Cyber Liability

Subscribe to Cyber Liability via RSS

homedepotIn early 2014, when plaintiffs initiated data breach-related derivative lawsuits against the boards of Target Corp. (here) and Wyndham Worldwide (here), there was some speculation that these cases might be the first of what could become a wave of data-breach related D&O lawsuits. But then the Wyndham Worldwide case was dismissed (refer here) and no new data breach-related D&O lawsuits followed, even though there were several high profile data breaches after that time (including Sony Entertainment, Anthem and Home Depot). Although many predicted that more D&O lawsuits were to come, the suits themselves did not materialize. There were, however, some suggestions that a lawsuit against Home Depot might eventually arrive, as a plaintiff initiated a books and records action in Delaware Chancery Court against the company.

The wondering and waiting about whether or not there will be a Home Depot data breach-related D&O lawsuit is now over. A Home Depot data breach-related shareholder’s derivative lawsuit has been filed in the Northern District of Georgia. On September 2, 2015, a plaintiff shareholder filed a redacted complaint in a lawsuit against Home Depot, as nominal defendant, and twelve Home Depot directors and officers, alleging that the defendants breached “their fiduciary duties of loyalty, good faith, and due care by knowingly and in conscious disregard of their duties failing to ensure that Home Depot took reasonable measures to protect its customers’ personal and financial information.” The redacted version of the plaintiff’s complaint can be found here. (Please see below for further explanation about the timing of the filing of the plaintiff’s lawsuit and the redactions to the complaint.)
Continue Reading Data Breach-Related Derivative Lawsuit Filed against Home Depot Directors and Officers

micah skidmore
Micah Skidmore

As I discussed in a recent post, on July 20, 2015, the Seventh Circuit issued its opinion in the Neiman Marcus consumer data breach class action lawsuit. In its opinion (a copy of which can be found here), the appellate court ruled that the district court erred in concluding that the plaintiffs’ fear of future harm from the breach was insufficient to establish standing to pursue their claims. The court held that the impending injuries alleged were sufficient to support Article III standing.

 

In the following guest post, Micah Skidmore of the Haynes and Boone law firm takes a closer look at the decision and discusses some important insurance coverage issues that the court’s ruling about future injuries may present.

 

I would like to thank Micah for his willingness to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Micah’s guest post.

**********************************

The recent Neiman Marcus decision from the Seventh Circuit has lowered the bar for plaintiffs suing in the wake of a data breach.  In addition to actual injury, future “impending” injuries substantiated by an “objective,” “substantial risk of harm” and actual costs incurred to prevent or mitigate “imminent” harm are sufficient to support Article III standing.  While the Neiman Marcus decision may provide some clarity regarding standards of pleading and liability (at least for plaintiffs), for those defendants reliant on network security/privacy liability insurance to protect against data breach claims, the opinion prompts an urgent question: does my policy cover liability for future injuries and preventive measures?
Continue Reading Guest Post: Coverage for Future Injuries: Is Your Cyber Policy Up To The Neiman Marcus Challenge?

cyberspaceMany observers, including even this blog, have speculated whether the rising wave of data breaches and cyber security attacks will result in litigation against the directors and officers of the affected companies. Indeed, in 2014, there were two sets of lawsuits filed against the boards of companies that had experienced high-profile data breaches, Target Corp. (refer here) and Wyndham Worldwide (refer here). But the Wyndham lawsuit was dismissed in late 2014, and since that time there really have been no additional significant cyber security related D&O lawsuits filed, even though there have been a number of high profile data breaches in interim (including, for example, Home Depot, Anthem and Sony Entertainment). However, as discussed below, there have been  a couple of recent developments suggesting that the plaintiffs’ lawyers are working along the edges of this issue, and, at a minimum, looking for ways to develop D&O claims out of data breach incidents.
Continue Reading When Data Hacks Lead to D&O Lawsuits, Actual and Threatened

third circuit blueOn August 24, 2015, in a ruling that was much-anticipated because of its potential implications for the regulatory liability exposures of companies that have been hit with data breaches, the Third Circuit affirmed the authority of the Federal Trade Commission to pursue an enforcement action against Wyndham Worldwide Corp. and related entities alleging that the company and its affiliates had failed to make reasonable efforts to protect consumers’ private information. This ruling confirms that, in addition to the disruption and reputational harm that may follow in the wake of a successful cybersecurity, companies may also face a regulatory action from the FTC as well, as discussed further below. The Third Circuit’s opinion can be found here. The August 24, 2015 statement of the FTC’s Chair about the Third Circuit’s opinion can be found here.
Continue Reading Third Circuit: FTC May Pursue Data Breach Enforcement Action against Wyndham Worldwide

Stark Photo
John Reed Stark
Fontaine
David Fontaine

It is well understood by now that cyber security is a concern for every organization and that it is an issue on which every company’s board should be focused. But what specifically should boards of directors be worried about and what questions should they be asking? In the following guest post, John Reed Stark and David R. Fontaine take a look at the ten cybersecurity concerns on which every board of directors should be focused. John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm.  David Fontaine is Executive Vice President, Chief Legal & Administrative Officer and Corporate Secretary of Altegrity, a privately held company that among other entities, owns Kroll’s data breach response services. The authors’ complete biographies appear at the end of the post. This article was previously published on CybersecurityDocket.com, an online global cybersecurity and incident response report, and a division of Docket Media.

I would like to thank the authors’ for their willingness to publish their article on this site. I welcome guest posts from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. The authors’ guest post follows.

*************************************

Every board now knows its company will fall victim to a cyber-attack, and even worse, that the board will need to clean up the mess and superintend the fallout.

Yet cyber-attacks can be extraordinarily complicated and, once identified, demand a host of costly responses. These include digital forensic preservation and investigation, notification of a broad range of third parties and other constituencies,[1] fulfillment of state and federal compliance obligations, potential litigation, engagement with law enforcement, the provision of credit monitoring, crisis management, a communications plan – and the list goes on.

And besides the more predictable workflow, a company is exposed to other even more intangible costs as well, including temporary or even permanent reputational and brand damage;[2] loss of productivity; extended management drag; and a negative impact on employee morale and overall business performance.

So what is the role of a board of directors amid all of this complex and bet-the-company workflow? Corporate directors clearly have a fiduciary duty to understand and oversee cybersecurity, but there is no need for board members (many of whom have limited IT experience) to panic.

Below we compile a list of ten cybersecurity considerations that provide a solid bedrock  of inquiry for corporate directors who want to take their cybersecurity oversight and supervision responsibilities seriously.[3]  This “cybersecurity top ten list” provides the requisite strategical framework for boards of directors to engage in an intelligent, thoughtful and appropriate supervision of a company’s cybersecurity risks.
Continue Reading Guest Post: Ten Cybersecurity Concerns for Every Board of Directors

bob-bregmanThe exclusions are an important part of any liability insurance policy, but this is particularly true of cyber liability insurance polices. In the following guest post, Robert Bregman, CPCU, MLIS, RPLU, Senior Research Analyst, International Risk Management Institute, Inc., takes a look at the ten of the most common exclusions found in cyber liability and privacy insurance policies. This guest post is an excerpt taken from a longer article entitled “Cyber and Privacy Insurance Coverage” that appeared in the July 2015 edition of The Risk Report, and is copyrighted by IRMI. Learn more about The Risk Report here.

 

I would like to thank Bob for his willingness to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. Please contact me directly if you would like to submit a guest post. Here is Bob’s article.

 

******************************************************

As is the case with virtually every type of management liability insurance, the true extent of coverage that any given policy provides is a function of its exclusionary language. Accordingly, this article will analyze both the differences and similarities between 10 of the most common exclusions found within cyber and privacy policies. Its goal is to assist the reader in negotiating exclusionary wording that maximizes the scope of coverage a policy will provide in the event of a claim.
Continue Reading Guest Post: Cyber & Privacy Policy Exclusions: Analyzing Differences, Negotiating Modifications

Anderson_Roberta (1)Cyber liability insurance is a relatively new product and case law interpreting the policies is only now just developing. However, even at this relatively early stage, there have been some important coverage decisions, and more are coming, as more coverage disputes arise. In the following guest post, Roberta Anderson takes a look at the steps companies can take to decrease the likelihood of a coverage denial and of litigation. Roberta is an Insurance Coverage partner in the Pittsburgh office of K&L Gates LLP and co-founder of the firm’s global Cybersecurity, Privacy and Data Protection practice group. A version of this article previously appeared on Law 360.

 

I would like to thank Roberta for her willingness to publish her article on my site. I welcome guest posts from responsible authors on topics of interest to readers of this blog. Please contact me directly if you would like to publish a guest post. Here is Roberta’s article.

*********************************************

Many insurance coverage disputes can be, should be, and are settled without the need for litigation and its attendant costs and distractions.  However, some disputes cannot be settled, and organizations are compelled to resort to courts or other tribunals in order to obtain the coverage they paid for, or, with increasing frequency, they are pulled into proceedings by insurers seeking to preemptively avoid coverage.  As illustrated by CNA’s recently filed coverage action against its insured in Columbia Casualty Company v. Cottage Health System,[i] in which CNA[ii] seeks to avoid coverage for a data breach class action lawsuit and related regulatory investigation,[iii] cyber insurance coverage litigation is coming.  And in the wake of a data breach or other privacy, cybersecurity, or data protection-related incident, organizations regrettably should anticipate that their cyber insurer may deny coverage for a resulting claim against the policy.

Before a claim arises, organizations are encouraged to proactively negotiate and place the best possible coverage in order to decrease the likelihood of a coverage denial and litigation.  In contrast to many other types of commercial insurance policies, cyber insurance policies are extremely negotiable and the insurers’ off-the-shelf forms typically can be significantly negotiated and improved for no increase in premium.  A well-drafted policy will reduce the likelihood that an insurer will be able to successfully avoid or limit insurance coverage in the event of a claim.

Even where a solid insurance policy is in place, however, and there is a good claim for coverage under the policy language and applicable law, insurers can and do deny coverage.  In these and other instances, litigation presents the only method of obtaining or maximizing coverage for a claim.
Continue Reading Guest Post: Five Tips for Success in Cyber Insurance Litigation

neimanmarcusIn a ruling that could provide an important boost future consumer data breach class action litigation, the Seventh Circuit has reinstated the Neiman Marcus data breach lawsuit, ruling that the district court erred in concluding that the plaintiffs’ fear of future harm from the breach was insufficient to establish standing to pursue their claims. As Alison Frankel said about the appellate court’s ruling in her July 21, 2015 post on her On the Case blog entitled “The Seventh Circuit Just Made it A Lot Easier to Sue Over Data Breaches” (here), “this is a really consequential decision.” The Seventh Circuit’s July 20, 2015 opinion in the Neiman Marcus case can be found here.
Continue Reading O.K., This Is a Big Deal: 7th Cir. Reinstates Neiman Marcus Consumer Data Breach Class Action

homedepotAfter claimants filed shareholders’ data breach-related derivative suits against the boards of Target (here) and Wyndham Worldwide (here), a number of commentators (including me) asked whether we could see a wave of cybersecurity related D&O lawsuits. Interestingly, since these two lawsuits were filed more than a year ago, there have been

david danaAmong the many concerns that arise whenever unauthorized appropriation or use of consumer data occurs is the possible violation of the consumers’ privacy that the access may represent. In numerous cases, aggrieved parties have tried to assert claims for these alleged privacy violations, but by and large these attempts have not been successful. However, as