) against cybersecurity vendors (see below) and others. The FCA, first created to go after Civil War profiteers, allows the government to collect treble damages and a penalty for false claims made by federal contractors to the US government. The current law (see more here) also allows whistleblowers to file suit against contractors and collect part of the government’s recovery.
The White House strategy update notes that its “Civil Cyber-Fraud Initiative” (CCFI) will enable False Claims Act suits against “entities or individuals that put U.S. information or systems at risk” by knowingly “providing deficient cybersecurity products or services,” “misrepresenting their cyber practices or protocols” or violating monitoring and reporting obligations.
Given the large number of cybersecurity software and service providers to the government, federal cyber notification regulations (such as those imposed by the SEC), and related elements of the Strategy intended to force cyber vendors to make their products more secure, it seems to us that large numbers of companies, and their insurers, need to start worrying about their exposure to the FCA/CCFI. Let’s hope it improves America’s cybersecurity, because it will certainly increase work for the lawyers and regulators.