In what is likely to be the last cybersecurity-related enforcement action by the SEC under outgoing chair Gary Gensler, the agency has brought a settled enforcement action against asset management firm Ashford, Inc., alleging that the company made misrepresentations in its periodic reporting documents about a cybersecurity-related incident at the firm. As discussed below, the action raises questions about what may come next as far as SEC cybersecurity-related enforcement under the new administration. A copy of the SEC’s January 13, 2025, complaint in the enforcement action can be found here. The SEC’s January 13, 2025, press release about the action can be found here.
Continue Reading SEC Files Cyber Disclosure Enforcement Action Against Asset Manager

Brent Stevens

In the following guest post, Brent Stevens analyzes and summarizes the findings from the 2024 Claims Litigation Management Defense Counsel Study. Brent is a Senior Director at Consilio and leads Consilio’s Insurance Vertical, serving Consilio’s Insurance Industry clients, including carriers, brokers, and their law firms. I would like to thank Brent for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to the site’s readers. Please contact me directly if you would like to submit a guest post. Here is Brent’s article.
Continue Reading Guest Post: Navigating Key Insights from the 2024 CLM Study

Frank Hülsberg

Burkhard Fassbach

In this guest post, Frank Hülsberg and Burkhard Fassbach take a look at a recent Reuters special report about the use of cyber hacking and other espionage techniques in litigation and consider the D&O liability and insurance implications. Frank Hülsberg is a Chartered Accountant and Tax Advisor in Düsseldorf, Partner Advisory and Member of the Executive Board at Grant Thornton AG Wirtschaftsprüfungsgesellschaft in Germany, and Burkhard Fassbach is a D&O lawyer in private practice in Germany. I would like to thank Frank and Burkhard for allowing me to publish their article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Frank and Burkhard’s article.
Continue Reading Guest Post: Spy Phishing Attacks Against Lawyers and Litigants

As I have noted in prior posts (most recently here), an important concern these days for insurance industry observers and commentators is “silent cyber” — that is, the coverage for cyber-related losses under traditional property and casualty insurance policies, as opposed to purpose-built cyber insurance policies. For example, in one recent case (discussed here), a court found coverage for cyber losses under a business owner’s policy. While the possibility for finding cyber coverage under several other types of coverage is frequently discussed, one line of coverage that is not frequently considered is fiduciary liability coverage. However, a recent lawsuit, in which a corporate benefits plan participant lost funds to a cyber thief, suggests a way in which a cyber loss potentially could trigger a fiduciary liability policy.
Continue Reading “Silent Cyber” and Fiduciary Liability Claims

One of the hot topics for mainstream P&C insurers these days is dealing with “silent cyber” – that is, the coverage for cyber-related losses in traditional property and casualty insurance policies. There are a number of initiatives underway in the insurance underwriting community as insurers try to address silent cyber. However, as noted in an interesting January 14, 2020 memo from the Covington law firm entitled “The Noise About ‘Silent Cyber’ Insurance Coverage” (here), these initiatives have important implications for policyholders. Among other things, these initiatives potentially could result in a gap in policyholders’ coverage for cyber-related losses, as discussed below.
Continue Reading Addressing “Silent Cyber” and the Risk of Coverage Gaps

The SEC’s disclosure that its EDGAR system had been hacked was big news last week, as was the accompanying disclosure that the information accessed may have been used for improper trading. In the following guest post, John Reed Stark takes a look at the interesting and important legal issues that might arise if the authorities were to try to pursue claims against persons trying to trade on the information stolen from the SEC. John is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. I would like to thank John for his willingness to allow me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s guest post.
Continue Reading Guest Post: Think the SEC EDGAR Data Breach Involved Insider Trading? Think Again.

According to the company’s December 9, 2015 press release (here), Wyndham Worldwide has reached a settlement with the Federal Trade Commission in the long-running and high-profile civil action the agency filed against the company and its affiliates in connection with data breaches at the company during the period 2008-2010. Under the terms of the settlement, the company has agreed to undertake certain measures and to continue to meet certain standards with respect to its customers’ payment card information. As the company said in its press release about the settlement, the company’s undertakings in the settlement set “a standard for what the government considers reasonable data security of payment card information.” The FTC’s December 9, 2015 press release about the settlement can be found here. The parties’ stipulated order for injunction, which is subject to court approval, can be found here.
Continue Reading Wyndham Worldwide Settles Data Breach-Related FTC Enforcement Action

Following the Third Circuit’s August 2015 decision in which the appellate court affirmed the Federal Trade Commission’s authority to pursue an enforcement action against Wyndham Worldwide alleging that the company failed to make reasonable efforts to protect consumers’ private information, there have been concerns that other companies experiencing data breaches could be the target of enforcement actions by the FTC and other regulatory agencies. However, a recent decision by the FTC’s Chief Administrative Law Judge has set a high bar for the degree and kind of consumer harm that must be shown in order for the FTC to be able to pursue a data breach-related claim under Section 5 of the FTC Act.

In a 92-page November 13, 2015 opinion (here), FTC Chief Administrative Law Judge D. Michael Chappell dismissed the FTC’s complaint against LabMD, Inc., based on his holding that the FTC had failed to meet its burden to show that the company’s data security practices had caused or were likely to cause harm to consumers. As discussed below, the agency intends to appeal the ALJ’s ruling, but as it stands the ruling could provide companies that are the target of an FTC data breach-related enforcement action a basis upon which to try to challenge the sufficiency of the FTC’s allegations.
Continue Reading FTC Data Breach-Related Enforcement Action Dismissed Based on Lack of Alleged Consumer Harm

John Reed Stark

David Fontaine

It is well understood by now that cyber security is a concern for every organization and that it is an issue on which every company’s board should be focused. But what specifically should boards of directors be worried about and what questions should they be asking? In the following guest post, John Reed Stark and David R. Fontaine take a look at the ten cybersecurity concerns on which every board of directors should be focused. John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. David Fontaine is Executive Vice President, Chief Legal & Administrative Officer and Corporate Secretary of Altegrity, a privately held company that among other entities, owns Kroll’s data breach response services. The authors’ complete biographies appear at the end of the post. This article was previously published on CybersecurityDocket.com, an online global cybersecurity and incident response report, and a division of Docket Media.

I would like to thank the authors for their willingness to publish their article on this site. I welcome guest posts from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. The authors’ guest post follows.

*************************************

Every board now knows its company will fall victim to a cyber-attack, and even worse, that the board will need to clean up the mess and superintend the fallout.

Yet cyber-attacks can be extraordinarily complicated and, once identified, demand a host of costly responses. These include digital forensic preservation and investigation, notification of a broad range of third parties and other constituencies,[1] fulfillment of state and federal compliance obligations, potential litigation, engagement with law enforcement, the provision of credit monitoring, crisis management, a communications plan – and the list goes on.

And besides the more predictable workflow, a company is exposed to other even more intangible costs as well, including temporary or even permanent reputational and brand damage;[2] loss of productivity; extended management drag; and a negative impact on employee morale and overall business performance.

So what is the role of a board of directors amid all of this complex and bet-the-company workflow? Corporate directors clearly have a fiduciary duty to understand and oversee cybersecurity, but there is no need for board members (many of whom have limited IT experience) to panic.

Below we compile a list of ten cybersecurity considerations that provide a solid bedrock of inquiry for corporate directors who want to take their cybersecurity oversight and supervision responsibilities seriously.[3] This “cybersecurity top ten list” provides the requisite strategic framework for boards of directors to engage in an intelligent, thoughtful and appropriate supervision of a company’s cybersecurity risks.
Continue Reading Guest Post: Ten Cybersecurity Concerns for Every Board of Directors