As I have noted in prior posts (most recently here), an important concern these days for insurance industry observers and commentators is “silent cyber” — that is, the coverage for cyber-related losses under traditional property and casualty insurance policies, as opposed to purpose-built cyber insurance policies. For example, in one recent case (discussed here), a court found coverage for cyber losses under a business owner’s policy. While the possibility for finding cyber coverage under several other types of coverage is frequently discussed, one line of coverage that is not frequently considered is fiduciary liability coverage. However, a recent lawsuit, in which a corporate benefits plan participant lost funds to a cyber thief, suggests a way in which a cyber loss potentially could trigger a fiduciary liability policy.
Continue Reading “Silent Cyber” and Fiduciary Liability Claims

With coronavirus-related developments consuming all of the attention these days, it might be easy to forget other unrelated claims trends are continuing to develop and unfold. One important pre-pandemic trend that has continued to develop is the rise of D&O claims arising out of cybersecurity incidents. In the latest sign that this claims trend remains important, a plaintiff shareholder has filed a derivative lawsuit against certain directors and officers of Laboratory Corporation of America, in connection with two cybersecurity incidents involving the company. As detailed below, the first of these two incidents involved a data breach that took place at one of LabCorp’s third-party service providers. A copy of the complaint, filed in Delaware Chancery Court on April 28, 2020, can be found here.
Continue Reading LabCorp Board Hit with Derivative Suit Over Third-Party Service Provider’s Data Breach

The coronavirus pandemic poses a host of threats and challenges for every organization. The outbreak also presents a number of serious challenges for boards of directors as well. In the following guest post, Paul Ferrillo, a partner in the McDermott, Will & Emery law firm, considers the challenges that boards are facing and the litigation threats that may arise as a result. I would like to thank Paul for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
Continue Reading Guest Post: Directors Beware: More Perils from COVID-19

One of the most watched and commented on corporate and securities litigation trends over the last several years has been the rise of management liability related lawsuits arising from cybersecurity-related incidents. While there has never been the volume of cases that some commentators expected, there have been a number of cases filed. The latest of these lawsuits is the securities class action lawsuit filed this week against FedEx, in which the plaintiff shareholder alleges the company did not fully disclose the extent of the disruption at its European operation after it was hit with the NotPetya malware virus in June 2017. A number of the allegations in the new FedEx complaint are similar to those raised in prior cybersecurity-related securities suits, suggesting some of the factors that might lead to this type of cybersecurity follow-on lawsuit. A copy of the complaint, filed in the Southern District of New York on June 26, 2019, can be found here.
Continue Reading FedEx Hit with Cyber Attack-Related Securities Suit

Karen Boto

In the following guest post, Karen Boto, Legal Director at the Clyde & Co. law firm, takes a look at the unusual circumstances that have recently come to light in connection with the cryptocurrency trading platform Quadriga, as well as the insurance issues that the circumstances might involve. I would like to thank Karen for allowing me to publish her guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Karen’s article.
Continue Reading Guest Post: Cryptocurrencies — A Quandary for Quadriga

The outrage that followed Uber’s revelation that hackers had accessed 57 million passenger and driver records was not about the breach itself. It was about the accompanying disclosure that the company had kept the news of the data breach secret after paying the hackers a ransom. The outrage at these disclosures was not lost on lawmakers in Washington. A measure was recently introduced in Congress that would impose new criminal penalties on anyone convicted of “intentionally and willfully” concealing a data breach, including fines and up to five years imprisonment, or both. This proposed provision is only one of several measures intended to ensure that companies quickly notify affected persons that a data breach has occurred.
Continue Reading Executive Liability for Data Breach Notification Delay?

There has been a steady drumbeat of news about high profile data breaches in the past several days, including the news about the Equifax data breach and the disclosure of the breach at the SEC. In the following guest post, John Reed Stark takes a look at these data breaches and their implications. John is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. I would like to thank John for his willingness to allow me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s guest post.
Continue Reading Guest Post: The Equifax and SEC Data Breaches: Takeaways, Reminders & Caveats

John Reed Stark

Readers undoubtedly are aware of the recent outbreak of ransomware incidents and the problems they present. The threat of ransomware attacks poses a host of issues, among the most significant of which is whether or not ransomware victims should go ahead and make the demanded ransomware payment as the quickest way to try to recover captured systems. In the following blog post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a comprehensive look at the problems involved with making payments in response to a ransomware attack. A version of this article originally appeared on CybersecurityDocket.

I would like to thank John for his willingness to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit an article. Here is John’s guest post.
Continue Reading Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance

Cybersecurity has been and remains one of the hot topics in corporate governance. Several federal regulatory agencies, including the SEC, have made it clear that cybersecurity is a high priority item and at the top of their agenda. The SEC’s particular cybersecurity focus has been on consumer privacy and on corporate disclosure. But though the SEC has made cybersecurity issues, including disclosure, a top priority, it appears to be the case that very few public companies are actually disclosing cybersecurity and data breach incidents in their SEC filings. The current disclosure practices could be a concern for investors – and for D&O underwriters.
Continue Reading Cybersecurity Disclosure Practices: What’s Up With That?

Stephen O’Donnell

Cyber liability insurance is a relatively new product and many of the terms and conditions found in cyber-liability policies are as yet untested in the courts. In this guest post, Stephen O’Donnell of the Steptoe & Johnson law firm takes a look at two particular standard features of the cyber liability insurance policies, the retroactive date and policy inception date exclusions, and the potential for these exclusions to preclude coverage for the very kind of exposures that are the reasons most purchasers buy the insurance.

I would like to thank Stephen for his willingness to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Stephen’s guest post.


Continue Reading Guest Post: Cyber-Liability Insurance and the Retroactive Date Exclusion