Cybersecurity threats are on the rise. Companies that find themselves hit with data breaches face a number of challenges, including in particular the challenge of responding to strict breach disclosure and notification requirements. In the following guest post, Paul A. Ferrillo, a shareholder in the Greenberg Traurig law firm’s Cybersecurity, Privacy, and Crisis Management Practice, takes a look at the steps the companies can take before they are breached to be better positioned to respond to the notification requirements in the event of a breach. I would like to thank Paul for allowing me to publish his article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
Continue Reading Guest Post: Beat the Clock: 5 Important Steps to Deal with Today’s Complicated Cyber Breach Disclosure World

John Reed Stark

As cybersecurity has become an increasingly important consideration for all corporate operations, one of the most pernicious problems has been the rise of so-called “ransomware” attacks – that is, systems breaches in which hackers take control of corporate networks and demand ransom payments as a condition of unlocking the systems. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a look at the ransomware phenomenon, how companies are responding, and why. A version of this article previously was published on Securities Docket. I would like to thank John for allowing me to publish his article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: Ransomeware’s Dirty Little Secret: Most Corporate Victims Pay

In recent years, plaintiffs’ lawyers have filed a number of management liability lawsuits against the executives of companies that have experienced high-profile data breaches. These lawsuits have either been filed as shareholder derivative lawsuits or securities class action lawsuits. By and large, the cases filed as shareholder derivative lawsuits have been unsuccessful. However, in a development that represents a milestone in several different respects, the parties to the Yahoo data breach-related derivative lawsuit have agreed to settle the case for $29 million. As discussed below, this settlement may have important implications for future data breach-related derivative litigation. The Court’s January 4, 2019 order approving the settlement can be found here (see calendar Line 5 in the order).
Continue Reading Yahoo Data Breach-Related Derivative Suit Settled for $29 Million

John Reed Stark

Lost amidst all of the turmoil surrounding the dramatic swings in the value of digital currencies is that the original idea for these digital assets is that  they might actually be used as exchange media, in place of traditional currencies. Whether or not someone might use cryptocurrency to, say, buy a cup of coffee at Starbuck’s, Ohio residents, at least, may now use bitcoin to pay their state taxes. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a look at Ohio’s recent bitcoin move and reviews what it might mean – for Ohio, and in general. A version of this article previously was published on CybersecurityDocket.com. I would like to thank John for allowing me to publish his guest article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: Ohio Now Accepts Bitcoin for Tax Payments; No Problem, Right?

When the European Union’s updated General Data Protection Regulation (GDPR) went into effect on May 25, 2018, media reports focused on the potentially massive fines that the regulation authorizes – the regulation authorizes fines of up to €20 million or 4 percent of a company’s annual worldwide revenue, whichever is higher, for noncompliance with the regulation’s strict data collection and use requirements. The possibility of regulatory fines of this magnitude immediately raised the question of whether or not insurance is available to protect companies against the huge financial exposure. The answer to this question, it turns out, is complicated.
Continue Reading Are GDPR Fines and Penalties Insurable?

In February 2018, the SEC updated its cybersecurity disclosure guidelines for reporting companies, emphasizing the importance to investors and markets for prompt and robust disclosure relating to cyber issues. Indeed, in April, the agency brought its first enforcement action relating to cybersecurity enforcement issues. In its recent annual report, the agency’s enforcement division emphasized that cybersecurity disclosure is a priority issue. Clearly, public company’s cybersecurity-related disclosure practices are receiving a great deal of attention and scrutiny.

But what are public companies actually doing in terms of cybersecurity disclosures? A recent study by EY took a look at the actual cybersecurity disclosure practices. Their analysis shows that cybersecurity-related disclosure practices “vary widely,” suggesting there is an “opportunity for enhancement.” The October 22, 2018 report, entitled “Cybersecurity Disclosure Benchmarking,” can be found here.
Continue Reading Cybersecurity Disclosure Practices and Standards

The threat of cyberscams in the form of what has been called “social engineering fraud” or “payment instruction fraud” has become pervasive. In these swindles, imposters posing as senior corporate executives or company vendors direct company personnel to transfer funds to accounts that the imposters control. Losses from these frauds can be substantial, and, as I have noted on prior posts on this site, the insurance coverage questions these losses present can be challenging. Earlier this week, the SEC released an investigative report taking a look at what the agency called “business email compromises” at nine different public companies. The report underscores the need for companies to take cyber threats into account when implementing internal accounting controls. The report has some interesting insurance underwriting implications as well. The SEC’s October 16, 2018 press release about the report can be found here.
Continue Reading SEC Warns of Need for Internal Controls to Prevent Cyberscams

One of the most-watched corporate and securities litigation trends in recent years has been the incidence of D&O claims after companies experience data breaches. Although there have been a number of high profile claims along the way, the volume of data breach-related D&O claims has never quite lived up to the hype. Just the same, these kinds of claims have continued to be filed. The most recent case is a securities class action lawsuit that has now been filed against educational services company Chegg, Inc., after its recent announcement of a data breach involving customer data. The Chegg lawsuit, filed on September 27, 2018 in the Northern District of California, can be found here.
Continue Reading Educational Services Company Hit With Data Breach-Related Securities Suit

 For any organization experiencing a data breach, the organization’s response to the incident remains one of the most important and yet one of the most challenging next steps. In the following guest post, Paul Ferrillo, a partner in the New York office of the Greenberg Traurig law firm, examines the ways that an organization can respond well to a cyber incident. I would like to thank Paul for his willingness to allow me to publish his article as a guest post on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
Continue Reading Guest Post: The Speed of Breaches and Other Bad News in Cybersecurity Incident Response

In the second policyholder-favorable federal appellate court decision on the issue in a matter of days, the Sixth Circuit has held that the Computer Fraud provisions of a commercial crime policy cover a company’s losses from an email payment instruction fraud scheme. Just last week, the Second Circuit ruled in the Medidata case that Computer Fraud coverage applied to losses incurred in a similar email scam. However, the Sixth Circuit’s decision may be even more helpful for policyholders as, unlike the Second Circuit’s decision, the policyholder-favorable ruling is not as dependent on very specific factual determinations about the way the fraudster manipulated the harmed company’s email program. The Sixth Circuit’s July 13, 2018 decision in the American Tooling Center (ATC) opinion can be found here.
Continue Reading 6th Circ.: Crime Policy’s Computer Fraud Section Covers Email Scheme Losses