In my recent annual round-up of the top stories in the world of D&O liability, I noted that among the key D&O issues is the possibility of claims against corporate directors and officers arising out of cybersecurity incidents. One of the more interesting cybersecurity-related D&O claims in recent years is the securities class action lawsuit a plaintiff shareholder filed against FedEx in connection with the company’s disclosures concerning the “NotPetya” virus cyberattack on its European operations. What made the lawsuit interesting is that it involved not the company’s disclosures at the time of the cyber incident but rather concerned the company’s subsequent statements about the company’s recovery from the attack and the attack’s longer-term impact on its finances, operations, and business strategy. In a February 4, 2021 opinion (here), Southern District of New York Judge Ronnie Abrams granted the defendants’ motion to dismiss the FedEx NotPetya securities lawsuit, with prejudice. As I discuss below, the opinion has some interesting lessons on the importance of precautionary disclosure.
Continue Reading FedEx “NotPetya” Cyberattack Securities Suit Dismissed

Paul A. Ferrillo

As I noted in a prior post, the recent state-sponsored cyber incident carried out through an attack on SolarWinds has a number of important implications. As noted in the following guest post from Paul Ferrillo, the incident could also have important implications for the cyber insurance marketplace. Paul is a partner in the McDermott, Will & Emery law firm. I would like to thank Paul for allowing me to publish this article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
Continue Reading Guest Post: SolarWinds – Einstein Failed Us, and the Cyber Insurance Markets will Feel the Squeeze

In my round-up of the Top D&O Stories of 2020, which I published earlier this week, I noted that the recent massive state-actor hack of U.S. government agencies and technology companies underscored the fact that cybersecurity represents a significant operational and management risk for organizations of every type. I also noted that cybersecurity-related issues represent an ongoing D&O claims risk. As if to confirm these propositions, the first securities class action lawsuit of the New Year was filed against SolarWinds, the network infrastructure management company whose breached software is believed to have contributed to the recent massive hack. As discussed below, the newly filed complaint highlights the fact that cybersecurity represents a significant potential source of management liability risk.
Continue Reading SolarWinds Hit with Securities Suit Based on Third-Party Governmental Actor Cyber Attack

The directors’ and officers’ liability environment is always changing, but 2020 was a particularly eventful year, with important consequences for the D&O insurance marketplace. The past year’s many developments also have significant implications for what may lie ahead in 2021 – and possibly for years to come. I have set out below the Top Ten D&O Stories of 2020, with a focus on the future implications. Please note that on Wednesday, January 13, 2021 at 11:00 AM EST, my colleague Marissa Streckfus and I will be conducting a free, hour-long webinar in which we will discuss The Top Ten D&O Stories of 2020. Registration for the webinar can be found here. I hope you will please join us for the webinar.
Continue Reading The Top Ten D&O Stories of 2020

On December 15, 2020, the Irish Data Protection Commission (DPC) announced the imposition under the General Data Protection Regulation (GDPR) of a €450,000 fine against the social media company Twitter for its delay in reporting to the DPC a data breach the company sustained in late 2018. According to the DPC’s press release about the fine, the DPC’s inquiry concerning the Twitter data breach was the first to go through the GDPR “dispute resolution” process since the GDPR’s introduction and was also the first decision in a “big tech” case in which all EU supervisory authorities were consulted as Concerned Supervisory Authorities. The DPC’s December 9, 2020 order can be found here. The DPC’s December 15, 2020 press release can be found here.
Continue Reading In First for U.S. Tech Firm, Twitter Hit with GDPR Fine

Technology-based education firm K12, Inc., which hoped to be able to profit from the pandemic-related shift to virtual learning, has been hit with a securities class action lawsuit alleging that the company’s share price declined after school systems using its platform to address their online learning needs allegedly experienced disappointing results. A copy of the shareholder plaintiff’s November 19, 2020 complaint can be found here.
Continue Reading Online Learning Firm Hit with COVID-19-Related Securities Suit

When the news circulated in February that the Equifax data breach securities lawsuit had settled for $149 million, I wondered whether the sizeable settlement might further encourage plaintiffs’ lawyers to file more securities suits against companies that had experienced cybersecurity incidents. As it has turned out, there have been no new cybersecurity incident-related securities suits filed since then – until now. Earlier this week, a plaintiff shareholder filed a securities suit against title insurance and insurance services company First American Financial Corp., which experienced a significant cybersecurity incident in May 2019. As discussed below, the filing of this complaint is noteworthy in several respects. A copy of the complaint in the recently filed First American securities lawsuit can be found here.
Continue Reading Title Insurance Company Hit with Cybersecurity Incident-Related Securities Suit

Bill Boeck

Ransomware attacks are on the increase, putting the target organizations in the uncomfortable position of having to decide whether or not to pay the demanded ransom. As if that were not tough enough, an October 1, 2020 advisory statement by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) warns that companies paying ransoms under these circumstances may risk violating OFAC regulations and could be subject to penalties. In the following guest post, Bill Boeck takes a look at the OFAC advisory and its implications. Bill is Lockton’s Global Cyber Product and Claims leader and U.S. Financial Lines Claims Practice Leader. A version of this article previously was published as a Lockton client alert. I would like to thank Bill for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Bill’s article.
Continue Reading Guest Post: OFAC Warns Against Paying Cyber Ransoms to Sanctioned Entities

John Reed Stark

Along with all of the other anxieties about the upcoming Presidential election, there is the concern that someone, somewhere will use some type of cyberattack to interfere with the electoral process. If that were to happen, the immediate question will be “Who did it?” In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, underscores the difficulties associated with identifying the actors behind any cyberattack and cautions against jumping to conclusions about who might have been involved. A version of this article previously was published on Cybersecurity Docket. I would like to thank John for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: Attribution on Election Cyber-Attacks: Don’t Rush to Judgment

John Reed Stark

In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a look at questions of confidentiality surrounding a discovery dispute between class action plaintiffs and a data breach victim company relating to forensic work conducted by CrowdStrike, Inc. in connection with a 2018 data security incident at Marriott International, Inc. As Stark notes, the issue of protecting the confidentiality of post-data breach forensic findings (when the forensic firm is typically engaged by counsel) has become of critical importance and has significant consequences. A version of this article previously was published on Cybersecurity Docket. I would like to thank John for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: More Battles Over Digital Forensic Findings