When the news circulated in February that the Equifax data breach securities lawsuit had settled for $149 million, I wondered whether the sizeable settlement might further encourage plaintiffs’ lawyers to file more securities suits against companies that had experienced cybersecurity incidents. As it has turned out, there have been no new cybersecurity incident-related securities suits filed since then – until now. Earlier this week, a plaintiff shareholder filed a securities suit against title insurance and insurance services company First American Financial Corp., which experienced a significant cybersecurity incident in May 2019. As discussed below, the filing of this complaint is noteworthy in several respects. A copy of the complaint in the recently filed First American securities lawsuit can be found here.
Continue Reading Title Insurance Company Hit with Cybersecurity Incident-Related Securities Suit
“Silent Cyber” and Fiduciary Liability Claims
As I have noted in prior posts (most recently here), an important concern these days for insurance industry observers and commentators is “silent cyber” — that is, the coverage for cyber-related losses under traditional property and casualty insurance policies, as opposed to purpose-built cyber insurance policies. For example, in one recent case (discussed here), a court found coverage for cyber losses under a business owner’s policy. While the possibility for finding cyber coverage under several other types of coverage is frequently discussed, one line of coverage that is not frequently considered is fiduciary liability coverage. However, a recent lawsuit, in which a corporate benefits plan participant lost funds to a cyber thief, suggests a way in which a cyber loss potentially could trigger a fiduciary liability policy.
Continue Reading “Silent Cyber” and Fiduciary Liability Claims
LabCorp Board Hit with Derivative Suit Over Third-Party Service Provider’s Data Breach
With coronavirus-related developments consuming all of the attention these days, it might be easy to forget other unrelated claims trends are continuing to develop and unfold. One important pre-pandemic trend that has continued to develop is the rise of D&O claims arising out of cybersecurity incidents. In the latest sign that this claims trend remains important, a plaintiff shareholder has filed a derivative lawsuit against certain directors and officers of Laboratory Corporation of America, in connection with two cybersecurity incidents involving the company. As detailed below, the first of these two incidents involved a data breach that took place at one of LabCorp’s third-party service providers. A copy of the complaint, filed in Delaware Chancery Court on April 28, 2020, can be found here.
Continue Reading LabCorp Board Hit with Derivative Suit Over Third-Party Service Provider’s Data Breach
Guest Post: Directors Beware: More Perils from COVID-19
The coronavirus pandemic poses a host of threats and challenges for every organization. The outbreak also presents a number of serious challenges for boards of directors as well. In the following guest post, Paul Ferrillo, a partner in the McDermott, Will & Emery law firm, considers the challenges that boards are facing and the litigation threats that may arise as a result. I would like to thank Paul for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
Continue Reading Guest Post: Directors Beware: More Perils from COVID-19
FedEx Hit with Cyber Attack-Related Securities Suit
One of the most watched and commented on corporate and securities litigation trends over the last several years has been the rise of management liability related lawsuits arising from cybersecurity-related incidents. While there has never been the volume of cases that some commentators expected, there have been a number of cases filed. The latest of these lawsuits is the securities class action lawsuit filed this week against FedEx, in which the plaintiff shareholder alleges the company did not fully disclose the extent of the disruption at its European operation after it was hit with the NotPetya malware virus in June 2017. A number of the allegations in the new FedEx complaint are similar to those raised in prior cybersecurity-related securities suit, suggesting some of the factors that might lead to this type of cybersecurity follow-on lawsuit. A copy of the complaint, filed in the Southern District of New York on June 26, 2019, can be found here.
Continue Reading FedEx Hit with Cyber Attack-Related Securities Suit
Guest Post: Cryptocurrencies — A Quandary for Quadriga
In the following guest post, Karen Boto, Legal Director at the Clyde & Co. law firm, takes a look at the unusual circumstances that have recently come to light in connection with the cryptocurrency trading platform Quadriga, as well as the insurance issues that the circumstances might involve. I would like to thank Karen for allowing me to publish her guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Karen’s article.
Continue Reading Guest Post: Cryptocurrencies — A Quandary for Quadriga
Executive Liability for Data Breach Notification Delay?
The outrage that followed Uber’s revelation that hackers had accessed 57 million passenger and drive records was not about the breach itself. It was about the accompanying disclosure that the company had kept the news of the data breach secret after paying the hackers a ransom. The outrage at these disclosures was not lost on lawmakers in Washington. A measure was recently introduced in Congress that would impose new criminal penalties on anyone convicted of “intentionally and willfully” concealing a data breach, including fines and up to five years imprisonment, or both. This proposed provision is only one of several measure intended to ensure that companies quickly notify affected persons that a data breach has occurred.
Continue Reading Executive Liability for Data Breach Notification Delay?
Guest Post: The Equifax and SEC Data Breaches: Takeaways, Reminders & Caveats
There has been a steady drumbeat of news about high profile data breaches in the past several days, including the news about the Equifax data breach and the disclosure of the breach at the SEC. In the following guest post, John Reed Stark takes a look at these data breaches and their implications. John is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. I would like to thank John for his willingness to allow me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s guest post.
Continue Reading Guest Post: The Equifax and SEC Data Breaches: Takeaways, Reminders & Caveats
Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance
Readers undoubtedly are aware of the recent outbreak of ransomware incidents and the problems they present. The threat of ransomware attacks poses a host of issues, among the most significant of which is whether or not ransomware victims should go ahead and make the demanded ransomware payment as the quickest way to try to recover captured systems. In the following blog post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a comprehensive look that problems involved with making payments in response to a ransomware attack. A version of this article originally appeared on CybersecurityDocket.
I would like to thank John for his willingness to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit an article. Here is John’s guest post.
Continue Reading Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance
Cybersecurity Disclosure Practices: What’s Up With That?
Cybersecurity has been and remains one of the hot topics in corporate governance. Several federal regulatory agencies, including the SEC, have made it clear that cybersecurity is a high priority item and at the top of their agenda. The SEC’s particular cybersecurity focus has been on consumer privacy and on corporate disclosure. But though the SEC has made cybersecurity issues, including disclosure, a top priority, it appears to be the case that very few public companies are actually disclosing cybersecurity and data breach incidents in their SEC filings. The current disclosure practices could be a concern for investors – and for D&O underwriters.
Continue Reading Cybersecurity Disclosure Practices: What’s Up With That?