Sound the Alarm: DOJ’s New Criminal and Civil Tools to Combat Crypto-Cyber Threats Should Prompt Investment in Cyber Compliance
As a strong signal that it intends to increase its focus on illicit crypto transactions, the Department of Justice (“DOJ”) announced the creation of an enforcement team, the National Cryptocurrency Enforcement Team (“NCET”), on October 6, 2021. NCET will tackle crimes involving cryptocurrency while increasing intra-departmental collaboration among cybercrime and money laundering divisions to try to recover the illicit proceeds from these crimes. Arriving in the wake of DOJ’s Cryptocurrency Enforcement Framework issued in October 2020 and omnipresent cybercrime involving demands for ransom payments that are delivered on virtual currency platforms, NCET represents another DOJ investment in corralling crypto activity. The formation of NCET may also mean that DOJ intends to ratchet up scrutiny of corporate compliance programs designed to guard against cyber threats that involve cryptocurrency transactions.
Supervised by the recently appointed Assistant Attorney General, Kenneth A. Polite Jr., NCET will investigate and prosecute illegal activity related to cryptocurrency, virtual currency exchanges, mixing and tumbling services, and money laundering infrastructures. A DOJ press release claims that NCET will work closely with other relevant departments. The enforcement team will “combine the expertise of the Department of Justice Criminal Division’s Money Laundering and Asset Recovery Section (MLARS), Computer Crime and Intellectual Property Section (CCIPS) and other sections in the division, with experts detailed from U.S. Attorneys’ Offices.” DOJ also claims that its cyber experts will help trace and recover assets lost to ransomware groups via cryptocurrency payments induced by fraud and extortion, in an effort to strengthen the government’s capacity to “dismantle the financial entities that enable criminal actors to flourish.” Citing the broad use of cryptocurrency in criminal activity including ransomware, money laundering, illegal operation of money services business, and “dark market” transactions for drugs, weapons, malware, and hacking tools, DOJ claims that “NCET will foster the development of expertise in cryptocurrency and blockchain technologies across all aspects of the Department’s work.”
Notably, DOJ announced the formation of NCET the same day it announced the Civil Cyber-Fraud Initiative, which, by expanding the False Claims Act (“FCA”) to enforce cybersecurity requirements, demonstrates further efforts by DOJ to enforce cybersecurity laws with every tool in its arsenal. In addition to holding accountable recipients of government funds who “knowingly provid[e] deficient cybersecurity products or services” or “knowingly misrepresent their cybersecurity practices or protocols” to the government, the Cyber-Fraud Initiative will, according to its press release, use the FCA to prosecute knowing violations of “obligations to monitor and report cybersecurity incidents and breaches.” It is still unclear what these “obligations” entail. NCET’s objectives dovetail with the Cyber-Fraud Initiative’s goal to “build broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners.”
Why This Matters
Organizations of all sizes and across industries are (rightfully) worried about suffering a cybersecurity attack. Take DOJ’s own investments as a cue to invest in your own compliance program. Daily news echoes this message in acknowledging, for example, the “BlackMatter” hacking syndicate that has targeted the agriculture sector in recent months and the Department of Commerce’s proposed rule to require a license to sell “intrusion software” due to increased hacking incidents that threaten human rights.
In light of widespread attention to cybercrime and the unregulated cryptocurrency markets, the corporate world is on notice. Illegal cryptocurrency activity and cybercrime are inextricable, and the DOJ’s investment in NCET and the Cyber-Fraud Initiative means: (1) corporate victims of cybercrime could be charged for inadequate cybersecurity controls; and/or (2) companies that publicly tout their cybersecurity controls as “strong,” “reasonable,” or “adequate” and then suffer an attack could be liable for disclosure violations. Companies also face risk related to data breach notification procedures. Reacting to cyber threats with revamped policies and procedures may not be sufficient. NCET and the Cyber-Fraud Initiative, even if slowly and indirectly, will likely define the contours of reasonable controls, appropriate disclosure language, and effective incident response protocols.
To preempt DOJ’s enhanced scrutiny, consider creating a cybercrime task force within your organization, stacked with individuals fluent in cryptocurrency-related risks (e.g., cryptojacking) and the regulatory landscape. Compile and disseminate educational materials to employees and constituents about general cyber threats and those unique to your business. Know your data breach notification and reporting obligations. Finally, at minimum, construct an incident response plan to activate in case of an emergency and revisit it at regular intervals to ensure it keeps pace with an ever-evolving cybercrime landscape.
There could be a karmic benefit from your investment in compliance: among other goals, the Cyber-Fraud Initiative is committed to “ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage.” According to Deputy Attorney General Lisa Monaco, DOJ will extract “very hefty, very hefty fines” from “those entrusted with government dollars” to adequately penalize violations, and thereby reward model entities. As the Cyber-Fraud Initiative establishes new cybersecurity precedent applicable to government contractors, it is a matter of time before the rest of the corporate world conforms. Prepare now.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.