<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cybersecurity Tag Archives &#8212; Kang Haggerty News</title>
	<atom:link href="https://www.khflaw.com/news/tag/cybersecurity/feed/" rel="self" type="application/rss+xml" />
	<link></link>
	<description>Published By Kang Haggerty LLC</description>
	<lastBuildDate>Wed, 26 Nov 2025 20:06:58 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.8.3</generator>
	<item>
		<title>Legal Intelligencer: From Vulnerability to Liability: Understanding Today’s Cyber Claims and Enforcement</title>
		<link>https://www.khflaw.com/news/legal-intelligencer-from-vulnerability-to-liability-understanding-todays-cyber-claims-and-enforcement/</link>
		
		<dc:creator><![CDATA[Edward T. Kang]]></dc:creator>
		<pubDate>Wed, 26 Nov 2025 20:06:58 +0000</pubDate>
				<category><![CDATA[Publications]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Legal Intelligencer]]></category>
		<guid isPermaLink="false">https://www.khflaw.com/news/?p=7274</guid>

					<description><![CDATA[The speed and clarity with which institutions detect, escalate, investigate, and disclose cyber incidents directly influence the trajectory of litigation and regulatory scrutiny. Delays, ambiguities, or false or even incomplete notifications often become focal points in class-action claims, undermining institutional credibility. In the November 26, 2025 edition of The Legal Intelligencer, Edward Kang writes, &#8220;From [&#8230;]]]></description>
										<content:encoded><![CDATA[<p><em>The speed and clarity with which institutions detect, escalate, investigate, and disclose cyber incidents directly influence the trajectory of litigation and regulatory scrutiny. Delays, ambiguities, or false or even incomplete notifications often become focal points in class-action claims, undermining institutional credibility.</em></p>
<p>In the November 26, 2025 edition of <a href="https://www.law.com/thelegalintelligencer">The Legal Intelligencer</a>, Edward Kang writes, &#8220;<a href="https://www.law.com/thelegalintelligencer/2025/11/26/from-vulnerability-to-liability-understanding-todays-cyber-claims-and-enforcement/?slreturn=20251126150203">From Vulnerability to Liability: Understanding Today&#8217;s Cyber Claims and Enforcement</a>.&#8221;<span id="more-7274"></span></p>
<p>On Oct. 31, mass spam emails were sent from multiple university-affiliated accounts to members of the University of Pennsylvania community. The messages, sent from compromised “@upenn.edu” addresses, criticized the university’s data security practices and its institutional purpose, and suggested that internal systems had been infiltrated. Although UPenn’s Office of Information Security quickly disabled the compromised accounts and initiated a forensic investigation, the extent of any unauthorized access to personal information remained uncertain.</p>
<p>Only three days later, a class action was filed in the U.S. District Court for the Eastern District of Pennsylvania by a putative class of students, applicants, alumni and employees. The complaint alleges that UPenn failed to maintain reasonable cybersecurity measures despite collecting and storing personally identifiable information. Plaintiffs further allege that UPenn disregarded known cyber risks, failed to implement adequate monitoring and intrusion-detection systems, and did not act with sufficient urgency once the unauthorized access was discovered. The lawsuit seeks damages and injunctive relief requiring UPenn to strengthen its data security practices. Several other class action lawsuits followed within a few days.</p>
<p>While the factual investigation is ongoing, the speed with which the lawsuits followed the incident illustrates how rapidly cybersecurity events now trigger litigation and how strongly plaintiffs view institutional cybersecurity as an affirmative legal obligation rather than a technical aspiration.</p>
<h2>When a Cybersecurity-Related Claim May Be Brought</h2>
<p>Whether a cybersecurity incident becomes actionable depends on when plaintiffs can demonstrate that a lapse in these duties resulted in a concrete injury or created a substantial risk of imminent harm. Recent U.S. Court of Appeals for the Third Circuit and U.S. Supreme Court decisions provide a clear framework for this threshold.</p>
<p>The Supreme Court’s decision in <i>TransUnion v. Ramirez</i>, 594 U.S. 413 (2021), reshaped the standing landscape for data-related harm. In <i>Ramirez</i>, the putative class action against TransUnion alleged violations of the Fair Credit Reporting Act, including the defendant’s failure to follow reasonable procedures to ensure credit files were accurate. The court held that plaintiffs seeking damages must demonstrate a concrete injury. The plaintiffs whose information was not disseminated had not demonstrated a likelihood that their information would be disseminated, that the risk of harm materialized, or that the risk of harm itself independently harmed them, and therefore did not meet the concrete injury requirement. Although the case did not involve a cyber breach, its reasoning has become the foundation for evaluating modern data-security claims.</p>
<p>The Third Circuit has built on this framework in <i>Clemens v. ExecuPharm,</i> 48 F.4th 146 (3d Cir. 2022), which clarifies how the concreteness of a data-related injury can be assessed and when cyber-related harms become actionable within the circuit. <i>Clemens</i> involved a ransomware attack in which a criminal hacking group exfiltrated a trove of highly sensitive information, including Social Security numbers, bank-account details, and tax records, and then posted that information publicly on the dark web. The trial court dismissed the plaintiff’s complaint, reasoning that allegations of any speculative identity theft due to a data breach are insufficient to establish standing. The Third Circuit reversed, holding that the plaintiff had standing to sue because the publication of her data created a substantial risk of identity theft. The court emphasized that the nature of the compromised information, its availability to criminal actors, and the plaintiff’s mitigation efforts together satisfied the requirement of injury-in-fact.</p>
<p>Importantly, misuse is not always required. Plaintiffs may also pursue claims where an institution has made specific cybersecurity commitments, such as promises in admissions materials, donor communications, privacy policies, research data management plans, or federal grant certifications, and has failed to honor them. In these circumstances, claims based on breach of contract, negligent misrepresentation, or deceptive practices can attach even in the absence of confirmed misuse. The key question becomes whether the institution represented that it would implement certain controls and whether its actual practices fell short of these representations.</p>
<p>In practice, a cybersecurity claim becomes viable when unauthorized access is paired with any combination of: actual misuse or publication of data; demonstrable, nonspeculative mitigation efforts; emotional or reputational harm resulting from the breach; or the breach of specific, identifiable promises regarding cybersecurity practices. Courts are increasingly sophisticated in evaluating these elements, treating cybersecurity duties as enforceable components of institutional governance.</p>
<h2>The False Claims Act and Cybersecurity: An Expanding Enforcement Frontier</h2>
<p>While private plaintiffs increasingly turn to negligence and consumer-protection theories in the wake of cyber incidents, federal enforcement trends indicate that cybersecurity lapses carry implications far beyond private civil litigation. In particular, the Department of Justice’s civil cyber-fraud initiative has brought cybersecurity to the forefront of False Claims Act (FCA) enforcement—a development with significant implications for universities that receive federal funding.</p>
<p>Formally launched to address systemic underinvestment in cybersecurity among government contractors and grantees, the civil cyber-fraud initiative targets entities that knowingly misrepresent their cybersecurity practices or compliance with federal requirements; fail to implement cybersecurity controls that are express conditions of payment; or fail to report cyber incidents as required by federal regulations or contract terms.</p>
<p>Crucially, a breach is not required for there to be an FCA violation. Under the DOJ’s theory, the core wrong is the misrepresentation: if an institution certifies compliance with cybersecurity requirements, such as NIST SP 800-171 for controlled unclassified information or federal reporting requirements for cyber incidents, but has not actually implemented those measures, the certification itself may be a false claim.</p>
<p>Recent cases illustrate how this theory is applied in practice. In 2025, Illumina, Inc. paid nearly $10 million to resolve allegations that it had misrepresented compliance with federal cybersecurity requirements for medical device software, despite no breach having occurred. Earlier cases involving defense contractors similarly turned not on the theft of data but on failures to implement required controls under Department of Defense contracts.</p>
<p>This enforcement posture has sweeping implications. Any organization that contracts with the federal government or receives federal funds, whether in healthcare, defense, manufacturing, research, technology, or public services, may be subject to cybersecurity-related FCA scrutiny. Even complex, decentralized organizations must ensure that their internal practices align with the cybersecurity commitments outlined in contracts, bids, compliance certifications, or grant submissions. A gap between policy and practice, or between what is certified and what is actually implemented, can expose the organization to significant financial penalties and reputational harm.</p>
<p>Unlike class actions, which are made public, an FCA action is filed under seal. Such an action is kept under seal for months and sometimes years. That means, given the number and speed of class actions filed against the University of Pennsylvania, it would not be surprising if an FCA action had already been filed against the university.</p>
<h2>Conclusion</h2>
<p>Viewed together, the UPenn incident, the court’s standing jurisprudence, and DOJ’s expanding FCA enforcement signal that cybersecurity is now a critical legal and governance obligation. Underinvestment can quickly translate into legal exposure.</p>
<p>Incident response has also taken on heightened legal significance. The speed and clarity with which institutions detect, escalate, investigate, and disclose cyber incidents directly influence the trajectory of litigation and regulatory scrutiny. Delays, ambiguities, or false or even incomplete notifications often become focal points in class-action claims, undermining institutional credibility.</p>
<p>Ultimately, these developments underscore the need for proactive oversight. Effective cybersecurity now requires coordinated action across IT, legal, compliance, and administrative domains. Budgeting, staffing, vendor management, and periodic audits are no longer technical concerns; they are components of an institution’s legal risk profile.</p>
<p><b>Edward T. Kang</b> <i>is the managing member of Kang Haggerty. He devotes the majority of his practice to business litigation and other litigation involving business entities. Contact him at <a href="mailto:ekang@kanghaggerty.com">ekang@kanghaggerty.com</a>.</i></p>
<p><strong><em>Reprinted with permission from the November 26, 2025 edition of “The Legal Intelligencer” © 2025 ALM Global, LLC. All rights reserved. Further duplication without permission is prohibited. Request academic re-use from <a class="text-blue-800 underline hover:no-underline" href="https://www.copyright.com/">www.copyright.com.</a> All other uses, submit a request to <a class="text-blue-800 underline hover:no-underline" href="mailto: asset-and-logo-licensing@alm.com">asset-and-logo-licensing@alm.com.</a> For more information visit <a class="text-blue-800 underline hover:no-underline" href="https://www.law.com/asset-and-logo-licensing/">Asset &amp; Logo Licensing</a>.</em></strong></p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">7274</post-id>	</item>
		<item>
		<title>Legal Intelligencer: IT Security and Policy: Why All Lawyers Must Care About It</title>
		<link>https://www.khflaw.com/news/legal-intelligencer-it-security-and-policy-why-all-lawyers-must-care-about-it/</link>
		
		<dc:creator><![CDATA[Edward T. Kang]]></dc:creator>
		<pubDate>Fri, 15 Mar 2019 15:54:55 +0000</pubDate>
				<category><![CDATA[Publications]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Legal Intelligencer]]></category>
		<category><![CDATA[Technology]]></category>
		<guid isPermaLink="false">https://www.businesslitigationtrends.com/?p=249</guid>

					<description><![CDATA[In the March 21, 2019 edition of The Legal Intelligencer, Edward Kang, Managing Member of Kang Haggerty wrote &#8220;IT Security and Policy: Why All Lawyers Must Care About It.&#8221; Several years ago, my insurance broker suggested I get cybersecurity insurance for my firm. It seemed a cybersecurity insurance policy was unnecessary, not much different from [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>In the March 21, 2019 edition of The Legal Intelligencer, Edward Kang, Managing Member of Kang Haggerty wrote &#8220;<a href="https://www.law.com/thelegalintelligencer/2019/03/21/it-security-and-policy-why-all-lawyers-must-care-about-it/">IT Security and Policy: Why All Lawyers Must Care About It</a>.&#8221;</p>
<p>Several years ago, my insurance broker suggested I get cybersecurity insurance for my firm. It seemed a cybersecurity insurance policy was unnecessary, not much different from having an undercoating for a new car. That was then. Now, the benefits of having a cybersecurity insurance policy are not reasonably in dispute these days. In addition to having the security of insurance, another (and more important) benefit of getting a cybersecurity insurance policy was the requirement that I have an IT security and breach policy that deals with how to prevent a security breach and what to do if there is a security breach. While getting a cybersecurity insurance policy may still remain an option for many, having an IT security policy describing detailed procedures to protect against a cybersecurity attack (and what to do when the system is breached) is a must.</p>
<h2>Need for Cybersecurity Measures</h2>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">249</post-id>	</item>
		<item>
		<title>Personal Mobile Devices in the Workplace</title>
		<link>https://www.khflaw.com/news/personal-mobile-devices-workplace/</link>
		
		<dc:creator><![CDATA[Jacklyn Fetbroyt]]></dc:creator>
		<pubDate>Tue, 30 Jul 2013 19:12:59 +0000</pubDate>
				<category><![CDATA[Miscellaneous]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Technology]]></category>
		<guid isPermaLink="false">http://webesco.net/lawkhf/?p=2787</guid>

					<description><![CDATA[by Jacklyn Fetbroyt Companies seeking to improve efficiency and employee interaction for work purposes have slowly begun to implement policies allowing employees to use laptops, tablets, and mobile devices in the work place.  One issue that arises with BYOD policies is with regard to the employee’s compensation.  First, who will pay for the actual device?  [&#8230;]]]></description>
										<content:encoded><![CDATA[<h3 style="text-align: left;">by Jacklyn Fetbroyt</h3>
<h2 style="text-align: left;" align="center"><b>Introduction</b></h2>
<p style="text-align: justify;">The workplace has witnessed many changes and a shifting landscape in the last decade.  Ten years ago, the idea of introducing Wi-Fi technologically rocked businesses nationwide and yet, today, you are disappointed if your local café does not offer free and fast Wi-Fi.  In 2013, technology is evolving faster than businesses can keep up, and one rapidly developing phenomenon is the introduction of personal mobile devices—smartphones, tablets, and the like—into the workplace.</p>
<p style="text-align: justify;">Companies seeking to improve efficiency and employee interaction for work purposes have slowly begun to implement policies allowing employees to use laptops, tablets, and mobile devices in the workplace. The ability to use mobile devices for instant access to work files, to communicate with coworkers and clients from anywhere, and to encourage prompt responses to work requests and emails are all incentives for companies to embrace mobile devices in business.</p>
<p style="text-align: justify;">The intriguing but sometimes troubling issue, however, arises in the many cases where employees have been permitted to use personal devices for these purposes, a policy cleverly coined “BYOD” or “Bring Your Own Device.” Business owners across the country are voicing concerns about such policies; specifically, how to properly and efficiently implement them.</p>
<h2 style="text-align: left;"><b>Employee Payment</b></h2>
<p style="text-align: justify;">One issue that arises with BYOD policies is with regard to the employee’s compensation. First, who will pay for the actual device? The monthly service fee? If the employer will pay, in whole or in part, for the device, how will payments be made (or allocated, where necessary)? Moreover, what about the time the employee spends working from his or her mobile device? The Fair Labor Standards Act maintains rigorous policies for the payment of all hourly paid workers and thus, any work done under such standards would necessitate strict timekeeping. In the case of an hourly employee, employers must ensure that employees log their time with accuracy and review their device logs before submission each pay period. For the stated reason, many experts beginning to familiarize themselves with BYOD policy suggest that employers limit mobile devices for work solely to salary-paid employees to whom the Fair Labor Standards Act (or similar laws) does not apply. Otherwise, employers must put in place policies that provide for strict and accurate monitoring and regulation of all activity and logging by employees who bring a device to work.</p>
<h2 style="text-align: left;"><b>Cyber Security</b></h2>
<p style="text-align: justify;">One worldwide issue under increasing scrutiny also applies here, in the realm of cyber security. (See the previous blog posting about Wyndham Worldwide regarding cyber security and its intricate workings in business.) Obviously, the possibility for employees to use their own devices for work-related activity raises a plethora of concerns over both private and professional security. Can an employer limit an employee’s use of his own device? What company access permissions are granted to a BYOD employee? How can the employer ensure its private or confidential information remains that way while allowing a bring your own device policy? Vast measures must be taken in order to educate employees on how to safeguard the potentially valuable information on a device being brought back and forth between home and work. Needless to say, password protection, firewall protection, and consistently updated antivirus software are minimal security requirements, and an IT expert should be enlisted when BYOD is being implemented and used. Employers should also be aware of, and speak with legal experts regarding, their own local or state laws that could protect employees’ privacy in different scenarios. One such instance is in the matter of a lost or stolen device, as a company may not have control over the data on the device without the employee’s written consent. This is an issue that an employer would benefit from having set in writing before the policy goes into effect.</p>
<h2 style="text-align: left;"><b>Conclusion</b></h2>
<p style="text-align: justify;">These are highlights of just a few issues that require any business considering a BYOD program to first speak with a legal expert. At Kang Haggerty LLC, we can walk business owners through the questions, concerns, and pitfalls that accompany implementing any new employee policy, including BYOD. We are able to assist business owners and management in drafting sound policies that allow companies to utilize and benefit from BYOD, while also protecting themselves. The lawyers at Kang Haggerty LLC are sensitive to the unique needs of each of the firm’s clients, and for that reason, can provide insightful and efficient solutions.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">2787</post-id>	</item>
		<item>
		<title>Wyndham Challenges Cyber Security Reach of Federal Trade Commission</title>
		<link>https://www.khflaw.com/news/wyndham-challenges-cyber-security-reach-federal-trade-commission/</link>
		
		<dc:creator><![CDATA[Jacklyn Fetbroyt]]></dc:creator>
		<pubDate>Tue, 09 Jul 2013 20:03:12 +0000</pubDate>
				<category><![CDATA[Miscellaneous]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Technology]]></category>
		<guid isPermaLink="false">http://webesco.net/lawkhf/?p=2977</guid>

					<description><![CDATA[A large part of society’s current foundation in the 21st century is unquestionably built upon the storage of billions of pieces of data that can be found and transferred in mere seconds.  With this great power comes the burden of developing and implementing tight forms of cyber security to hinder the effort of a new [&#8230;]]]></description>
										<content:encoded><![CDATA[
<div style="text-align: left;" align="center"><b><span style="text-decoration: underline;">Wyndham Challenges Cyber Security Reach of Federal Trade Commission</span></b></div>
<div>By:  Jacklyn Fetbroyt</div>
<p>A large part of society’s current foundation in the 21<sup>st</sup> century is unquestionably built upon the storage of billions of pieces of data that can be found and transferred in mere seconds. With this great power comes the burden of developing and implementing tight forms of cyber security to hinder the effort of a new generation of criminals whose aim is to exploit cyber security to obtain precious stored data such as consumer financial information. This very process was put on display in one specific instance as Parsippany, New Jersey-based hotel company Wyndham Worldwide saw itself hit with three separate hacking attacks over the last three years. The end result was over $10.6 million in fraudulent charges from the theft of hundreds of thousands of customers’ payment information.</p>
<p>In a case pending in the U.S. District Court for the District of New Jersey, Newark Vicinage (docket no. 2:13-cv-01887-ES-SCM),[1] the Federal Trade Commission responded by filing suit against Wyndham Worldwide for “engaging in unfair and deceptive practices” by telling its customers that it used “standard industry practices” to protect their private information, when its maintenance of cyber security measures, according to the FTC, fell below par. Wyndham, in its Motion to Dismiss, challenged the FTC’s authority, claiming that the FTC exceeded its enforcement powers in the realm of cyber security.</p>
<p>Specifically, Wyndham claims that the government has not set formal expectations for cyber security and thus, it is impossible to have not adhered to such standards.  The FTC counters that Wyndham’s failure to take reasonable measures to encrypt the data they had on file and establish appropriate firewalls squarely indicates Wyndham’s violations.</p>
<p>The Court’s decision could impact the future of security of private companies—i.e., if the Court agrees that the FTC maintains discretion in determining what is considered adequate cyber security, companies would be forced to review—and potentially overhaul—their cyber protection measures.  On the other hand, a decision finding that the FTC exceeded its authority may cause lackadaisical measures to persist, at least until appropriate legislation regulates the industry.</p>
<p>The United States Chamber of Commerce recently filed an amicus brief in support of Wyndham, while a consumer group, Public Citizen, sided with the FTC.  With cyber security at the forefront in the private sector (and a buzzword in the Obama Administration), cases such as these could determine the future of American companies’ cyber security measures.</p>
<hr align="left" size="1" width="33%" />
<p>[1] The case was originally filed in the U.S. District Court for the District of Arizona but, upon a Motion to Transfer Venue by Wyndham, was transferred to New Jersey, and is now pending before the Honorable Esther Salas.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">2977</post-id>	</item>
	</channel>
</rss>
