During the period 2014-2015, several companies – including Home Depot – that had experienced high-profile data breaches were hit with cybersecurity-related D&O lawsuits. All of these lawsuits, including the one against Home Depot, were dismissed. The plaintiffs in the Home Depot case filed an appeal of the dismissal. Now it appears that while the appeal was pending the parties to the Home Depot data breach-related derivative lawsuit have reached a settlement. The settlement could have interesting implications for the plaintiffs’ bar’s ongoing efforts to pursue data breach-related D&O litigation.
Continue Reading Home Depot Settles Data Breach-Related Derivative Lawsuit
Cyber Liability
Guest Post: Three Cybersecurity Lessons From Yahoo’s Legal Department Woes


The recent news that Yahoo’s general counsel had resigned following a probe of high-profile data breaches at the company has generated a great deal of discussion and concern. In the following guest post, David Fontaine and John Reed Stark take a look at the circumstances surrounding the resignation and consider the implications of and lessons from this development. David is the CEO of Kroll and its parent company, Corporate Risk Holdings, and John is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. A version of this article originally appeared on CybersecurityDocket. I would like to thank Dave and John for their willingness to publish their article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Dave and John’s guest post.
Guest Post: The “Wicked Problem” of Cybersecurity

Cybersecurity is one of the most important and challenging issues of our time, one with which many organizations are struggling. In the following guest post, John Doernberg takes a look at the ways we talk about cybersecurity and asks whether the language we use may be part of the problem. John is an Area Vice President at Arthur J. Gallagher & Co. in Boston and leads that office’s Cyber Liability Practice. A version of this article previously appeared as a LinkedIn post, here. I would like to thank John for his willingness to publish his guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s post.
Shareholder Files Data Breach Securities Class Action Lawsuit Against Yahoo
I wouldn’t ordinarily write about the same company or set of circumstances two days in a row, but because of developments following in the wake of the data breaches Yahoo announced last year, the company’s name has come up again. Yesterday, I wrote about the investigation the SEC reportedly is pursuing in connection with Yahoo’s alleged delays in disclosing the data breaches. It turns out that yesterday a plaintiff shareholder also filed a securities class action lawsuit in the Northern District of California against Yahoo and certain of its directors and officers relating to the company’s reported data breaches. A copy of the complaint the plaintiff filed on January 24, 2017 can be found here.
Will Yahoo’s Data Breach Reporting Become the Test Case for the SEC’s Cyber Disclosure Guidelines?
Ever since the SEC released its cyber security disclosure guidelines in October 2011, commentators (including me) have been speculating whether the agency might try to nab a company whose disclosure practices the agency might use as sort of a test case on the guidelines’ requirements. It now appears, at least based on media reports, the SEC is investigating Yahoo in what may yet become the long-anticipated test case. According to a front page January 23, 2017 Wall Street Journal article (here), the SEC has opened an investigation looking into Yahoo, Inc.’s disclosures of two massive data breaches the company reported last year.
Book Review: “Take Back Control of Your Cybersecurity Now”
There is little doubt that cybersecurity is one of the most pressing issues in the contemporary corporate, political and economic arena. When, as we have seen, cybersecurity has become a critical issue in the U.S. political and electoral processes, it is clear that the consequences and complications associated with cybersecurity have become acute. Cybersecurity has become a pervasive issue with political, military, and economic implications. It is also one of the foremost issues – if not the foremost issue – in the corporate risk management environment. In a complex and rapidly changing world, many companies and their senior officials are struggling to deal with cybersecurity issues and their implications.
Data Breach-Related Shareholder Derivative Lawsuit Filed Against Wendy’s
Cyber-breach related D&O lawsuits have not fared particularly well. Indeed, after the shareholder derivative lawsuit against the board of Home Depot was recently dismissed, it was unclear what the future direction for cybersecurity litigation against corporate officials might be. But though the future direction of this type of litigation is unclear, it seemed unlikely despite the poor track record that we had seen the last of these cases. Among other things, it seemed likely that entrepreneurial plaintiffs’ lawyers would continue to try to identify their litigation opportunity for these kinds of cases. As it has now turned out, we didn’t have to wait long for confirmation that despite the dismissals we had not seen the last of the cyber breach-related D&O lawsuits.
Home Depot Data Breach Derivative Lawsuit Dismissed
For some time now, many commentators (including me) have been predicting that the rising number of companies experiencing data breaches would result in a wave of D&O lawsuits. Indeed, there have been a small number of high-profile data security-related D&O lawsuits filed. However, several of those cases – including, for example, the derivative lawsuits filed against Target (about which refer here) and Wyndham Worldwide (here) – have been dismissed. Following these dismissals, the sole remaining recent high-profile data breach-related derivative lawsuit was the one filed against the directors and officers of Home Depot. However, the Home Depot lawsuit has now been dismissed as well. The spate of dismissals certainly raises a question about what we may expect with respect to future cybersecurity-related D&O lawsuits. A copy of Northern District of Georgia Judge Thomas Thrash’s November 30, 2016 opinion in the Home Depot derivative lawsuit can be found here.
Cybersecurity Disclosure Practices: What’s Up With That?
Cybersecurity has been and remains one of the hot topics in corporate governance. Several federal regulatory agencies, including the SEC, have made it clear that cybersecurity is a high priority item and at the top of their agenda. The SEC’s particular cybersecurity focus has been on consumer privacy and on corporate disclosure. But though the SEC has made cybersecurity issues, including disclosure, a top priority, it appears to be the case that very few public companies are actually disclosing cybersecurity and data breach incidents in their SEC filings. The current disclosure practices could be a concern for investors – and for D&O underwriters.
Sixth Circuit: Data Breach Victims’ Heightened Risk of Future Harm Establishes Article III Standing
One of defendants’ most significant arguments in opposing data breach victims’ negligence and breach of privacy claims has been that claimants who have not suffered actual fraud or identity theft can show no cognizable injury and therefore lack Article III standing to assert their claims. Appellate decisions in the Seventh and Ninth Circuits have previously taken a bite out of this defense, in rulings holding that the victims’ fear of future harm is sufficient to establish standing. Now the Sixth Circuit, in a case involving alleged victims of a data breach at Nationwide Mutual Insurance Company, has joined these other circuits, holding that the claimants’ heightened risk for fraud and mitigation costs were sufficient to establish Article III standing. The Sixth Circuit’s September 12, 2016 opinion, which can be found here, represents the latest in a series of developments evincing courts’ increasing willingness to recognize fear of potential future harm as sufficient to establish standing, which in turn may make it easier for the plaintiffs’ claims in these kinds of data breach cases to go forward.