Michael Bahar, Garrett Gibson, Jay Patel and Ronald Zdrojeski, Eversheds Sutherland
This is an extract from the 2023 Edition of GIR's The Americas Investigations Review. The whole publication is available here.
This article highlights the growing enforcement of cybersecurity and data privacy requirements by US federal agencies. It examines how the FTC, DOJ, SEC and others are ramping up investigations into data privacy and cybersecurity and increasing scrutiny of disclosures – and what companies can do to be prepared.
- Cybersecurity breaches are among the very top concerns for chief legal officers. In addition to the public relations fallout, business interruption and litigation costs, a breach can invite intense regulatory scrutiny, and even enforcement actions, from a growing number of federal agencies, not just state attorneys general.
- Attribution in cyberspace is notoriously difficult, and while the government insists it treats companies as victims, it does hold companies accountable for their cybersecurity practices.
- As cybersecurity and data privacy laws mature – or even come into being – we would anticipate seeing more cross-jurisdictional investigations and an uptick in internal whistleblowers’ reporting of cyber incidents.
- Companies need to ensure they are keeping up with cybersecurity best practices, which continue to evolve rapidly in light of new regulatory requirements and worsening cyberthreats.
Referenced in this article
- Federal Trade Commission
- US Department of Justice
- Federal Bureau of Investigation
- National Cyber Investigative Joint Task Force
- US Securities and Exchange Commission (SEC)
- SEC Whistleblower Program
Cybersecurity and data privacy consistently rank among the most pressing concerns for general counsel and chief legal officers across industries. While state attorneys general continue to ramp up their enforcement activity and private plaintiffs continue to aggressively file data breach class actions, the US federal government is increasing its enforcement tempo as well.
The key phrase is ‘as well’.
The US is an ever-expanding patchwork of privacy and cybersecurity requirements. For example, California is already amending its California Consumer Privacy Act via the California Privacy Rights Act, which provides for a dedicated privacy-specific regulator. Many other states, such as Connecticut, Utah, Colorado and Virginia, are also passing enhanced privacy laws, providing their attorneys general with enforcement authority to regulate data privacy. Meanwhile, many federal agencies are looking to engage more heavily in privacy and cybersecurity enforcement, including the FTC, SEC, DOJ and DHS, in addition to HHS (which enforces HIPAA).
This article focuses on federal agency efforts, which importantly will add to, not displace, state-based investigations and enforcement action. One federal agency’s investigation will likely not even displace another’s at the federal level.
President Biden’s May 2021 Executive Order, issued in the wake of the Colonial Pipeline ransomware attack, called on the federal government to step up its efforts ‘to work more closely with the private sector to share information, strengthen cybersecurity practices, and deploy technologies that increase resilience against cyberattack’. Many federal departments and agencies picked up the charge, including the Transportation Security Administration, which quickly put out detailed requirements for critical oil and gas pipeline operators; the SEC, which issued draft cybersecurity regulations stating the regulations will help ‘better inform investors about a registrant’s risk management, strategy, and governance and . . . provide timely notification to investors of material cybersecurity incidents’; and the DOJ, which indicated its intent to hold government contractors liable under the False Claims Act for cybersecurity breaches.
Not to be outdone by the Executive Branch, Congress, in March 2022, passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, requiring covered critical infrastructure entities to report significant cyber incidents and ransomware payments to DHS’s Cybersecurity and Infrastructure Security Agency. On 5 May 2022, President Biden signed into law the Better Cybercrime Metrics Act – an Act that encourages local law enforcement to report incidents of cybercrime to the Federal Bureau of Investigation (FBI) to build a cybercrime database.
These draft regulations, statements of intent and new federal laws point with eye-watering intensity towards not just increased disclosure requirements for many companies, but also to greater regulatory investigations and enforcement activity for those who struggle to maintain a comprehensive, coordinated and strategic approach to cybersecurity across all regulators.
Key players in investigations: who should be keeping you awake at night?
Companies in the US can no longer treat privacy as an ancillary concern; it is a matter of executive-level importance requiring a proactive, strategic response. Aside from the legal action and fines associated with cyber investigations, businesses risk the reputational harm that accompanies such investigations – sending a message to consumers that they are inadequately safeguarding consumer personal data. Managing the public relations fallout from a breach and the subsequent investigation and potential enforcement action can impose a massive burden on companies.
The US’s regulatory approach makes managing data privacy concerns even more fraught. Unlike what Europe and the UK have done (or tried to do) with the General Data Protection Regulation, in the US there is no single point of contact for privacy regulation and no unifying privacy or cybersecurity law applicable to all companies and all categories of personal information. The lack of uniformity makes navigating the cybersecurity landscape complex, and adding to this complexity is the fact that every federal agency approaches the issue from a different angle, largely because their enabling legislation, enacted decades ago, could not have conceived of the need for data privacy and cybersecurity regulation.
Thus, the authorities are having to stretch their powers, either through enacting new rules and regulations, or piggy-backing off existing laws, to cover these privacy and cybersecurity issues from their unique lens. For example, the FTC examines data-breach concerns through competition and consumer-protection angles. The DOJ, in turn, may look for criminal violations, including false claims. The SEC looks at the issue from the investment disclosure angle. The point is that each entity has different compliance requirements, and there is no single regulator to satisfy. Accordingly, when companies craft their approach to regulatory engagement, they should consider tailored yet coordinated and consistent approaches.
The FTC – leading the federal charge on enforcement
To date, the FTC has been the primary federal watchdog for privacy in the US. With the 11 May 2022 confirmation of Alvaro M Bedoya as Commissioner, it is anticipated that the FTC will pursue even more privacy reforms and enforcement actions. In the summer of 2021, the FTC further changed its policies, making it easier for the agency to bring investigative actions in certain areas, all of which strongly presages an impending wave of FTC investigations and enforcement actions.
The FTC’s enabling statute provides the agency with a road map for regulating consumer privacy. Under section 5 of the FTC Act, ‘the FTC has pursued privacy and data security cases in myriad areas, including against social media companies, mobile app developers, data brokers, ad tech industry participants, retailers, and companies in the Internet of Things space’. Since 2002, the FTC has brought more than 80 cases against companies that have engaged in unfair or deceptive practices that, in the FTC’s view, failed to adequately protect consumers’ personal data. Most, if not all, of these cases resulted in settlements and, among other things, required the company to ‘implement a comprehensive security program, obtain robust biennial assessments of the program, and submit annual certifications by a senior officer about the company’s compliance with the order’. In other words, companies are expected to hold themselves accountable – by implementing adequate privacy and cybersecurity safeguards voluntarily – before the FTC comes knocking. Privacy policies, in particular, are akin to cheques that a business must be sure it can cash. If it cannot, it risks FTC enforcement action.
As a consequence, after major data breaches or cyberattacks, an FTC investigation usually soon follows. These investigations are costly to undergo, and the fines (or settlements) can be enormous. One high-profile breach – which exposed the personal information of more than 147 million individuals – resulted in a global settlement that included a US$425 million consumer restitution fund. More recently, in an investigation of a social media company for failure to protect user data privacy in violation of a prior agreement with the FTC, the company was hit with a US$150 million civil penalty. These investigations and accompanying fines highlight the key prevention tasks that companies should be considering to get ahead of the FTC – starting with developing and maintaining comprehensive privacy and information security programmes, conducting written privacy reviews before implementing any new products or services that collect users’ private information, and conducting regular testing of data privacy safeguards – before being mandated to do so by the FTC.
The DOJ and FBI – looking for lax security and misrepresentations about data privacy
The DOJ, through the FBI and the National Cyber Investigative Joint Task Force, is the lead agency responsible for investigating and attributing cyber activities to bad actors, as well as for facilitating intelligence and information sharing. But increasingly, the DOJ is using pre-existing laws to target businesses for lax cybersecurity, particularly companies that contract with the federal government.
More specifically, the DOJ regularly investigates cyberattacks and breaches ranging from cyber activities that diminish national security to the theft of economic assets. The DOJ has long recognised that the threat of cyberattacks ‘demands ready and fluid means of sharing information and coordinating actions’ – and as such, has regularly partnered with other agencies, including the Interpol Global Complex, to ‘enhance its operational and investigative cyber capabilities through international cooperation and innovative technical solutions and systems’.
An example of the DOJ’s broad power to investigate cyberattacks is the Lichtenstein case – an investigation into the 2016 cyberattack on Bitfinex. In February 2022, the DOJ was able to seize more than US$3.6 billion worth of bitcoin – the largest financial seizure in the agency’s history. More importantly, this case shows that the DOJ not only has the power to initiate and conduct cyber investigations but also has the technical skills necessary to decrypt complex data related to cyberattacks.
But the DOJ does not merely prosecute the perpetrators of cybercrime; it also targets companies that fail to maintain adequate cybersecurity and fall victim to cyberattacks. To this end, the DOJ launched the Civil Cyber-Fraud Initiative in October 2021 in an attempt to enhance and expand its role in fighting cyberthreats by working with the US Attorneys’ Offices and using the False Claims Act and related ‘civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards’. The Initiative aims to hold accountable entities receiving taxpayer funding that put US government information or systems at risk by ‘knowingly providing deficient cybersecurity products or services, knowingly failing to comply with cybersecurity standards, knowingly misrepresenting their cybersecurity practices or protocols, and knowingly violating obligations to monitor and timely report cybersecurity incidents and breaches’. Any government contractor, government grant recipient or similarly situated entity doing business with the federal government is essentially held to heightened standards for data protection and could be the target of an investigation and prosecution if lax or non-compliant security policies lead to a data breach.
The DOJ has wasted little time in enforcing the Initiative. Less than six months after the launch, the DOJ investigated and settled its first case against a health service provider that failed to implement adequate cybersecurity protections for medical records improperly stored outside the medical records system. Notably, there was no allegation or finding that the security of the medical records system itself was non-compliant – only that data replicated outside the system was not given an appropriate level of cybersecurity protection. More importantly, this investigation was initiated without any cyberattack as a trigger. The matter was settled for US$930,000, but it shows the importance of implementing adequate security measures or else running the risk of being subject to an investigation. In addition, it is critical to note that the costs and fees associated with defending against a DOJ investigation, and the ensuing reputational damage, can often outweigh the monetary cost of the fine.
Last, it is important to note that the DOJ has consistently stressed the importance of companies self-reporting cyberattacks. In an October 2021 speech, Deputy Attorney General Lisa A Monaco made this point and listed the potential benefits of self-reporting:
We make arrests; we hold people to account; we get money back; we will go after keys and get them to the victim; and victims can help avoid liability through working with law enforcement, and those companies that stand with us and work with us will see that we stand with them in the aftermath of an incident.
This message, along with the history of FTC- and DOJ-led cyber investigations, only goes to show that businesses need to start implementing adequate privacy and cybersecurity protocols and management systems, particularly if they are involved in federal contracting or receive taxpayer funds.
In short, the DOJ is taking a dual-pronged approach by pursuing both the perpetrators of cyberattacks and companies that have weak cybersecurity and leave themselves vulnerable to attack. It is often more difficult and time-consuming to track down the perpetrators, so we should expect that companies that fall victim to a breach and have insufficient cybersecurity standards could face a DOJ-led investigation into their practices.
The SEC – focusing on disclosures of cyber incidents
Cybersecurity breaches can have a significant impact on public companies, and if they can affect share prices or impact the financial system as a whole, the SEC expects public disclosures. In March 2022, the SEC released a proposed rule that, upon taking effect, would mandate initial and periodic reporting about ‘material cybersecurity incidents’ and ‘periodic disclosures about a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk’. If adopted, these regulations would bring about clear lines of reporting for public company data breaches.
But, even without the proposed rule being in force yet, the SEC has already been relying on interpretive guidance requiring the reporting of ‘material cybersecurity risks and incidents in a timely fashion’. Based on these requirements, the SEC has not shied away from aggressive enforcement against public companies for non-disclosure of cyber incidents. For example, in June 2021, the SEC imposed a penalty of nearly US$500,000 on First American Financial Corporation, which had failed to adequately and promptly inform its senior executives of the extent of a massive data breach. The SEC’s press release stated that:
First American’s senior executives were not informed that the company’s information security personnel had identified the vulnerability several months earlier, but had failed to remediate it in accordance with the company’s policies. The order finds that First American failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerability was analyzed for disclosure in the company’s public reports filed with the Commission.
The SEC’s clear trend is towards examining and cracking down on public companies’ inadequate disclosure of cybersecurity events and their failure to live up to their cybersecurity commitments and best practices. Truthful, prompt reporting is key to preventing a company that is already the victim of a cyberattack from also becoming the target of an SEC investigation. Maintaining a clear cybersecurity incident response plan that includes proper information channels to senior executives, and preparing accurate disclosure forms, is critical to avoiding an SEC penalty.
Scanning the horizon for future trends
As discussed, data privacy laws and cybersecurity investigations are still developing. To try to understand how laws and regulations around these issues might evolve, it is worth reviewing analogous regulatory and enforcement regimes that, like cybersecurity, require comprehensive and strategic planning and the enactment of preventive measures.
Possibilities of transnational cybersecurity investigations and prosecutions
Increasingly, data breaches are taking on a global aspect, raising the question of whether we will see more cross-border investigations and enforcement actions. On technical regulations, US, Canadian, EU and UK regulators often share knowledge and best practices and track closely what their counterparts are doing. The global push for data privacy regulations is likely to lead to cross-border coordination of enforcement actions when data privacy regulations are breached across multiple jurisdictions.
The Foreign Corrupt Practices Act (FCPA) offers a potential preview of cross-border enforcement actions. FCPA enforcement is a top priority of the DOJ and SEC. In recent years, US authorities have aggressively investigated and charged corporations and individuals for foreign bribery and related conduct. FCPA investigations can be extremely expensive, and resolving enforcement actions is often very costly in terms of direct fines and penalties, as well as collateral consequences (reputational damage, costly monitorships, etc). In May 2022, a large mining and commodities conglomerate paid almost US$1 billion to settle a coordinated FCPA enforcement action brought by the DOJ and its counterparts in the UK and Brazil. The matter demonstrated that global coordination can bring about a concerted penalty for global violations.
The FCPA has been around for 45 years – much longer than recent data privacy laws and task forces. It has developed into a formidable law enforcement tool that is applied across borders and in coordination with law enforcement agencies in other jurisdictions. As companies continue to expand internationally, we should expect to see coordinated cross-border enforcement, potentially between the FTC and EU regulators and potentially resolved through deferred prosecution agreements, to crack down on large-scale international data breaches.
Will the number of whistleblowers increase?
It is not always obvious when data breaches occur. Sometimes they are only discovered by alert employees or contractors. One potential item of concern is whether such employees might be rewarded as whistleblowers. Implementing such a programme could dramatically increase investigations into data breaches. The SEC’s Whistleblower Program offers a look at an existing programme that could be leveraged by employees. Since the SEC established its Whistleblower Program in 2011 – offering awards to eligible whistleblowers who provide original information that leads to successful SEC enforcement actions and related actions brought by other regulatory or law enforcement authorities – over 50 per cent of all resulting investigations have arisen from those closest to the company, such as current or former (often disgruntled) employees. Although this same trend has not yet developed in the case of cyber investigations, it is certainly possible that it is on the horizon, particularly as federal authorities ramp up enforcement of data-breach disclosure violations.
Recall that whistleblowers can reap significant rewards for the information provided. For instance, since the inception of the SEC Whistleblower Program in 2011, the SEC has paid more than US$1.3 billion in awards to whistleblowers – the largest awards being US$114 million, US$110 million and US$50 million. And because cyber incidents are likely to yield similar, if not greater, monetary recoveries, a new trend of increased cyber investigations is likely to surface.
Recently, a number of federal agencies have proposed protections and new incentives for cyber whistleblowers. The DOJ is among the first federal agencies to have taken active steps to encourage cybersecurity whistleblowing. In October 2021, the DOJ launched the Civil Cyber-Fraud Initiative, aimed at ‘combat[ing] new and emerging threats to the security of sensitive information and critical systems’ through the use of civil enforcement actions. The Initiative utilises the False Claims Act to pursue cybersecurity-related fraud and, more importantly, relies on that statute’s qui tam provisions, which allow private parties who provide information relevant to an investigation to share in any of the assets recovered.
Although the SEC has not explicitly extended its programme to cyber whistleblowing, in January 2022 it disclosed a variety of cyber initiatives involving cyber hygiene and preparedness, cyber incident reporting to the government, and disclosure to the public. Three short weeks later, the SEC announced it was proposing an amendment to its existing whistleblower programme rules to ‘help ensure that whistleblowers are both incentivized and appropriately awarded for their efforts in reporting potential violations of the law to the Commission’ – thereby potentially extending the scope to cyber whistleblowers.
Notably, the US is not alone in extending cyber whistleblower protections and incentives. The EU Whistleblower Directive, which member states were required to transpose into national law by December 2021, includes the ‘protection of privacy and personal data, and security of network and information systems’ among its reporting categories and prohibits retaliation against those who report such matters. Such incentives from regulators are likely to drive an increase in cyber whistleblowing in the near future, especially if the reward payments are similar to the current SEC whistleblower payouts and if anonymity is permitted.
Cybersecurity and data privacy concerns cut across all companies and across all industries. Nearly every company is the custodian of reams and reams of highly sensitive, personal data. Whether through the actions of a sophisticated, well-resourced hacking group or the inadequate implementation of data protection safeguards, a data breach or failure to protect consumer personal information can lead to instant reputational damage, loss of business, litigation and scrutiny from numerous regulators at both the federal and state levels. A large-scale cyber investigation can quickly become a veritable nightmare for any company to manage successfully.
Recent investigations are beginning to map out the important considerations for companies to establish best practices for data security: develop and regularly maintain a ‘comprehensive privacy and information security program’ that starts at the top of the organisation and permeates through it, conduct written privacy reviews before implementing new products or services that collect users’ private information, institute cybersecurity and privacy by design, conduct regular testing of data privacy safeguards, and err on the side of transparency when issues arise. By implementing these tasks and meaningful cybersecurity protocols, companies can mitigate their potential exposure to government enforcement actions.
But we are only at the beginning of data privacy enforcement actions. Each year, the amount of data collected increases exponentially, and more and more jurisdictions are enacting laws to protect privacy and data. As the public becomes more sensitive to protecting personal data, we would expect that government resources spent on cybersecurity enforcement actions could rival or even exceed those spent on other major areas of criminal enforcement. Given that the true perpetrators are difficult to catch, we would expect to see an increasing crackdown on companies that fail to maintain proper cybersecurity, in the form of coordinated agency investigations and potentially cross-border investigations.