In recent years, plaintiffs’ lawyers have filed a number of management liability lawsuits against the executives of companies that have experienced high-profile data breaches. These lawsuits have either been filed as shareholder derivative lawsuits or securities class action lawsuits. By and large, the cases filed as shareholder derivative lawsuits have been unsuccessful. However, in a development that represents a milestone in several different respects, the parties to the Yahoo data breach-related derivative lawsuit have agreed to settle the case for $29 million. As discussed below, this settlement may have important implications for future data breach-related derivative litigation. The Court’s January 4, 2019 order approving the settlement can be found here (see calendar Line 5 in the order).
Continue Reading Yahoo Data Breach-Related Derivative Suit Settled for $29 Million
Guest Post: Ohio Now Accepts Bitcoin for Tax Payments; No Problem, Right?

Lost amidst all of the turmoil surrounding the dramatic swings in the value of digital currencies is that the original idea for these digital assets was that they might actually be used as exchange media, in place of traditional currencies. Whether or not someone might use cryptocurrency to, say, buy a cup of coffee at Starbucks, Ohio residents, at least, may now use bitcoin to pay their state taxes. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a look at Ohio’s recent bitcoin move and reviews what it might mean – for Ohio, and in general. A version of this article previously was published on CybersecurityDocket.com. I would like to thank John for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Are GDPR Fines and Penalties Insurable?

When the European Union’s updated General Data Protection Regulation (GDPR) went into effect on May 25, 2018, media reports focused on the potentially massive fines that the regulation authorizes – the regulation authorizes fines of up to €20 million or 4 percent of a company’s annual worldwide revenue, whichever is higher, for noncompliance with the regulation’s strict data collection and use requirements. The possibility of regulatory fines of this magnitude immediately raised the question of whether or not insurance is available to protect companies against the huge financial exposure. The answer to this question, it turns out, is complicated.
Cybersecurity Disclosure Practices and Standards
In February 2018, the SEC updated its cybersecurity disclosure guidelines for reporting companies, emphasizing the importance to investors and markets of prompt and robust disclosure relating to cyber issues. Indeed, in April, the agency brought its first enforcement action relating to cybersecurity disclosure issues. In its recent annual report, the agency’s enforcement division emphasized that cybersecurity disclosure is a priority issue. Clearly, public companies’ cybersecurity-related disclosure practices are receiving a great deal of attention and scrutiny.
But what are public companies actually doing in terms of cybersecurity disclosures? A recent study by EY took a look at the actual cybersecurity disclosure practices. Their analysis shows that cybersecurity-related disclosure practices “vary widely,” suggesting there is an “opportunity for enhancement.” The October 22, 2018 report, entitled “Cybersecurity Disclosure Benchmarking,” can be found here.
SEC Warns of Need for Internal Controls to Prevent Cyberscams
The threat of cyberscams in the form of what has been called “social engineering fraud” or “payment instruction fraud” has become pervasive. In these swindles, imposters posing as senior corporate executives or company vendors direct company personnel to transfer funds to accounts that the imposters control. Losses from these frauds can be substantial, and, as I have noted in prior posts on this site, the insurance coverage questions these losses present can be challenging. Earlier this week, the SEC released an investigative report taking a look at what the agency called “business email compromises” at nine different public companies. The report underscores the need for companies to take cyber threats into account when implementing internal accounting controls. The report has some interesting insurance underwriting implications as well. The SEC’s October 16, 2018 press release about the report can be found here.
Educational Services Company Hit With Data Breach-Related Securities Suit
One of the most-watched corporate and securities litigation trends in recent years has been the incidence of D&O claims after companies experience data breaches. Although there have been a number of high profile claims along the way, the volume of data breach-related D&O claims has never quite lived up to the hype. Just the same, these kinds of claims have continued to be filed. The most recent case is a securities class action lawsuit that has now been filed against educational services company Chegg, Inc., after its recent announcement of a data breach involving customer data. The Chegg lawsuit, filed on September 27, 2018 in the Northern District of California, can be found here.
Guest Post: The Speed of Breaches and Other Bad News in Cybersecurity Incident Response
For any organization experiencing a data breach, the organization’s response to the incident remains one of the most important and yet one of the most challenging next steps. In the following guest post, Paul Ferrillo, a partner in the New York office of the Greenberg Traurig law firm, examines the ways that an organization can respond well to a cyber incident. I would like to thank Paul for his willingness to allow me to publish his article as a guest post on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
6th Circ.: Crime Policy’s Computer Fraud Section Covers Email Scheme Losses
In the second policyholder-favorable federal appellate court decision on the issue in a matter of days, the Sixth Circuit has held that the Computer Fraud provisions of a commercial crime policy cover a company’s losses from an email payment instruction fraud scheme. Just last week, the Second Circuit ruled in the Medidata case that Computer Fraud coverage applied to losses incurred in a similar email scam. However, the Sixth Circuit’s decision may be even more helpful for policyholders as, unlike the Second Circuit’s decision, the policyholder-favorable ruling is not as dependent on very specific factual determinations about the way the fraudster manipulated the harmed company’s email program. The Sixth Circuit’s July 13, 2018 decision in the American Tooling Center (ATC) opinion can be found here.
Guest Post: Why the Crypto-Enforcement Onslaught by U.S. Regulators Has Just Begun

One of the most significant recent developments in the financial world has been the sudden proliferation of cryptocurrencies. The quick rise of digital currencies seemingly caught regulators by surprise; regulatory action and involvement were slow to develop. But as John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, documents in the following guest post, U.S. regulators have heard the bell and are now rising to action, and for good reason. A version of this article previously appeared on Cybersecurity Docket. I would like to thank John for his willingness to allow me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit an article. Here is John’s guest post.
Ninth Circuit: No Crime Policy Coverage for Social Engineering Fraud Losses
Along with all of the other risks arising from companies’ increasing dependence on electronic communications and data storage technology has come not only the risk of a data breach caused by a hacker, but also the risk of a company’s transfer of funds by one of its employees who has been duped into believing the transfer was legitimate and authorized. These kinds of losses, which have been called “payment instruction fraud” or “social engineering fraud,” raise a host of potential issues under traditional insurance policies, owing to the voluntary nature of the funds transfer made by a person authorized to access the company’s computer system. A recent decision by the Ninth Circuit illustrates the kinds of coverage problems that can arise from these circumstances. The Ninth Circuit’s unpublished April 17, 2018 opinion in Aqua Star (USA) Corp. v. Travelers Casualty & Surety Company of America can be found here. The Wiley Rein law firm’s April 19, 2018 post about the Ninth Circuit decision can be found here.