When companies are hit with cybersecurity incidents, class action privacy litigation often follows. However, claimants in these kinds of cases face a threshold challenge of showing they have suffered a sufficient “injury in fact” to establish that they have standing to assert their claims. The following guest post, written by Paul Ferrillo, Kristine Argentine, Emily Dorner, and Alexandra Drury of the Seyfarth Shaw law firm, provides a survey of the current state of play for the standing requirements in this type of litigation. I would like to thank the authors for allowing me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is the authors’ article. 
Continue Reading Guest Post: First There was Litigation; And Then There Was Standing

In the agency’s latest move underscoring its emphasis on cybersecurity disclosure, the SEC has filed settled charges against the U.K. educational publishing and services company Pearson plc, alleging that the company misled investors about a 2018 data breach. The company, which neither admitted nor denied the charges, agreed to pay a $1 million civil money penalty. The administrative enforcement action, while not the first of its type, does highlight the agency’s heightened focus on cybersecurity disclosure issues. The agency’s August 16, 2021 cease and desist order can be found here. The agency’s August 16, 2021 press release about the order can be found here. Pearson’s statement about the proceeding can be found here.
Continue Reading SEC Charges Company Over Misleading Cybersecurity-Related Disclosures

In the following guest post, John Cheffers analyzes the data relating to cybersecurity incidents at companies listed on Nasdaq and New York Stock Exchange. John is Associate Counsel and Director of Research at Watchdog Research. I would like to thank John for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: Cybersecurity Incident and Litigation Review 2021

After the news emerged last week that Chinese cybersecurity regulators had cracked down on the ride-sharing firm DiDi Global shortly after the company completed its U.S. IPO, the company was hit with a U.S. securities class action lawsuit. However, DiDi was not the only Chinese company that recently completed a U.S. IPO that was targeted by the Chinese regulator. Two other Chinese companies that completed U.S. IPOs in June – Full Truck Alliance Co. Ltd. and Kanzhun Limited – were both also notified that their companies were under review by the cybersecurity regulator. And now both of these companies have also been hit with U.S. securities class action lawsuits, as discussed below.
Continue Reading Two More Chinese Companies Hit with U.S. Securities Suits Following Post-IPO Crackdown by Chinese Regulator

On July 6, 2021, after the Wall Street Journal reported that prior to DiDi’s June 30, 2021 U.S. IPO, government authorities had urged the Chinese ride-hailing firm to postpone the offering, but that the company, under pressure from investors, had gone ahead with the IPO anyway, it seemed that it would only be a matter of time before DiDi would be hit with a U.S. securities lawsuit. Indeed, as it turned out, the same day the Journal article appeared, an investor filed a U.S. securities class action lawsuit against the company. As discussed below, the lawsuit is based on cybersecurity and privacy concerns relating to the company’s ride-hailing app. A copy of the investor’s July 6, 2021 complaint can be found here.
Continue Reading Chinese Ride-Hailing Firm DiDi Hit With Securities Suit Related to Its Recent IPO

In a very interesting June 16, 2021 opinion, the Ninth Circuit has reversed in part the district court’s dismissal of the privacy and cybersecurity-related securities class action lawsuit filed against Google parent Alphabet, Inc., relating to the company’s discovery of and decision not to disclose a software vulnerability that exposed user data of nearly half a million users of the Google+ social media site. The appellate court’s decision, a copy of which can be found here, could represent a significant development in the evolution of cybersecurity and privacy-related securities litigation.
Continue Reading Ninth Circuit in Part Reverses Dismissal of the Google+ User Data Securities Lawsuit

Shortly after Marriott International’s November 2018 announcement that it had uncovered a data breach in the guest registration system of Starwood (which Marriott had acquired two years earlier), the company was hit with a raft of litigation, including both securities class action lawsuits and shareholder derivative lawsuits. In twin June 11, 2021 opinions, the federal district judge presiding over the various Marriott data breach-related lawsuits granted the defendants’ motions to dismiss both the consolidated securities suits and the consolidated derivative suits. The lengthy and detailed opinions make for interesting reading and underscore the challenge plaintiffs face in trying to turn a cybersecurity incident into a D&O claim. The opinion in the securities suit can be found here and the opinion in the derivative suit can be found here.
Continue Reading Marriott Data Breach-Related Securities and Derivative Suits Both Dismissed

The business pages have been full in recent months with tales of cyber extortion and ransomware. In an effort to try to explain these developments, some commentators have suggested that the availability of ransomware coverage under cyber insurance is a cause of the problem. In the following guest post, Paul Ferrillo takes on the question of the role of cyber insurance availability in the proliferation of ransomware incidents. Paul is a partner in the securities litigation group at the Seyfarth Shaw law firm. I would like to thank Paul for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
Continue Reading Cybersecurity Insurance Did NOT Cause the Ransomware Plague

A cybersecurity incident earlier this year at the technology company Ubiquiti has given rise to a securities class action lawsuit against the company and two of its executives. The lawsuit is the latest example of the D&O risk exposure relating to cybersecurity. As discussed below, the lawsuit’s allegations illustrate that the way a company handles bad news can be an important litigation risk factor. A copy of the May 19, 2021 securities lawsuit complaint against Ubiquiti can be found here.
Continue Reading Internet Technology Company Hit with Data Breach-Related Securities Suit

In the following guest post, Angus Duncan of Willis Towers Watson summarizes the results of the 2021 Willis Towers Watson D&O Liability Survey. I would like to thank Angus for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Angus’s article.
Continue Reading Guest Post: 2021 Willis Towers Watson D&O Liability Survey