As 2021 draws to a close, we wanted to share a recap of some of the most important cybersecurity developments we covered this past year along with some suggestions on what companies (particularly those that do business with the federal government) should expect in 2022. This is part two of a four-part series (you can read Part 1 here).

On October 6, 2021, the DOJ announced a new Civil Cyber-Fraud Initiative to enforce cybersecurity standards and reporting requirements. The Initiative will use the False Claims Act to pursue companies that do business with the government as well as federal grant recipients that “knowingly provid[e] deficient cybersecurity products or services, knowingly misrepresent[] their cybersecurity practices or protocols, or knowingly violat[e] obligations to monitor and report cybersecurity incidents and breaches.” You can read our article about the initiative here.

Putting it into Practice – What to expect in 2022: We expect DOJ will pursue enforcement actions against companies next year. As these actions progress – in addition to the possibility of companies agreeing to pay hefty amounts to settle – we hope to gain additional insight into the specific types of cybersecurity infractions the government intends to pursue. In the meantime, companies should keep this enforcement initiative in mind as they develop or enhance their cybersecurity policies or take on new cybersecurity contract clauses, and should seek to limit risk by ensuring they understand, and can comply with, government data security and reporting requirements.