Nobody likes admitting they have been hacked. It can scare away customers and investors, invite lawsuits, and lead to regulatory scrutiny. For years, a patchwork of federal and state rules governed when and how organizations disclose cyber breaches. For government contractors and federal program participants, specific and evolving contract terms and agency rules for reporting cyber incidents and implementing safeguards have been layered on top of those rules. But law enforcement has lamented the low levels of reporting and asked the business community to come forward and report breaches, so that law enforcement can better understand and assess cyber threats.

Now, the federal government is changing its approach. The U.S. Department of Justice is turning to threats of severe financial repercussions, expensive litigation, and reputation-busting press releases—in other words, the False Claims Act. On Oct. 6, 2021, the Justice Department’s number two official, Deputy Attorney General Lisa Monaco, announced a new Civil Cyber-Fraud Initiative. “For too long,” Monaco declared, “companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it.” Monaco announced, “[T]hat changes today” because, as part of the initiative, the Justice Department “will use [its] civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards—because we know that puts all of us at risk.”