The Docket: DOJ Is Done Playing Nice With Cybersecurity Failures

Two recent cases show the Justice Department is no longer treating cybersecurity negligence as a compliance issue. It's treating it as a crime.

The Justice Department just sent a message to every CISO in America: your security posture is no longer just a civil liability question. It's a criminal one.

Two recent cases confirm what many of us have been watching build for the past 18 months. DOJ is escalating cyber enforcement, and the pattern is clear. They're not going after hackers anymore. They're going after the people who let them in.

Here are the three signals every operator needs to understand.

Signal 1: Negligence Is the New Standard

DOJ used to prosecute fraud and obstruction. Now they're prosecuting failure to patch, failure to log, and failure to respond.

The standard is shifting from "did you lie" to "did you try." If you knew about the vulnerability and did nothing, that's enough. If you had the budget and chose not to spend it, that's enough. If you disabled logging because it was "too noisy," that's enough.

This is not about perfection. It's about reasonableness. And DOJ is defining reasonableness by what you didn't do, not what you did.

(Source: Federal News Network)

Signal 2: Individual Liability Is Back

The second signal is who they're charging. Not just the company. Not just the board. The people who made the decision.

CISOs. CIOs. CTOs. The people who signed off on deferring the patch. The people who decided MFA was "too hard for users." The people who knew the detection gaps and chose not to fill them.

This is the Uber playbook all over again, but wider. If you're in the decision chain and you chose wrong, you're in scope. Personal criminal liability is no longer theoretical.

(Source: ClassAction.org)

Signal 3: The Evidence Is Already There

The third signal is what DOJ is using as evidence. Not some elaborate sting. Not a whistleblower. Your own ticketing system.

Jira tickets that sat in the backlog for 18 months. Slack threads where someone said "we should patch this" and got no response. Risk registers that documented the threat and showed no mitigation. Audit findings that leadership acknowledged and then ignored.

Your internal comms are the prosecution's case file. If you documented the risk and did nothing, you documented the crime.

(Source: Top Class Actions)

What Companies Will Copy

Every GC is going to read these cases the same way. Here's what they'll tell their boards:

  1. Patch timelines are now legal timelines. If you can't articulate why a critical patch waited 90 days, you can't defend it in court.
  2. Risk registers are evidence. If you identify a risk and don't mitigate it, you're building the prosecutor's timeline. Either fix it or remove it from the register.
  3. Communication hygiene matters. Every Slack message, every email, every ticket comment is discoverable. If you wouldn't say it in a deposition, don't say it in Slack.

(Source: Regulatory Oversight)

What Leaders Should Do This Week

If you run security or legal, here's your checklist:

1. Audit your risk register. If something is on there and you're not fixing it, take it off or fix it. You can't afford the middle ground.

2. Review your patch SLAs. Can you defend your timelines to a prosecutor? If not, change them.

3. Talk to your GC about individual liability insurance. D&O policies don't always cover criminal defense. If you're a named decision-maker, you need coverage.

4. Clean up your comms. Train your team on what goes in writing and what doesn't. "We can't afford that right now" is not a legal defense. It's an admission.

5. Document your decisions. If you chose not to patch because you're waiting for a maintenance window, write it down. If you're deferring because you're testing compatibility, write it down. Silence looks like negligence. Documentation looks like process.

(Source: Fox Carolina)

The Bottom Line

DOJ is done treating cybersecurity as a compliance checkbox. They're treating it as a public safety issue. And when something becomes a public safety issue, negligence becomes a crime.

If you're a CISO, this is your new baseline. Reasonable care is no longer "industry standard." It's "what a jury will understand."

The breach is not the crime. The decisions before the breach are.

If you want the legal translation of what "reasonable" means in court, subscribe. Next week I'm breaking down what happens when your patch timeline becomes Exhibit A.

Question for readers: If you're running security, what's the one decision you've deferred that would look terrible in a deposition?
