Stephen O’Donnell

Cyber liability insurance is a relatively new product and many of the terms and conditions found in cyber-liability policies are as yet untested in the courts. In this guest post, Stephen O’Donnell of the Steptoe & Johnson law firm takes a look at two particular standard features of the cyber liability insurance policies, the retroactive date and policy inception date exclusions, and the potential for these exclusions to preclude coverage for the very kind of exposures that are the reasons most purchasers buy the insurance.

I would like to thank Stephen for his willingness to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Stephen’s guest post.


Continue Reading Guest Post: Cyber-Liability Insurance and the Retroactive Date Exclusion

John Reed Stark

There have been several very high profile news reports of significant law firm data breaches. It is not a mere coincidence that law firms increasingly are targeted in data breach attacks. Law firms have a trove of information that makes them highly attractive to cybercriminals. In the following guest post, John Reed Stark takes a look at the reasons for the rise in the number of cyber attacks as well as the steps that law firms can take to try to defend themselves and their clients. John is the President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. A version of this article originally appeared on CybersecurityDocket.com. I would like to thank John for his willingness to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: Law Firms and Cybersecurity: A Comprehensive Guide for Law Firm Executive Committees

In the following guest post, Paul Ferrillo of the Weil Gotshal law firm and Christophe Veltsos, CISSP, CISA, and CIPP, and an Associate Professor at Minnesota State University, Mankato, take a look at a recent NASDAQ survey of corporate officials in multiple countries on the topic of cybersecurity accountability. As Paul and Christophe detail, there is reason to be concerned about the apparent lack of cybersecurity literacy, awareness and risk assessments among the corporate officials surveyed. The authors also take a look at the steps companies can take to address these concerns.

I would like to thank Paul and Christophe for their willingness to publish their guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul and Christophe’s guest post.
Continue Reading Guest Post: Grading Global Boards of Directors on Cybersecurity

In the following guest post, Paul A. Ferrillo and Christophe Veltsos take a look at the next-level concepts companies should adopt to improve their data breach detection and response time, perhaps allowing them to kick attackers off their networks before bad things happen. Paul Ferrillo is a member of the Cybersecurity, Data Privacy & Information Management practice at Weil, Gotshal & Manges LLP, and a featured speaker at the upcoming Incident Response Forum on March 31, 2016, in Washington, D.C. Christophe Veltsos, PhD, CISSP, CISA, CIPP, GCFA, regularly teaches Information Security and Information Warfare classes at Minnesota State University. I would like to thank Paul and Christophe for their willingness to publish their article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul and Christophe’s guest post.
Continue Reading Guest Post: Next-Level Cybersecurity Incident Response Trends 2016

According to the company’s December 9, 2015 press release (here), Wyndham Worldwide has reached a settlement with the Federal Trade Commission in the long-running and high-profile civil action the agency filed against the company and its affiliates in connection with data breaches at the company during the period 2008-2010. Under the terms of the settlement, the company has agreed to undertake certain measures and to continue to meet certain standards with respect to its customers’ payment card information. As the company said in its press release about the settlement, the company’s undertakings in the settlement set “a standard for what the government considers reasonable data security of payment card information.” The FTC’s December 9, 2015 press release about the settlement can be found here. The parties’ stipulated order for injunction, which is subject to court approval, can be found here.
Continue Reading Wyndham Worldwide Settles Data Breach-Related FTC Enforcement Action

Following the Third Circuit’s August 2015 decision in which the appellate court affirmed the Federal Trade Commission’s authority to pursue an enforcement action against Wyndham Worldwide alleging that the company failed to make reasonable efforts to protect consumers’ private information, there have been concerns that other companies experiencing data breaches could be the target of enforcement actions by the FTC and other regulatory agencies. However, a recent decision by the FTC’s Chief Administrative Law Judge has set a high bar for the degree and kind of consumer harm that must be shown in order for the FTC to be able to pursue a data breach-related claim under Section 5 of the FTC Act.

In a 92-page November 13, 2015 opinion (here), FTC Chief Administrative Law Judge D. Michael Chappell dismissed the FTC’s complaint against LabMD, Inc., based on his holding that the FTC had failed to meet its burden to show that the company’s data security practices had caused or were likely to cause harm to consumers. As discussed below, the agency intends to appeal the ALJ’s ruling, but as it stands the ruling could provide companies that are the target of an FTC data breach-related enforcement action a basis upon which to try to challenge the sufficiency of the FTC’s allegations.
Continue Reading FTC Data Breach-Related Enforcement Action Dismissed Based on Lack of Alleged Consumer Harm

We live in a world in which rapidly shifting technologies and communications modalities have changed the way we interact and conduct business. These new media and means of interaction have introduced innumerable benefits and efficiencies. Unfortunately, these new alternatives have downsides; among other things, they mean new risks and even liability exposures for both the individuals and the companies that use them. We are all well aware of what can happen to a company that experiences a major data breach. But the new technologies and communications approaches also introduce a host of other potential business liability risks and exposures.

In the new 2015 edition of their interesting and readable book Cyber Risks, Social Media and Insurance: A Guide to Risk Assessment and Management (here), Carrie Cope, Dirk E. Ehlers and Keith W. Mandell take a comprehensive look at the new technologies and communications approaches, review the changed liability environment that these new alternatives present, analyze the current state of the insurance marketplace for these various exposures, and make some projections about what may lie ahead.
Continue Reading Book Review: Cyber Risks, Social Media and Insurance

John E. Clabby
Joseph W. Swanson

As I noted in a September 9, 2015 post (here), a Home Depot shareholder has filed a data breach-related derivative lawsuit against certain of the company’s directors and officers, in which the plaintiff contends that the defendants breached their fiduciary duties by failing to ensure that customer credit card information was secure and protected. A copy of the complaint can be found here.

In the following guest post, John E. Clabby and Joseph W. Swanson of the Carlton Fields Jorden Burt law firm take a look at the Home Depot data breach D&O lawsuit and provide their views on what the lawsuit may foreshadow for future D&O litigation. Jack and Joe also review what they think are the lessons for corporate boards and managers from the lawsuit’s allegations, as well as the implications of the lawsuit for companies that experience a data breach in the future.

I would like to thank Jack and Joe for their willingness to publish their guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. Please contact me directly if you would like to submit a guest post. Here is Jack and Joe’s guest post.

********************************************
Ending months of speculation, a shareholder has finally filed a derivative lawsuit against the directors and management of The Home Depot, Inc., in connection with the massive data breach the company suffered in 2014. The complaint, which alleges breach of fiduciary duty and corporate waste, fits the emerging template of shareholder derivative lawsuits after breaches at public companies. As such, it is worth a closer analysis for those whose jobs include protection of public companies and their boards from and during data breaches, both directly through more robust cybersecurity measures and indirectly through director and officer insurance and cyber-risk policies.
Continue Reading Guest Post: Preparing for a Cyber Caremark Lawsuit: Lessons from the Home Depot Derivative Complaint

In early 2014, when plaintiffs initiated data breach-related derivative lawsuits against the boards of Target Corp. (here) and Wyndham Worldwide (here), there was some speculation that these cases might be the first of what could become a wave of data breach-related D&O lawsuits. But then the Wyndham Worldwide case was dismissed (refer here) and no new data breach-related D&O lawsuits followed, even though there were several high profile data breaches after that time (including Sony Entertainment, Anthem and Home Depot). Although many predicted that more D&O lawsuits were to come, the suits themselves did not materialize. There were, however, some suggestions that a lawsuit against Home Depot might eventually arrive, as a plaintiff initiated a books and records action in Delaware Chancery Court against the company.

The wondering and waiting about whether or not there will be a Home Depot data breach-related D&O lawsuit is now over. A Home Depot data breach-related shareholder’s derivative lawsuit has been filed in the Northern District of Georgia. On September 2, 2015, a plaintiff shareholder filed a redacted complaint in a lawsuit against Home Depot, as nominal defendant, and twelve Home Depot directors and officers, alleging that the defendants breached “their fiduciary duties of loyalty, good faith, and due care by knowingly and in conscious disregard of their duties failing to ensure that Home Depot took reasonable measures to protect its customers’ personal and financial information.” The redacted version of the plaintiff’s complaint can be found here. (Please see below for further explanation about the timing of the filing of the plaintiff’s lawsuit and the redactions to the complaint.)
Continue Reading Data Breach-Related Derivative Lawsuit Filed against Home Depot Directors and Officers