The coronavirus pandemic poses a host of threats and challenges for every organization. The outbreak also presents a number of serious challenges for boards of directors as well. In the following guest post, Paul Ferrillo, a partner in the McDermott, Will & Emery law firm, considers the challenges that boards are facing and the litigation threats that may arise as a result. I would like to thank Paul for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
We are writing this article from home this week, principally because NYC is essentially “closed.” No NCAA events. No Madison Square Garden events. Schools are closed and probably for a long time. Museums closed. Stores closing or laying off employees. People getting sick left and right, and dying with far too great a frequency. Our world right now is badly out of alignment.
We have been through this sort of chaos before, and unfortunately “the bad guys” seem to also view the chaos as an opportunity to prey on the innocent. In the last week there have been several significant developments affecting corporations and their directors and officers. Lots of litigation and a bunch of cyber-attacks, both in the private sector and the US government. The old expression “and the hits keep on playing” is truly reflective of things today.
Of course none of us were ready for a pandemic or its potential impact, including litigation effects. Cyber attackers are always a problem, but faking and infecting the Johns Hopkins COVID-19 chart with malware? Totally not cool as people are panicking and looking for updated information constantly on the progression of the virus. See Live Coronavirus Map Used to Spread Malware.
This article is meant to be the primer for directors and officers. What are we seeing? What’s next? And what maybe you can do to help yourself and your company stem the potential tide of litigation. Lastly, we finish with some insurance advice.
COVID-19 affects everything. Every business. Every airline. Everybody. The problem for public companies is disclosures, both press releases and periodic filings. Statements are made. Guidance gets published. And then bad things happen.
At least 150 companies have warned investors that earnings will not be good; many have publicly withdrawn guidance. Indeed, two major companies pulled their guidance stating that “the coronavirus pandemic disrupts global trade patterns and economic activity.” For reference, read this article and this article.
Those companies that have attempted to minimize the potential effects of COVID-19 have suffered. One cruise line was recently sued for securities fraud. In the press release, the company said that “despite the current known impact” from the coronavirus outbreak, as of the week ending February 14, 2020, “the Company’s booked position remained ahead of prior year and at higher prices on a comparable basis.” The press release also stated that the company “has an exemplary track record of demonstrating its resilience in challenging environments” and that the company has “proactively implemented several preventive measures to reduce potential exposure and transmission of COVID-19.” Obviously, as COVID-19 spread across the US, and because of other cruise line “failures,” plaintiffs claim the statements made by the company were false and misleading. Potentially damaging emails from customer service agents will help plaintiffs’ scienter allegations.
We expect more of these lawsuits where companies appear to remain confident about their general prospects or the sufficiency of their supply chain, see CEOs: Do Not Misstate Your Coronavirus Supply Chain Difficulties, in the face of dismal news about the economy and the global impacts of COVID-19. Another company was recently sued for promising an actual vaccine. As it turned out, the Company later disclosed that it had only developed a “precursor” to a vaccine. That disclosure caused a huge stock drop and a securities fraud lawsuit to be filed against a firm that promised coronavirus vaccine.
The SEC is in the mix here too monitoring the effects of the virus on business, and providing guidance to issuers on disclosure issues. Chair Jay Clayton recently noted in a public statement:
We recognize that such effects [of COVID-19] may be difficult to assess or predict with meaningful precision both generally and as an industry- or issuer-specific basis. This is an uncertain issue where actual effects will depend on many factors beyond the control and knowledge of issuers. However, how issuers plan for that uncertainty and how they choose to respond to events as they unfold can nevertheless be material to an investment decision.
As COVID 19 and its effects march across the US, there will certainly be more securities disclosure developments for businesses to consider.
Our best advice: if you know you are going to be adversely affected by the economic impacts of COVID-19, say so as soon as you know the facts just like the other 150 companies have already reported the business effects of the virus on their company. Otherwise, plaintiffs may attempt to exploit stock drops related to COVID-19 similar to other forms of event driven litigation (see Avoiding Event Driven Litigation through Good Cybersecurity Governance) by framing them as the materialization of a known but previously undisclosed risk that the company was under a duty to warn about. Even if plaintiffs cannot argue that a company failed to predict the impact of COVID-19 in actuality, they could also argue that a company’s past disclosures failed to adequately warn of the risks from other virus or epidemic like events.
More corporate litigation
With any sort of propagated illness or virus, you can expect there will be some sort of personal injury litigation, especially with a pretty standard three-year statute of limitations. Of course, COVID-19 does not disappoint. Several passengers of the Golden Princess have brought suit against the parent company alleging that the company dropped its duties overboard by allowing a sick passenger to board the ship, which later resulted in other passengers getting sick, with the rest being forced to quarantine. Other corporate litigation around alleged failures to keep workers and employee safe are also expected. Of course, we have yet to see how business insurance policies will respond to these sorts of pandemic-related claims and lawsuits. If your business hasn’t already been affected adversely by COVID-19, it would be a good time to check your insurance coverage.
Cybercriminals are taking advantage of COVID-19
Already we have seen attempted breaches (not yet fully defined as of now) on the US Government’s Department of Health and Human Services potentially seeking healthcare and infection rate information. Though apparently nothing was stolen, it is a good lesson that healthcare PHI or PII remains a high value target for both nation-states and cyber criminals. It is also a prime asset for attackers to try to lock up the data in a ransomware attack. See Suspicious cyber activity targeting HHS tied to coronavirus response, sources say.
Aside from the government attack, there have been several other campaigns launched to attempt to steal both corporate and personal information using the virus as a “hook”:
- Attackers have “adopted” the Johns Hopkins COVID-19 infection rate map and laced it with suspicious malware, waiting for an anxious person looking for information to click on the map. Read more here.
- Multiple instances where ransomware attacks were generated by fake statements regarding the spread of coronavirus in other countries. One recent report noted, “One of the most recent coronavirus hoaxes to come to light is an Android app available at coronavirusapp[.]site. It claims to provide access to a map that provides real-time virus-tracking and information, including heat map visuals and statistics. In fact, a researcher from Domain Tools said, the app is laced with ransomware.” Read the article here. There has even been one ransomware attack against a Czech Republic hospital treating COVID-19 infected patients, readt the article here.
- Multiple COVID-19 phishing scams are out there seeking to steal your information. Some of the more severe (and tricky):
- Sites that are seeking charitable donations for COVID-19 patients
- Sites that are imitating the World Health Organization, or other ministries of health around the globe offering updates on the virus (these are likely nation-state instigated)
- Emails allegedly coming from colleges and universities offering students information on how the virus is affecting classes and student housing
Here is what you can do to potentially avoid these cyber scams
The US Department of Homeland Security’s Cyber and Infrastructure Security Agency (CISA), confirms that malicious actors are using COVID-19 as a pretext to send emails with attachments or links to fraudulent websites to trick victims into downloading malware, revealing sensitive information or donating to fraudulent charities or causes.
Companies should consider sending a security reminder or bulletin to personnel to remain vigilant against potential cyber-attacks and scams by:
- Not clicking on links or opening attachments contained in unsolicited emails
- Using trusted sources, such as hospitals and government websites, to obtain up-to-date, fact-based information about COVID-19
- Not providing personal or financial information when responding to online solicitations
- Consider whether or not a managed service provider might help you in this time of dwindling employee resources. If your IT employees get sick, who will be watching the network? An MSP would provide a great back up to any organization’s cybersecurity incident response plan.
Employees, like others, may be susceptible to targeted phishing, fraud and other cybercriminal actions based on their interest or concern about COVID-19. While messaging used to entice individuals to click malicious links may be COVID-19 related, methods to execute these attacks will remain largely the same. Companies may effectively use this attention to COVID-19 for security awareness by alerting employees, contractors or others to these risks.
To drive the point home, companies may consider conducting a phishing simulation with a faux phishing email related to COVID-19. Companies could use the results of the phishing simulation to provide supplemental training to those employees who fell victim to the simulated phish.
To minimize the success rate of potential attacks of this sort, companies should consider providing consistent updates about COVID-19 and creating an internal resource center that employees and others can use to receive current and accurate information.These may include a trusted email address, known trusted subject line or known trusted websites (CDC, CISA or otherwise) that can be checked for up-to-date COVID-19 information.
For more information on how to avoid these sorts of attacks see Privacy, HIPAA, Security and GDPR – COVID 19 considerations. See also our recent webinar on key cybersecurity and privacy considerations related to COVID-19.
A Brave New (and Remote) World
Each of the above scams is potentially exacerbated by the nature of today’s March 2020 workforce. Being home can be great. But it’s also different and in some sense busier, with kids out of school. Dogs incessantly barking at Amazon and Fed Ex trucks don’t help either. The same security adages always hold true regardless.
Rule 1: Don’t click on the link or attached document
Rule 2: Update and patch your computers to the latest update
Rule 3: #backitup daily if you can
Rule 4: See rule 1.
What COVID-19 is teaching us is that good health hygiene (like washing your hands frequently) works very well. So does good cyber hygiene.
Stay safe and healthy!