
Readers undoubtedly are aware of the recent outbreak of ransomware incidents and the problems they present. The threat of ransomware attacks poses a host of issues, among the most significant of which is whether or not ransomware victims should go ahead and make the demanded ransomware payment as the quickest way to try to recover captured systems. In the following blog post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a comprehensive look at the problems involved with making payments in response to a ransomware attack. A version of this article originally appeared on CybersecurityDocket.
I would like to thank John for his willingness to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit an article. Here is John’s guest post.
During the period 2014-2015, several companies – including Home Depot – that had experienced high-profile data breaches were hit with cybersecurity-related D&O lawsuits. All of these lawsuits, including the one against Home Depot, were dismissed. The plaintiffs in the Home Depot case filed an appeal of the dismissal. Now it appears that while the appeal was pending the parties to the Home Depot data breach-related derivative lawsuit have reached a settlement. The settlement could have interesting implications for the plaintiffs’ bar’s ongoing efforts to pursue data breach-related D&O litigation.


There is little doubt that cybersecurity is one of the most pressing issues in the contemporary corporate, political and economic arena. When, as we have seen, cybersecurity has become a critical issue in the U.S. political and electoral processes, it is clear that the consequences and complications associated with cybersecurity have become acute. Cybersecurity has become a pervasive issue with political, military, and economic implications. It is also one of the foremost issues – if not the foremost issue – in the corporate risk management environment. In a complex and rapidly changing world, many companies and their senior officials are struggling to deal with cybersecurity issues and their implications.
Cybersecurity has been and remains one of the hot topics in corporate governance. Several federal regulatory agencies, including the SEC, have
One of the recurring issues that has arisen as claimants and regulators have pursued cybersecurity-related claims against companies that have experienced a data breach is the question of what type or quantum of claimed injury is sufficient to sustain a claim. This issue has
For some time now, many commentators, including me, have been predicting that cybersecurity-related litigation could become an important part of the D&O litigation environment. And that may yet happen. For now, however, the results in the recent cybersecurity-related cases have been, from the plaintiffs’ perspective, not particularly promising. On July 7, 2016, in the latest of these cases to hit the skids, District of Minnesota Judge Paul Magnuson, in reliance on the report of the special litigation committee appointed to investigate the claims and in the absence of opposition from the plaintiff, granted the motions of the special litigation committee and of the defendants and dismissed the consolidated cybersecurity-related derivative litigation that had been filed against Target Corporation’s board. As discussed below, the plaintiffs’ track record in this type of litigation has been poor, which does raise the question whether this type of litigation will become a significant phenomenon. A copy of Judge Magnuson’s order in the Target Corp. case can be found 
