John Reed Stark

In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a look at questions of confidentiality surrounding a discovery dispute between class action plaintiffs and a data breach victim company relating to forensic work conducted by Crowdstrike, Inc. in connection with a 2018 data security incident at Marriott International, Inc. As Stark notes, the issue of protecting the confidentiality of post-data breach forensic findings (when the forensic firm is typically engaged by counsel) has become of critical importance and has significant consequences. A version of this article previously was published on Cybersecurity Docket. I would like to thank John for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: More Battles Over Digital Forensic Findings

Stephen Reilly
Andrew Jones

Data breach class action lawsuits are already well-established in the United States, but are only developing elsewhere. In the following guest post, Stephen Reilly and Andrew Jones of Beale & Company Solicitors take a look at the possibilities and prospects for data breach class actions in the U.K. A version of this article previously was published as a Beale & Company client alert. I would like to thank Stephen and Andrew for allowing me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Stephen and Andrew’s guest post.
Continue Reading Guest Post: Data Breach Class Actions in the UK — What Next?

Like many others, I look forward to Warren Buffett’s annual letter to Berkshire Hathaway shareholders, and like many others, I read his annual letter closely, looking for any investment insights I can glean as well as for Buffett’s now-famous homespun brand of wisdom and humor. Although Buffett’s latest letter to Berkshire shareholders – which was published Saturday morning – does offer readers a little under each of these headings, I think many reading Buffett’s latest letter might have come away a little disappointed, as I discuss further below. Buffett’s 2019 letter to Berkshire shareholders, published on February 22, 2020, can be found here. (Full disclosure: I own BRK.B shares, although not as many as I wish I did.)
Continue Reading A Closer Look at Warren Buffett’s Annual Letter to Berkshire Shareholders

Over the last several years, plaintiffs’ lawyers have filed a number of D&O lawsuits against companies that had been hit with a cybersecurity incident. These suits have largely been unsuccessful, with the exception of the lawsuits filed against Yahoo in the wake of that company’s data breach. While the plaintiffs’ track record in data breach-related D&O lawsuits so far has not been good, a recent development could suggest that that has changed. On February 13, 2020, the parties to the Equifax data breach-related lawsuit filed a stipulation of settlement stating that the case has been settled based on the defendants’ agreement to pay $149 million. The settlement is subject to court approval. This settlement has a number of interesting implications, as discussed below. A copy of the parties’ stipulation of settlement can be found here.
Continue Reading Equifax Data Breach-Related Securities Suit Settled for $149 Million

Paul A. Ferrillo

In the following guest post, Paul A. Ferrillo takes a look at the recent findings that the SEC Office of Compliance, Inspections and Examinations issued with respect to its cybersecurity examinations of registered investment advisers and broker dealers. The findings, Paul suggests, provide good guidance from a number of perspectives with regard to cybersecurity governance issues. Paul is a partner with McDermott, Will & Emery. I would like to thank Paul for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
Continue Reading Guest Post: Avoiding Event Driven Litigation through Good Cybersecurity Governance

John Reed Stark

In the following guest post, John Reed Stark takes a look at the troubling rise of ransomware attacks, and the disturbing relationship between ransomware attacks and bitcoin. John is the President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. I would like to thank John for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: Ransomware’s Year-End Thank You Note to Bitcoin

Umesh Pratapa

As many insurance industry observers know, one of the great concerns within the industry now is the possible impact of “silent cyber” – that is, the potential for cybersecurity-related coverage outside of purpose-built cyber insurance policies. In the following guest post, Umesh Pratapa takes a look at the silent cyber phenomenon. A version of this article previously was published on Umesh’s website (here). Umesh is an independent insurance consultant based in India. I would like to thank Umesh for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Umesh’s article.
Continue Reading Guest Post: Silent Cyber – Is it Deafening?

Paul Ferrillo

As regular readers of this blog know, one of the many consequences that may follow for a company that experiences a cybersecurity incident is that it could get hit with a D&O claim. In the following guest post, Paul Ferrillo examines whether the increasing move toward cybersecurity-related D&O claims could in turn lead to an increase in prior Delaware Section 220 books and records inspection demands. Paul is a shareholder in the Greenberg Traurig law firm’s Cybersecurity, Privacy, and Crisis Management Practice. I would like to thank Paul for allowing me to publish his guest post as an article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
Continue Reading Guest Post: Board Cyber Oversight Duties and Delaware Section 220 Demands

Many of you probably saw the news this past week that Target has filed a lawsuit against one of its insurers over losses the company sustained in connection with the company’s 2014 data breach. The Target lawsuit is the latest in a series of high profile insurance battles in which companies are seeking to recoup losses resulting from cybersecurity incidents. However, as my friend, colleague, and Cyber insurance maven Mickey Estey pointed out to me, in its lawsuit Target is in fact not seeking to recover its claimed losses under a cyber insurance policy; rather, in its latest lawsuit, Target is seeking to recover for certain of its losses under its general liability policy. The Target lawsuit is only the latest in a series of high-profile insurance disputes in which companies that have sustained losses from a cybersecurity event are seeking coverage under a variety of different types of policies.
Continue Reading Seeking Insurance for Cybersecurity-Related Losses

In the latest example of a securities class action lawsuit arising out of a data breach or other cybersecurity incident, on October 24, 2019, a plaintiff shareholder filed a securities class action lawsuit against California-based software company Zendesk. The lawsuit follows after the company announced disappointing second quarter financial results in July and then announced in early October that customer account information had been accessed. The lawsuit is the most recent in a series of lawsuits in which companies experiencing cybersecurity incidents get hit with securities lawsuits.
Continue Reading Zendesk Hit with Data Breach-Related Securities Suit