US Cybersecurity Enforcement Actions and Penalties
Federal and state agencies pursue cybersecurity enforcement actions against organizations that fail to meet statutory security requirements, violate data protection mandates, or cause reportable harm through inadequate controls. Penalties range from civil monetary fines to criminal prosecution, consent decrees, and mandatory remediation programs. The structure of enforcement varies by sector, regulator, and the nature of the underlying violation — making classification of the applicable authority a necessary first step before any compliance posture can be assessed. The Cyber Compliance Standards Overview provides the foundational framework context within which these enforcement mechanisms operate.
Definition and scope
Cybersecurity enforcement actions are formal regulatory, civil, or criminal proceedings initiated by a government authority against an entity that has violated an enforceable cybersecurity or data protection obligation. The scope of such actions in the United States spans federal agencies with sector-specific jurisdiction, state attorneys general operating under consumer protection and breach notification statutes, and the Department of Justice prosecuting criminal violations under statutes including the Computer Fraud and Abuse Act (18 U.S.C. § 1030).
Enforcement is not uniform across sectors. The Federal Trade Commission (FTC) exercises general authority over unfair or deceptive practices, including deceptive security representations, under Section 5 of the FTC Act (15 U.S.C. § 45). The Department of Health and Human Services Office for Civil Rights (HHS OCR) enforces the Health Insurance Portability and Accountability Act (HIPAA) Security Rule against covered entities and business associates. The Securities and Exchange Commission (SEC) enforces cybersecurity disclosure requirements under rules adopted in 2023 (SEC Cybersecurity Disclosure Rules, 17 CFR Parts 229 and 249). The Federal Financial Institutions Examination Council (FFIEC) member agencies — including the OCC, FDIC, and Federal Reserve — supervise financial institutions under the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule.
At the state level, all 50 states maintain breach notification statutes, and enforcement authority typically rests with the state attorney general. California's Consumer Privacy Rights Act (CPRA), enforced by the California Privacy Protection Agency (CPPA), adds a private right of action for data breach claims involving unencrypted personal information (Cal. Civ. Code § 1798.150).
How it works
Cybersecurity enforcement proceedings typically follow a structured sequence, though the precise procedure varies by agency:
- Trigger event — A breach notification, complaint, audit finding, self-disclosure, or media report initiates regulatory attention. For HHS OCR, breach reports filed under 45 CFR § 164.408 for incidents affecting 500 or more individuals automatically trigger review.
- Investigation phase — The regulator issues document preservation demands, information requests, or civil investigative demands (CIDs). The FTC's CID authority under 15 U.S.C. § 57b-1 compels production of records and testimony.
- Findings and determination — The agency issues a preliminary finding of violation, often accompanied by a notice of proposed rulemaking, notice of apparent liability, or a complaint.
- Resolution — Cases resolve through consent orders, settlement agreements, corrective action plans, or adjudicated civil penalties. Criminal referrals proceed through the Department of Justice under applicable statutes.
- Monitoring and remediation — Consent decrees and corrective action plans typically require third-party assessments, implementation timelines, and periodic reporting — often spanning 10 or 20 years.
Penalty ceilings are set by statute and differ substantially across regimes. HIPAA civil penalties are tiered by culpability, with a maximum of $1.9 million per violation category per calendar year (HHS, HIPAA Enforcement Rule, 45 CFR Part 160). FTC penalties for violations of final orders reach $51,744 per violation per day (adjusted annually under the Federal Civil Penalties Inflation Adjustment Act). New York's SHIELD Act imposes civil penalties of up to $5,000 per violation (N.Y. Gen. Bus. Law § 899-bb).
Common scenarios
Four enforcement patterns account for the majority of resolved US cybersecurity actions:
Inadequate access controls leading to breach — Regulators including HHS OCR and the FTC have resolved enforcement actions where entities failed to implement multifactor authentication, least-privilege access policies, or encryption — resulting in unauthorized access. HHS OCR's 2023 settlement with Lafourche Medical Group over a phishing attack resulting in exposure of 34,862 patient records illustrates this pattern (HHS OCR Settlement, 2023).
Deceptive security representations — The FTC has pursued enforcement where organizations publicly claimed compliance with security frameworks while operating materially deficient programs. The 2012 FTC consent order against Wyndham Worldwide, upheld by the Third Circuit in FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015), established the FTC's authority to regulate cybersecurity under Section 5.
Failure to report breaches within statutory windows — State attorneys general have assessed penalties for delayed breach notification. Under California's breach law, notifications must occur "in the most expedient time possible and without unreasonable delay" (Cal. Civ. Code § 1798.82). The SEC's 2023 disclosure rules require disclosure of a cybersecurity incident once the company has determined that the incident is material.
Third-party vendor failures attributed to covered entities — HIPAA enforcement extends liability to covered entities for the acts of business associates when adequate business associate agreements were not in place or contractual security obligations were not monitored.
Decision boundaries
The threshold questions that determine whether and how enforcement is applied differ across regimes and distinguish one enforcement pathway from another.
Federal vs. state jurisdiction — Federal agency enforcement applies within sector boundaries. HHS OCR jurisdiction is limited to HIPAA covered entities and their business associates; it does not extend to employers outside healthcare. State attorneys general may assert jurisdiction over any entity that collects data on state residents, regardless of sector, under applicable breach notification statutes.
Civil vs. criminal — Civil enforcement addresses regulatory violations and seeks monetary penalties, injunctive relief, or corrective action. Criminal prosecution under 18 U.S.C. § 1030 (Computer Fraud and Abuse Act) requires proof of intent and applies to unauthorized access, fraud, and damage to protected computers. The DOJ Cybercrime Section handles criminal referrals; civil enforcement remains with sector regulators.
Negligence vs. willful neglect — HIPAA's four-tier penalty structure distinguishes violations where the covered entity was unaware and could not have known ($100–$50,000 per violation) from willful neglect that is not corrected ($10,000–$50,000 per violation, and up to $1.9 million per category annually). This tiering directly affects settlement posture and whether the agency pursues corrective action plans or monetary penalties alone (45 CFR § 160.404).
Materiality threshold under SEC rules — The SEC's 2023 cybersecurity disclosure rules require public companies to disclose incidents determined to be "material" — a standard assessed under existing securities law doctrine, not a fixed data-volume threshold. This creates a judgment-intensive boundary that separates reportable from non-reportable incidents and is distinct from the breach notification thresholds used by HHS OCR or state laws. Understanding where the limitations of any single cyber compliance framework apply is essential when navigating multi-regulator exposure.