How organizations can respond fast to data breaches and avoid investigations

Dec. 16, 2024
In today’s menacing cyber threat environment, the challenges of mitigating crippling attacks multiply.

The last two years have demonstrated that no organization is immune from cyberattacks.  Indeed, numerous studies have reported that most businesses have been impacted by at least one cyberattack over the past year.  No organization is too small to be hacked.  Even federal government agencies with substantially more resources than most businesses have been penetrated by our adversaries.  Data breaches have affected companies of all sizes and sectors, costing the United States billions of dollars in damages.

Thus, it is not a matter of whether your organization will experience a data breach but when.

As the threat of cyberattacks has increased, so too have the costs of data breaches.  According to IBM’s 2024 Cost of a Data Breach Report, the global average cost of a data breach is $4.88 million.  In the United States, however, the average cost is far steeper than in any other country, at $9.36 million, which likely stems from U.S. companies being targeted for ransomware attacks more frequently than companies elsewhere.  According to a 2024 study of ransomware shame/leak sites, 59% of all ransomware attacks involved U.S. victims.  Significantly, breach costs are highest in the healthcare and financial industries; the average healthcare breach costs $9.77 million.  These numbers are staggering, but your organization can significantly reduce the impact of a data breach or cybersecurity incident, and the threat of criminal and civil liability, by implementing a cyber incident response plan (IRP) and creating a culture of cyber resilience and preparedness.

A checklist of how organizations can prevent cyberattacks and minimize liability risks is available here.

As detailed below, the liability risks for mishandling your cybersecurity obligations have grown exponentially over the last few years.  Federal agencies, especially the U.S. Department of Justice (DOJ) and the U.S. Securities and Exchange Commission (SEC), are aggressively scrutinizing cybersecurity compliance and disclosures concerning data breaches and the use of artificial intelligence (AI).  They conduct numerous investigations in these areas, bringing civil enforcement proceedings and criminal prosecutions.  Further, these enforcement actions have been far-reaching and have demonstrated that both corporate executives and the corporation itself can be liable for mishandling cyberattacks, failing to implement adequate internal controls, and failing to comply with cybersecurity regulations.

The Current Cyber Threat Landscape

Our country's unprecedented cyber threats will likely only worsen as AI accelerates cyberattacks while increasing potential vulnerabilities.  Cyberattacks represent not only an immediate threat to the national security of the United States but also a long-term erosion of the U.S. competitive advantage in the global economy when nation-state actors steal our technology and data.  Intellectual property theft costs the U.S. economy an estimated $225 to $600 billion annually.  According to the Office of the Director of National Intelligence’s 2024 Annual Threat Assessment, “China remains the most active and persistent cyber threat to the U.S. Government, private sector, and critical infrastructure networks.”  Over the last year, several Chinese state-sponsored cyber campaigns involving Advanced Persistent Threat (APT) groups, including Volt Typhoon, Flax Typhoon, and Salt Typhoon, have come to light.  Volt Typhoon compromised numerous IT networks in the U.S. and was prepositioning itself to disrupt or destroy critical infrastructure in the event of a conflict with the United States.  The damage caused by Salt Typhoon’s infiltration of U.S. broadband providers AT&T, Verizon, and Lumen Technologies has been described as “potentially catastrophic,” as it allowed the Chinese hackers to access court-authorized wiretapping data, which may have given the Chinese Government insight into U.S. national security investigations.

Unfortunately, 2023 was a record-breaking year for ransomware and supply chain attacks, and the pace of cyberattacks in 2024 has been relentless, causing significant disruptions, especially in the healthcare sector.  The major 2024 cyberattacks have included crippling ransomware attacks (the breach of Change Healthcare, owned by UnitedHealth Group, the most significant healthcare data breach to date, affecting at least 100 million individuals, and the attack on software maker CDK Global that disrupted thousands of car dealerships across the U.S.), the exploitation of a high-severity zero-day vulnerability in Ivanti’s VPN appliances affecting thousands of users, the hijacking of hundreds of routers by both Russian and Chinese government-sponsored hackers, and the massive theft of data from Snowflake customer accounts using stolen credentials.  Artificial intelligence (AI) tools have supercharged cyberattacks, allowing threat actors to scan for, identify, and weaponize vulnerabilities in target networks far more quickly than ever.  AI tools have also been used to craft more persuasive phishing emails, create voice clones and deepfake videos to orchestrate fraud schemes, and develop malicious code and new variants of malware that are less likely to be detected by cybersecurity tools.


Why Is an IRP Critical Now?

Companies that have an Incident Response Plan (IRP), institute comprehensive cybersecurity training, conduct table-top exercises of their IRP, and employ endpoint detection and response (EDR) security solutions and AI-powered detection tools greatly reduce the damage resulting from cyberattacks and from accidental or negligent cybersecurity incidents caused by corporate insiders or vendors.  Fewer than half of companies have an IRP, and 20% have no cybersecurity practices at all.  Now is the perfect time to implement or re-evaluate your organization’s IRP.  The first 24 hours after you discover a data breach are critical to (1) restoring your network security, (2) obtaining and preserving evidence for the cyber investigation, and (3) complying with your legal and contractual obligations.

The framework of an IRP has changed because of the frequency of cyberattacks and the damage they cause.  Incident response is now considered a critical part of cybersecurity risk management.  It needs to be integrated across an organization’s operations and governance to ensure the following vital functions are performed:

  • Prepare and Protect the Organization: Establish, communicate, and monitor the organization’s cybersecurity risk management strategy, expectations, and policy for the entire organization.  Identify the organization's current cybersecurity risks and ensure safeguards are implemented to protect the organization.
  • Detect Cybersecurity Incidents: Identify and analyze cybersecurity incidents and compromises by continuously monitoring for unauthorized activity across all assets (e.g., networks, network services, computing hardware and software, data, personnel activity and technology usage, the physical environment, and external service provider activities).  Monitor log events for known malicious and suspicious activity using Security Information and Event Management (SIEM) products, Endpoint Detection and Response (EDR) tools, and cyber threat intelligence so that compromises are identified and risks mitigated quickly.
  • Respond to Cybersecurity Incidents: Quickly evaluate reported and confirmed cybersecurity incidents and initiate the IRP for those that involve a potential compromise of the organization’s assets, data loss, or disruption to its operations, including a data breach, execution of ransomware or other malware, exfiltration of data, or account takeover.  Take all necessary actions to respond to a detected incident: preserve and analyze forensic evidence; contain the incident quickly and identify its root cause and entry points; mitigate the exploited vulnerabilities and the effects of the incident; and coordinate with internal and external stakeholders as required by laws, regulations, and company policies.  Establishing a “privileged” reporting and communication channel during a cybersecurity investigation is essential.  Further, your organization’s lawyers should retain and direct independent cybersecurity and forensic experts to secure your organization’s networks, stop data loss, and investigate the cyberattack.
  • Recover and Restore Operations: Restore the organization’s assets and operations after a cybersecurity incident by confirming that systems are functioning normally and by checking any restoration assets (e.g., backups) for indicators of compromise, file corruption, and other integrity issues before they are used on the network.

See National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61 Rev. 3 at 5 (Initial Public Draft, April 2024), which aligns incident response with the functions of the NIST Cybersecurity Framework 2.0.
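The Detect and Recover functions above each reduce to a check an incident response team can automate.  The following added example (not from the article, NIST, or any product) shows both: sweeping normalized log events against a threat-intelligence indicator list, escalating a host only when indicators of more than one kind corroborate each other, and refusing to put a restored file back on the network unless it matches a known-good hash manifest and matches no malware indicator.  All indicators, log lines, file contents, and hostnames are constructed for the example; the key=value log format, the hypothetical threat-intel feed, and the manifest are assumptions, not any vendor's format.

```python
"""Added illustration of two IRP checks: IOC sweep (Detect) and restoration
asset verification (Recover).  Every indicator, log line and file below is
constructed for the example; none is a real IOC or real incident data."""
import hashlib
import re
from collections import defaultdict

# Constructed threat-intelligence feed (hypothetical values, not real IOCs).
MALWARE_SAMPLE = b"constructed-malware-sample"        # stands in for a real binary
IOC_SHA256 = hashlib.sha256(MALWARE_SAMPLE).hexdigest()
THREAT_INTEL = {
    "ip": {"203.0.113.7"},                # TEST-NET-3 address, never routable
    "domain": {"update-check.example"},   # reserved example domain
    "sha256": {IOC_SHA256},
}

# Constructed log events in key=value form, as a SIEM might normalise EDR and proxy telemetry.
SAMPLE_LOGS = [
    "2024-12-10T02:14:05Z host=ws-117 proc=powershell.exe dst=203.0.113.7:443 action=connect",
    "2024-12-10T02:14:06Z host=ws-117 proc=powershell.exe dns=update-check.example",
    f"2024-12-10T02:15:00Z host=ws-117 file=C:/Users/a/AppData/x.exe sha256={IOC_SHA256}",
    "2024-12-10T08:00:00Z host=ws-042 proc=outlook.exe dst=198.51.100.4:443 action=connect",
    "2024-12-10T08:00:01Z host=ws-042 proc=outlook.exe dns=mail.example.com",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one log line into its leading timestamp and its key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def match_iocs(lines, intel=THREAT_INTEL):
    """Return one hit (timestamp, host, indicator kind, value) per indicator seen in the feed."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "?")
        if "dst" in ev:                              # destination IP, port stripped
            ip = ev["dst"].rsplit(":", 1)[0]
            if ip in intel["ip"]:
                hits.append((ev["ts"], host, "ip", ip))
        if ev.get("dns") in intel["domain"]:         # DNS lookup of a known C2 domain
            hits.append((ev["ts"], host, "domain", ev["dns"]))
        if ev.get("sha256", "").lower() in intel["sha256"]:   # known malicious file hash
            hits.append((ev["ts"], host, "sha256", ev["sha256"]))
    return hits


def hosts_to_escalate(hits, min_types=2):
    """Escalate a host only when indicators of at least `min_types` different kinds
    corroborate each other; a lone IP hit is often a false positive, a hash plus a
    C2 domain on the same host rarely is."""
    kinds = defaultdict(set)
    for _, host, kind, _ in hits:
        kinds[host].add(kind)
    return sorted(h for h, k in kinds.items() if len(k) >= min_types)


def verify_restoration_assets(restored, manifest, intel=THREAT_INTEL):
    """Check restored files against a known-good SHA-256 manifest and the IOC feed.
    Returns {path: reason} for every file that must not go back on the network."""
    rejected = {}
    for path, content in restored.items():
        digest = hashlib.sha256(content).hexdigest()
        if digest in intel["sha256"]:
            rejected[path] = "matches malware indicator"
        elif path not in manifest:
            rejected[path] = "not in known-good manifest"
        elif digest != manifest[path]:
            rejected[path] = "hash differs from known-good manifest"
    return rejected


# Constructed known-good manifest and a restored backup containing one modified
# config file and one planted binary.
GOOD_FILES = {"app/server.bin": b"server v1.2 release build", "app/config.yml": b"listen: 443\n"}
MANIFEST = {p: hashlib.sha256(c).hexdigest() for p, c in GOOD_FILES.items()}
RESTORED = {
    "app/server.bin": b"server v1.2 release build",
    "app/config.yml": b"listen: 443\nadmin_token: leaked\n",
    "app/updater.exe": MALWARE_SAMPLE,
}

if __name__ == "__main__":
    hits = match_iocs(SAMPLE_LOGS)
    for hit in hits:
        print("IOC hit:", hit)
    print("escalate:", hosts_to_escalate(hits))
    print("rejected:", verify_restoration_assets(RESTORED, MANIFEST))
```

Run as a script, it reports three hits on ws-117 (IP, domain and hash), escalates only that host, and rejects the tampered config file and the planted binary while passing the unchanged server binary.  In a real deployment the feed and manifest would come from the SIEM's threat-intel integration and from the build pipeline respectively, and the manifest itself needs to be stored where an intruder on the restored system cannot rewrite it.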

Penalties for Failure to Adhere to Evolving Federal Cybersecurity Requirements

To counter national security threats, the U.S. Government has taken a whole-of-government approach by increasing the number of regulations and enforcement activities at a feverish pace over the last two years, targeting cyber threats, foreign influence and investments, exports of U.S. technology and U.S.-origin goods, and protection of sensitive U.S. data.  DOJ has “surged resources” and expanded corporate crime investigations related to national security and emerging technologies, adding 25 white-collar prosecutors and a Chief Counsel for Corporate Criminal Enforcement to DOJ’s National Security Division.

Through its settlements, prosecutions, and public statements, the DOJ has made clear that cybersecurity and data security compliance are top priorities.  Liability for submitting false claims to the government is not limited to civil liability under the False Claims Act (FCA); it can also give rise to criminal liability under numerous federal criminal statutes, including 18 U.S.C. §§ 286-287 (making false or fraudulent claims and conspiracy to defraud the government concerning claims), 1001 (making materially false statements to the government or concealing material information from the government), 1343 (wire fraud), 1349 (conspiracy to commit wire fraud), and 1519 (obstruction of justice).  Indeed, in May 2023, the DOJ sought a 15-month prison sentence for Uber’s former Chief Security Officer, Joseph Sullivan, the first corporate executive to be criminally prosecuted for concealing a data breach, one that compromised the sensitive personal information of more than 600,000 Uber drivers.


In October 2022, a federal jury convicted Sullivan of obstruction of justice and misprision of a felony for failing to report a new Uber data breach while Uber was being investigated by the U.S. Federal Trade Commission for a prior one, and for taking actions to hide the new breach from the government.  Although the court declined to imprison Sullivan as the DOJ requested, this case should serve as a warning that the DOJ will seek stiff penalties, including imprisonment, for corporate insiders who cover up or conceal embarrassing cybersecurity mistakes and lie to federal officials.

DOJ’s Civil Cyber-Fraud Initiative

As the cyber threat landscape has grown more menacing, the government has increased its enforcement efforts against defense and government contractors.  In October 2021, the DOJ announced the Civil Cyber-Fraud Initiative and its intent to use the FCA to hold government contractors accountable for putting U.S. information and systems at risk by knowingly (1) providing deficient cybersecurity products or services, (2) misrepresenting cybersecurity practices or protocols, or (3) failing to monitor and report cybersecurity incidents and breaches.  DOJ’s decision to use the FCA to enforce cybersecurity compliance was significant, as the FCA allows the government to recover treble damages while incentivizing company insiders to report cyber-related fraud: its qui tam provision entitles a whistleblower to 15-30% of any funds recovered by the United States.

Since December 2017, the Department of Defense (DOD) has required contractors to comply with the cybersecurity requirements of Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012.  DFARS 252.204-7012 requires contractors and subcontractors to safeguard covered defense information on their networks by implementing, at a minimum, the 110 controls contained in NIST SP 800-171 Rev. 2, and to rapidly report cyber incidents within 72 hours of discovery.  DOD has thus far relied upon contractors’ self-representations and affirmations of compliance.  Beginning in December 2024, however, the final Cybersecurity Maturity Model Certification (CMMC) Program rule goes into effect after a nearly five-year rulemaking process.  CMMC is a verification framework designed to ensure that “defense contractors are compliant with existing protections for federal contract information and controlled unclassified information and are protecting that information at a level commensurate with the risk from cybersecurity threats, including advanced persistent threats.”  CMMC will be phased in over several years, but it requires contractors to file annual affirmations of compliance with DOD at all three CMMC levels, even where the company has obtained a third-party assessment.  Such affirmations could give rise to civil liability under the FCA or criminal liability for making a false statement to the federal government.

Since October 2021, DOJ has announced eight settlements (Comprehensive Health Services, Aerojet, JellyBean Communications, Verizon, Insight Global, Guidehouse together with Nan McKay & Associates, ASRC Federal Data Solutions LLC, and Pennsylvania State University) totaling nearly $30 million under the Civil Cyber-Fraud Initiative.  To date, DOJ’s investigations and settlements under this initiative have focused on noncompliance with cybersecurity requirements contained in federal contracts and subcontracts and failures to properly secure personally identifiable information (PII).  The two most recent settlements follow the same trend:

  • On October 15, 2024, ASRC Federal Data Solutions LLC agreed to pay $306,722 to settle allegations that it failed to properly secure Medicare beneficiary data under its contract for Medicare support services with Centers for Medicare and Medicaid Services (CMS), which resulted in unencrypted PII and personal health data of Medicare beneficiaries being compromised during a breach in 2022; and
  • On October 22, 2024, Penn State agreed to pay $1.25 million to resolve allegations that it violated cybersecurity requirements in 15 DOD and NASA contracts.


On August 22, 2024, the DOJ filed its first civil complaint under this initiative, a 99-page complaint-in-intervention against the Georgia Institute of Technology (Georgia Tech) and Georgia Tech Research Corp. (GTRC) for failing to comply with the cybersecurity requirements in their DOD contracts and thereby violating the FCA.  Earlier this year, DOJ’s Principal Deputy Assistant Attorney General warned that more cyber fraud cases would be coming, and this case signals that cybersecurity noncompliance will not be tolerated.  According to DOJ, Georgia Tech “failed to heed [DOD’s] warnings” about cyber threats and disregarded the cybersecurity requirements contained in its DOD contracts.  DOJ took over a whistleblower FCA lawsuit brought by two former senior members of Georgia Tech’s cybersecurity team and is seeking millions of dollars in damages for violations of the FCA as well as on breach of contract, fraud, negligent misrepresentation, unjust enrichment, and payment by mistake claims.

Georgia Tech, however, strongly disputes these claims and, on October 21, 2024, filed a motion to dismiss DOJ’s entire complaint.  The thrust of its arguments is that the cybersecurity rules do not apply to the university because it does not handle sensitive or controlled unclassified information.  Georgia Tech argues that the government’s FCA claims are flawed and “must be dismissed because they are premised on purported failures to comply with regulations that do not apply to university systems used to carry out fundamental research.”  Under its government research contracts, Georgia Tech claims it purely performed fundamental research, which is widely shared within the scientific community and not subject to any restrictions or controls, and it was therefore not subject to DOD’s cybersecurity rules.

Regardless of what happens in this litigation, DOJ’s decision to file suit against Georgia Tech underscores the importance of understanding and complying with all cybersecurity requirements in government contracts.  Government contractors and subcontractors, including academic institutions, should prepare now for additional scrutiny of their cybersecurity compliance to limit FCA liability risks.

SEC’s Cyber-Related Enforcement Activities

Similarly, the SEC has become highly aggressive about cybersecurity compliance and has launched numerous investigations of corporate victims of cyberattacks.  Since December 2023, the SEC’s cybersecurity incident disclosure rules have required public companies to report “material” cyber incidents on Form 8-K within four business days of determining that an incident is material.  In October 2023, the SEC brought unprecedented securities fraud charges against SolarWinds and its CISO, Timothy Brown, concerning Russia’s highly sophisticated supply chain attack on SolarWinds’ Orion software (SUNBURST).  This enforcement action sent shockwaves through corporate security departments: the SEC had never before brought charges for cybersecurity lapses or inaccurate cybersecurity disclosures associated with a cyberattack, or charged an individual for their alleged role in cybersecurity deficiencies.

Although in July 2024 U.S. District Judge Paul Engelmayer of the Southern District of New York dismissed a large portion of the SEC’s complaint against SolarWinds, finding that the charges “impermissibly” relied upon “hindsight and speculation,” the SEC appears undeterred in its aggressive stance towards victims of cybercrime.  On October 22, 2024, the SEC announced charges against four companies, Unisys Corporation, Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Limited, for issuing misleading disclosures following SUNBURST.  The SEC faulted these companies for minimizing the impact and true scope of the incident in their public disclosures.  In its press release, the SEC stated that these companies intentionally “downplayed” material cybersecurity risks and the impact of the SolarWinds Orion hack on their operations.  Such disclosures constituted illegal “half-truths” and left “investors in the dark about the true scope of the incidents.”  The companies paid a combined total of nearly $7 million in civil penalties to settle these charges.

Key Takeaways

  • Regardless of whether Georgia Tech’s motion to dismiss DOJ’s civil complaint is successful, one thing is unmistakably clear: DOJ intends to aggressively scrutinize cybersecurity compliance and hold organizations responsible for failures to protect sensitive information.  Lax cybersecurity and cybersecurity violations typically come to light when a breach occurs.  Thus, when an organization is already dealing with the highly stressful aftermath of a cyberattack, which typically requires rapid decisions based upon limited and incomplete information, its disclosures and internal investigation may also form the basis for a government enforcement action or criminal prosecution.
  • Public companies should avoid using generic or hypothetical terms to describe cybersecurity risks in their SEC filings if they know that a cyberattack has already occurred and that those risks have already materialized. Additionally, companies should update their cybersecurity disclosures as new information is learned from their internal investigations.
  • Organizations of all sizes face significant cybersecurity risks that should not simply be delegated to your IT department. The entire C-suite needs to take this seriously.  Failing to invest in cybersecurity preparedness and a robust cybersecurity compliance program could result in significant civil and criminal liability.  Federal agencies are looking to send a message by imposing substantial fines and bringing criminal charges to deter others from engaging in activity that could potentially harm U.S. national or economic security.  The number of data breach class action lawsuits has also exploded over the last two years, and a single cyber incident could result in hundreds of complaints.
  • The best defense to a data breach lawsuit is demonstrating that your organization implemented reasonable cybersecurity standards consistent with industry practice and complied with all federal and state data breach requirements.
  • No matter how strong your cybersecurity ecosystem is, your network will likely be breached given the ever-expanding threat landscape.  When a breach occurs, it is imperative to have a well-designed IRP that guides your organization through a stressful situation with step-by-step instructions rather than leaving your business to panic.  Your business must quickly determine whether personal or sensitive data has been compromised and make the required legal and contractual notifications within the applicable time frames.  Failure to do so may result in substantial and avoidable liability and penalties.

Please contact Hinckley Allen's cybersecurity lawyers if your organization needs assistance developing an IRP, responding to a data breach, or representing itself in data breach litigation.

Note: this publication is not meant to constitute legal advice and is provided for educational purposes only.

About the Author

B. Stephanie Siegmann | litigation partner, Chair of the International Trade & National Security Group, and Co-Chair of the Cybersecurity, Privacy & Data Protection group at Hinckley Allen

Leveraging her extensive trial experience as a former Navy JAG and national security prosecutor, B. Stephanie Siegmann at Hinckley Allen specializes in handling high-stakes criminal and civil litigation matters, sensitive internal investigations, government enforcement proceedings, and cyber-related incidents.  Stephanie is a litigation partner, Chair of the International Trade & National Security Group, and Co-Chair of the Cybersecurity, Privacy & Data Protection group.