Cybersecurity Risks

July 2025

The world of cybersecurity is rapidly evolving. So are the business risks associated with data breaches and protection of personal information. And as businesses continue to collect and process more personal information from consumers, the risks associated with that data will only continue to grow over time.

There are five key legal issues that have recently been the focus of courts and attorneys grappling with cyber risks. Reviewing and becoming familiar with these five issues can help reduce the risk of unauthorized access to your business’s proprietary and sensitive information and any personal information it may collect—and the legal consequences that may follow.

  1. All businesses need to understand that the legal and ethical use of technology requires information governance. As a starting point for any cybersecurity framework, information governance helps identify which technologies are appropriate and safe to use.
  2. The dismissal of data breach class actions is on the rise because plaintiffs have struggled to establish legally recognized damages caused by the specific data breach at issue.
  3. Bug-bounty programs are an extremely effective cybersecurity tool currently at risk of being dismantled by courts. These programs provide businesses with important information about existing network vulnerabilities.
  4. Despite rejecting various damages and causation theories, courts recently accepted the proposition that directors and officers of companies may be held personally liable for cybersecurity failures. Courts now are comfortable concluding that directors and officers should be aware of cyber risks, and, accordingly, owe fiduciary duties to their companies to protect against those risks.
  5. Finally, there has been an increase in cyberfraud, where individuals compromise the network of a business involved in digital transfers of large cash payments, such as escrow companies. Businesses should understand how these crimes occur and implement safeguards against them.

Issue 1: Information Governance

Information Governance refers to a business’s approach to managing information that is collected and processed throughout its lifecycle. It is the necessary starting point for identifying and reducing all risks from collecting and securing personal information. When beginning any information governance process, businesses should undertake the following assessments:

  • Analyzing whether technology is appropriate for a specific business purpose, can be competently used by employees, and can be transparently understood.
  • Determining how to maintain the confidentiality, integrity, and availability of information assets.
  • Identifying who should have access to data and limiting access to only those who need it.
  • Identifying risks to the information, and defining the business’s risk appetite and tolerance.
  • Meeting all legal and regulatory obligations, which includes ensuring the integrity of collected data.
  • Ensuring the business can manage the data it collects efficiently and pursuant to a clear retention policy, which includes discarding data that no longer has value.
  • Limiting retention to only that information needed to support the business’s strategies and goals while meeting any regulatory requirements.

To maintain the requisite knowledge and skill about cybersecurity risks, businesses must find and rely on experts—such as an external cybersecurity vendor or in-house Chief Information Security Officer—who fully understand and own the information governance process.

Issue 2: Damages and Causation in a Data Breach

Although the number of data breach class actions filed by plaintiffs has increased over the last few years, many have been dismissed in favor of the defendant. That, primarily, is because plaintiffs cannot prove the data breach at issue caused any harm, or that they suffered any damages that are recognized under the law. For example, courts regularly dismiss cases where the plaintiff’s information was never fraudulently used after a breach. However, once such fraud has occurred, courts likely will allow the lawsuit to proceed on those damages.

Because data breaches have been a regular occurrence for over a decade, it is very difficult to prove that harm was caused by any one breach. At this point, most personal information on most people is available somewhere on the internet as a result of some past data breach. Because of that, attributing the alleged harm in a lawsuit to a single data breach now is difficult for plaintiffs.

Businesses should understand the personal information they collect and how that information could be used to harm others. If that harm is analogous to one of the legally recognized categories of damages in a data breach, that information should be subject to greater cybersecurity protections.

Issue 3: The Use of Bug-Bounty Programs

Under a bug-bounty program, an external cybersecurity researcher uncovers a new vulnerability and informs the relevant company about the bug. The company then needs to determine the value of the information being brought to it (i.e., what the vulnerability is, how serious it is, and any solutions provided by the researcher), the motivations of the researcher, and whether it is appropriate—as a matter of company policy—to pay that researcher a bounty. If it is appropriate, the company pays the researcher for their work, and the researcher does not have to worry about criminal liability.

Bug-bounty programs are beneficial because they shift the incentives for everyone (both black- and white-hat hackers) exploring the internet for vulnerabilities. For example, in the absence of any bug bounty, individuals can only monetize a discovered vulnerability in a way that harms a company. That option, however, carries with it a strong possibility of failure and no financial return, as well as a risk of criminal liability under the federal Computer Fraud and Abuse Act and other laws. In contrast, bug bounties create a more certain beneficial option for these individuals.

Courts have started to attack the use of bug-bounty programs in a way that undermines their efficacy. Recently, the Ninth Circuit held that a business must inform a researcher that the researcher is allowed to explore the business’s computer network before that exploration occurs. United States v. Sullivan, 131 F.4th 776, 785 (9th Cir. 2025). But that discounts the reality that businesses are facing: External security researchers are individuals who explore the internet for hidden vulnerabilities, most effectively by entering a business’s computer network unannounced. Preventing them from doing so—or increasing their risk of criminal liability—will result in fewer public disclosures of security vulnerabilities, and possibly push beneficial security researchers into more nefarious activities such as a data breach.

Businesses should stay abreast of the benefits, consequences, and limitations of bug-bounty programs, and adopt them as appropriate.

Issue 4: Personal Liability for Third Parties in a Data Breach

Other than the common law tort for invasion of privacy, most liability related to the collection and other processing of personal data is created by statute. Typically, under those statutes, the company alone is directly liable if there is a mishandling of personal information resulting in damages. Recently, however, plaintiffs also have started naming individual company executives and board members in lawsuits for their roles in any mishandling of personal data, in an attempt to impose direct personal liability.

To avoid or reduce the risk that individual executives and board members will be personally named and held liable in a personal-data lawsuit, companies should adopt the following general steps:

  • Review and monitor all applicable data and cybersecurity laws to help ensure that the company is not affirmatively violating them.
  • Review and revise corporate governance documents to help ensure proper oversight and monitoring of personal-data risks.
  • Ensure proper cyber-risk training for all management and board members; ideally, have at least one board member with cyber expertise.
  • Review D&O (Directors & Officers) and other insurance policies to ensure that, to the extent possible, all executives and directors are indemnified for actions applicable to personal-data and cybersecurity incidents.

Taking these steps will help ensure that the company and its executives and directors provide sufficient data protections under the law, while also helping to protect those officers and directors from being exposed to individual and personal liability.

Issue 5: Fraudulent Money Transfers

Over the last few years, there has been increased activity in the world of cyber fraud. This refers to the practice of using the internet to illegally obtain money or goods from individuals or businesses through deceptive practices. Businesses that are involved in direct electronic transfers of money over the internet are most at risk. As an example, real estate escrow companies recently have been a massive target because the industry historically has not heavily invested in cybersecurity, many different parties are involved in their transactions, and the transactions often involve a single transfer of a large amount of money.

This crime most often occurs over email: The threat actor will compromise the email account of one of the parties involved in the transaction, pretend to be that party over email, and then eventually insert fraudulent wire-transfer instructions into the transaction. In that instance, the money often ends up in a bank account outside of the United States, and everyone involved in the transaction will have some risk and responsibility.

To reduce the risk associated with cyber fraud, businesses should take the following steps:

  • If you are experiencing one of these crimes, immediately file a complaint with law enforcement. That usually is the FBI, and its complaint form is located at https://complaint.ic3.gov/.
  • Quickly involve sophisticated cyber counsel, someone who has a strong relationship with the FBI. Combined with the step above, this action provides the best opportunity to retrieve or claw back the original fraudulent transfer.
  • Before any incident, create robust policies for all transfers of money. Those policies should include multiple processes to verify and approve a transfer. Ensure those processes include an actual conversation with a human, as opposed to electronic verifications only.

Recommendations

In sum, although the world of cybersecurity is rapidly evolving, there are concrete steps that businesses can adopt to reduce much of that risk. Right now, there are five key issues in cybersecurity that are important and rapidly evolving. Familiarizing yourself and your business with these five issues, and how to approach them, will put you in the best position to protect against the time, money, energy, and loss of reputation that comes from being an unprepared cyber victim.
