- Insider Threats: Insider threats occur when an employee, contractor, or other individual with authorized access to sensitive information intentionally or unintentionally compromises data security.
Insider threats are particularly dangerous because they come from trusted individuals who have direct access to corporate systems.
- Data Breaches: Data breaches involve unauthorized access to a company’s systems, leading to the theft or exposure of sensitive information. Breaches can occur due to vulnerabilities in security systems, human error, or sophisticated cyberattacks.
The consequences of data breaches often include legal liabilities, regulatory fines, and reputational damage.
Regulatory Framework for Cybersecurity
In the United States, companies must adhere to a range of federal and state cybersecurity regulations designed to protect sensitive data and ensure accountability in data management practices.
Key regulatory requirements include:
- Federal Trade Commission (FTC): The FTC enforces data security standards for companies, ensuring they take reasonable steps to protect consumer data. Businesses that fail to meet these standards may face significant fines and legal penalties.
- Health Insurance Portability and Accountability Act (HIPAA): HIPAA sets strict cybersecurity standards for the healthcare industry to safeguard patient information. Covered entities, including healthcare providers and insurers, must implement appropriate security measures to protect health data from unauthorized access.
- Gramm-Leach-Bliley Act (GLBA): The GLBA requires financial institutions to protect the privacy of consumer financial information. Companies must establish safeguards to prevent data breaches and inform customers about how their data is protected.
- State-Specific Data Breach Notification Laws: Many U.S. states have enacted data breach notification laws that require companies to promptly inform affected individuals if their personal information is compromised. Compliance with these state-specific regulations is crucial for maintaining transparency and trust.
- Cybersecurity Maturity Model Certification (CMMC): Companies working with the U.S. Department of Defense must comply with CMMC standards to protect sensitive government data. These standards mandate specific cybersecurity practices to safeguard federal information.
Cybersecurity Best Practices
- Employee Training: Employees are often the first line of defense against cybersecurity threats. Educating employees to recognize threats such as phishing attacks is crucial for minimizing the risk of security incidents.
- Data Encryption: Encrypting sensitive data both in transit and at rest is an effective way to prevent unauthorized access. Encryption ensures that data remains secure even if it is intercepted by malicious actors.
- Access Controls: Implementing strong access controls helps ensure that only authorized personnel have access to sensitive information. This includes using multi-factor authentication (MFA) and regularly reviewing access privileges.
- Incident Response Plans: Developing and implementing an incident response plan is vital for responding quickly and effectively to cybersecurity incidents. A well-designed response plan helps to minimize damage, protect data, and ensure that normal operations can be restored as soon as possible.
Role of Whistleblowers in Cybersecurity
Whistleblowers play a crucial role in reporting cybersecurity vulnerabilities or breaches that may go unnoticed by management or regulatory authorities.
Their actions help to protect consumers, shareholders, and the broader public from the negative consequences of cyber incidents.
- Legal Protections: Whistleblowers in the cybersecurity space are protected under various laws, including the Dodd-Frank Act and other whistleblower protection statutes.
These protections are designed to prevent retaliation and encourage individuals to come forward with information.
- Financial Incentives: The SEC and other regulatory bodies offer financial rewards to whistleblowers who provide valuable information that leads to successful enforcement actions.
These incentives help to motivate individuals to report misconduct or vulnerabilities that could pose a risk to public safety.
At Dilendorf Law, we assist corporate insiders in addressing situations where they are asked to engage in unethical, unlawful, or questionable practices, or when they have concerns that their employer may be violating securities or other laws.
Whistleblower Awards
Whistleblowers may be eligible for an award when they voluntarily provide the SEC with original, timely, and credible information that leads to a successful enforcement action.
Whistleblower awards can range from 10% to 30% of the money collected when the monetary sanctions exceed $1 million.
Notable Cybersecurity Breaches
Notable cybersecurity breaches have led to significant legal cases in the United States, addressing issues such as data theft, identity fraud, and the adequacy of cybersecurity measures.
These cases often involve claims of negligence, violations of federal statutes, and the responsibilities of companies to protect sensitive information.
- In Dipierro v. Fla. Health Sciences Ctr., Inc., plaintiffs alleged that Tampa General Hospital’s failure to employ reasonable data security practices led to a data breach, resulting in the theft of private information that may have been sold on the dark web. The case was consolidated with other similar suits and stayed pending mediation. Dipierro v. Fla. Health Sciences Ctr., Inc., 2024 U.S. Dist. LEXIS 107850.
- In Reetz v. Advocate Aurora Health, Inc., the appellant had standing to bring claims in a data breach identity theft case, as she showed actual damages from fraudulent charges and time spent mitigating future identity theft. The court found that the economic loss doctrine did not bar her common-law negligence claim. Reetz v. Advocate Aurora Health, Inc., 2022 WI App 59.
- In FTC v. Wyndham Worldwide Corp., the FTC alleged that Wyndham engaged in unfair and deceptive practices by failing to secure its network, leading to multiple data breaches. The court upheld the FTC’s claim, emphasizing that Wyndham’s inadequate cybersecurity measures resulted in significant consumer harm. FTC v. Wyndham Worldwide Corp., 799 F.3d 236.
- In Pisciotta v. Old Nat’l Bancorp, the court dismissed a case seeking compensation for credit monitoring services after a data breach, ruling that Indiana law did not recognize the harm caused by data exposure as compensable. Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629.
- In Kaspersky Lab, Inc. v. United States Dep’t of Homeland Security, the court upheld Congress’s decision to remove Kaspersky’s products from federal networks due to cybersecurity risks, finding the legislative action reasonable given the potential harm. Kaspersky Lab, Inc. v. United States Dep’t of Homeland Security, 909 F.3d 446.
- In In re Altaba, Inc., the court required a dissolved company to reserve $400 million for indemnification claims related to consumer data breach lawsuits, emphasizing the company’s lack of transparency and the significant number of affected customer accounts. In re Altaba, Inc., 264 A.3d 1138.
- In In re SolarWinds Corp. Sec. Litig., the court addressed a cybersecurity breach at SolarWinds, focusing on the adequacy of the company’s cybersecurity measures and the scienter of its executives. The court dismissed claims against one executive but allowed plaintiffs to amend their complaint. In re SolarWinds Corp. Sec. Litig., 595 F. Supp. 3d 573.
- In United States v. Agarwal, the defendant pleaded guilty to charges related to unauthorized access to protected computers and identity theft. The court noted the significant resources companies devoted to investigating and remediating the breaches caused by Agarwal’s actions. United States v. Agarwal, 24 F.4th 886.
- In Walsh v. Alight Sols. LLC, the court enforced an administrative subpoena issued by the U.S. Department of Labor to investigate cybersecurity breaches at Alight Solutions, affirming the Department’s authority under ERISA and rejecting the company’s arguments against the subpoena. Walsh v. Alight Sols. LLC, 44 F.4th 716.
Legal Support for Victims and Whistleblowers
Dilendorf Law offers comprehensive legal support for victims of cybersecurity breaches and whistleblowers reporting incidents.
We work with whistleblowers to bring their matters to the SEC, collaborating with a former prosecutor and securities enforcement attorney.
If we accept your case, our services are offered on a contingency basis, meaning you pay only if we succeed.
For more information, reach out to Dilendorf Law Firm at (212) 457-9797 or by email at info@dilendorf.com; we will guide you through the process and protect your interests.