The error and omission of not enforcing mandatory security training covering posting plaintext passwords to public sites for CISA contractors is itself an act of gross negligence.

So much so the contracting company’s insurer would cite it as the reason why the claim is not covered by their policy.