For some time now, many commentators, including me, have been predicting that cybersecurity-related litigation could become an important part of the D&O litigation environment. And that may yet happen. For now, however, the results in the recent cybersecurity-related cases have been, from the plaintiffs’ perspective, not particularly promising. On July 7, 2016, in the latest of these cases to hit the skids, District of Minnesota Judge Paul Magnuson, in reliance on the report of the special litigation committee appointed to investigate the claims and in the absence of opposition from the plaintiff, granted the motions of the special litigation committee and of the defendants and dismissed the consolidated cybersecurity-related derivative litigation that had been filed against Target Corporation’s board. As discussed below, the plaintiffs’ track record in this type of litigation has been poor, which does raise the question whether this type of litigation will become a significant phenomenon. A copy of Judge Magnuson’s order in the Target Corp. case can be found here.
Continue Reading Target Corporation Cybersecurity-Related Derivative Litigation Dismissed

John Reed Stark

As I noted in a recent post, on June 8, 2016, the SEC, in what one commentator called “the most significant SEC cybersecurity-related action to date,” announced that Morgan Stanley Smith Barney LLC had agreed to pay a $1 million penalty to settle charges that as a result of its alleged failure to adopt written policies and procedures reasonably designed to protect customer data, some customer information was hacked and offered for sale online. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a look at the circumstances at the company that led to this enforcement action and reviews the important lessons that can be learned from what happened. A version of this article originally appeared on CybersecurityDocket. I would like to thank John for his willingness to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s guest post.
Continue Reading Guest Post: Key Takeaways From the SEC Morgan Stanley Cybersecurity Case

Until now, the primary federal agency regulating data security has been the Federal Trade Commission. Indeed, in August 2015, the Third Circuit in the Wyndham Worldwide case affirmed the FTC’s regulatory enforcement authority against companies failing to take appropriate action to protect consumer financial information. However, other federal regulatory agencies are now increasingly asserting their authority with respect to data security issues, including, in particular, the Consumer Financial Protection Bureau (CFPB), which recently brought its first data security enforcement action. These developments underscore the fact that companies face a growing regulatory exposure relating to cybersecurity issues. The specific recent developments also highlight the expectations regulators are asserting with respect to board responsibility for cybersecurity issues and establish that companies can face data security enforcement action even if the companies have not themselves experienced a data breach.
Continue Reading Federal Agencies Joining the Data Security Enforcement Action Bandwagon

Stephen O’Donnell

Cyber liability insurance is a relatively new product and many of the terms and conditions found in cyber-liability policies are as yet untested in the courts. In this guest post, Stephen O’Donnell of the Steptoe & Johnson law firm takes a look at two particular standard features of the cyber liability insurance policies, the retroactive date and policy inception date exclusions, and the potential for these exclusions to preclude coverage for the very kind of exposures that are the reasons most purchasers buy the insurance.

I would like to thank Stephen for his willingness to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Stephen’s guest post.

Continue Reading Guest Post: Cyber-Liability Insurance and the Retroactive Date Exclusion

David Bergenfeld

In the following guest post, David Bergenfeld, a Senior Associate in D’Amato & Lynch, LLP’s Fidelity Bond Practice Group, takes a look at key court decisions during the first quarter of 2016 analyzing cybercrime insurance.  I would like to thank David for his willingness to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is David’s guest post.
Continue Reading Guest Post: Fidelity Bonds and Cybercrime Insurance: 2016 First Quarter Update

John Reed Stark

There have been several very high profile news reports of significant law firm data breaches. It is not a mere coincidence that law firms increasingly are targeted in data breach attacks. Law firms have a trove of information that makes them highly attractive to cybercriminals. In the following guest post, John Reed Stark takes a look at the reasons for the rise in the number of cyber attacks as well as the steps that law firms can take to try to defend themselves and their clients. John is the President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. A version of this article originally appeared on CybersecurityDocket.com. I would like to thank John for his willingness to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: Law Firms and Cybersecurity: A Comprehensive Guide for Law Firm Executive Committees

In the following guest post, Paul Ferrillo of the Weil Gotshal law firm and Christophe Veltsos, CISSP, CISA, and CIPP, and an Associate Professor at Minnesota State University, Mankato, take a look at a recent NASDAQ survey of corporate officials in multiple countries on the topic of cybersecurity accountability. As Paul and Christophe detail, there is reason to be concerned about the apparent lack of cybersecurity literacy, awareness and risk assessments among corporate officials surveyed. The authors also take a look at the steps companies can take to address these concerns.

I would like to thank Paul and Christophe for their willingness to publish their guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul and Christophe’s guest post.
Continue Reading Guest Post: Grading Global Boards of Directors on Cybersecurity

There recently has been a “dramatic rise” in the incidence of business e-mail compromise (BEC) scams, according to an April 4, 2016 alert from the Federal Bureau of Investigation (here). In these schemes, which are also often referred to as “social engineering fraud” or “payment instruction fraud,” scammers using official-seeming email communications induce company employees to transfer company funds to the imposters’ account. According to the FBI, during the period October 2013 through February 2016, law enforcement agencies have received reports of this type of fraud involving 17,642 victims. Complaints involving these kinds of fraudulent schemes have arisen in every U.S. state and 79 different countries and amount to over $2.3 billion in losses. As discussed below, these types of schemes are not only a growing concern, but they are increasingly the source of insurance coverage disputes, as well.
Continue Reading The Growing Risk of Payment Instruction Fraud and Related Insurance Coverage Problems

In the following guest post, Paul A. Ferrillo and Christophe Veltsos take a look at the next-level concepts companies should adopt to improve their data breach detection and response time, perhaps allowing them to kick attackers off their networks before bad things happen. Paul Ferrillo is a member of the Cybersecurity, Data Privacy & Information Management practice at Weil, Gotshal & Manges LLP, and a featured speaker at the upcoming Incident Response Forum on March 31, 2016, in Washington, D.C. Christophe Veltsos, PhD, CISSP, CISA, CIPP, GCFA, regularly teaches Information Security and Information Warfare classes at Minnesota State University. I would like to thank Paul and Christophe for their willingness to publish their article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul and Christophe’s guest post.
Continue Reading Guest Post: Next-Level Cybersecurity Incident Response Trends 2016

David Bergenfeld
Laura Lang

This past year was a very eventful one in the world of fidelity bond, commercial crime, and cybercrime coverages. In the following guest post, David Bergenfeld of the D’Amato & Lynch law firm’s Fidelity Bond Practice Group, and Laura Lang, Esq., take a look at the important developments during 2015 regarding these coverages. I would like to thank David and Laura for their willingness to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is David and Laura’s guest post.
Continue Reading Guest Post: Fidelity Bonds and Cybercrime Policies: 2015 Year in Review