In numerous prior posts I have examined efforts by plaintiffs’ attorneys to try to impose civil liability on corporate executives in D&O claims following cyber security incidents. Two recent cases show that, in addition to potential civil litigation liability exposure, corporate executives may also face potential regulatory liability and even criminal liability exposure for cyber security incidents at their company. The two recent cases are discussed in an October 27, 2022 memo from the White and Case law firm, here.
Continue Reading Corporate Executives Face Personal Liability Exposure for Cyber Incidents

In prior posts on this site (for example here), I have expressed my concern that the current hot topic of ESG has a fundamental underlying flaw in that the term lacks definition and that this lack of precision has led to a great deal of sloppy thinking. A recent post on the Harvard Law School Forum on Corporate Governance provides a good examination of these ESG-related concerns. In an October 14, 2022 post (here), Douglas Chia of Soundboard Governance LLC, shows, using cybersecurity as an example, that one of the “biggest flaws” of ESG is “the subjective open-endedness of what counts as E, S, or G.”
Continue Reading ESG’s “Biggest Risk”?

The payment technology firm Block, Inc. (formerly known as Square) has been hit with a securities class action lawsuit related to the company’s announcement earlier this year that a former employee had improperly accessed and downloaded company customer data. The new lawsuit is the latest example of the ways in which data security incidents can translate into D&O claims. The complaint, filed on October 11, 2022, can be found here.
Continue Reading Payments Company Hit With Data Breach-Related Securities Suit

Readers of this blog know that in recent years, plaintiffs’ lawyers have filed a number of D&O lawsuits against companies that experience cybersecurity-related incidents. Overall, the plaintiffs’ track record on these cases is at best mixed, and a number of high-profile cases have been dismissed. In the latest example of the dismissal of a cybersecurity-related securities suit, the court in the Capital One Financial Corporation data breach-related securities class action lawsuit has granted the defendants’ motion to dismiss. The September 13, 2022 dismissal order in the case can be found here.
Continue Reading Capital One Data Breach-Related Securities Suit Dismissed

In the midst of its battles with Elon Musk over Musk’s attempt to walk away from his proposed takeover of the company, Twitter was rocked by the news that a whistleblower had sent Congress and federal agencies explosive reports of “major security problems” at the company. According to the news reports, the whistleblower’s disclosure not only detailed privacy and cybersecurity vulnerabilities at Twitter, but also included allegations that company management had misled its own corporate board and government regulators about the vulnerabilities. Among other things, these revelations triggered a Congressional inquiry. And now, a plaintiff shareholder has launched a securities class action lawsuit against the company and several of its executives, based on the whistleblower’s allegations. As discussed below, the complaint has several interesting features.
Continue Reading Twitter Hit with Cybersecurity-Related Securities Suit Over Whistleblower Allegations

Regular readers of this site know that one of the continuing D&O litigation trends over the last several years has been the incidence of securities class action lawsuits and other litigation arising out of cybersecurity incidents at the defendant company. While in many instances these suits have not fared particularly well, plaintiffs’ lawyers have nevertheless continued to file the suits. In the latest suit filing of this type, on May 20, 2022, a plaintiff shareholder filed a securities suit against the cybersecurity firm Octa, Inc., relating to the decline in the company’s share price following revelations of a data breach at the firm. Although in many ways this latest suit is similar to previously filed cybersecurity-related securities suits, there are certain distinct aspect of the suit that make it noteworthy, as discussed below.  A copy of the May 20, 2022 complaint in the new lawsuit can be found here.
Continue Reading Cybersecurity Firm Hit with Data Breach-Related Securities Suit

One of the reasons there have not been as many cybersecurity-related securities lawsuits as some commentators (including me) expected is that the plaintiffs’ track record in the cases that have been filed has been decidedly mixed. To be sure, there have been some very noteworthy successes for the plaintiffs, including the Equifax cybersecurity-related securities suit, which settled for $149 million. But though there have been some noteworthy successes, many of the other cybersecurity related securities suits have ended in dismissal.

Among the more significant recent cybersecurity-related securities suit dismissals was the ruling  in the securities lawsuit relating to the massive Marriott data breach. Now, on appeal, the Fourth Circuit has affirmed the district court’s dismissal in the Marriott case, the latest in a series of high-profile setbacks plaintiffs have experienced in cybersecurity-related securities suits. A copy of the Fourth Circuit’s April 21, 2022 opinion can be found here.
Continue Reading Fourth Circuit Affirms Dismissal of Marriott Data Breach-Related Securities Suit

As I have noted in prior posts on this site (most recently here), plaintiffs’ lawyers’ claims in cybersecurity-related D&O lawsuits recently have fared poorly. A number of these suits recently have failed to clear the initial pleading hurdles. However, in a ruling last week, the federal judge presiding over the SolarWinds cybersecurity-related securities suits substantially denied the defendants’ motions to dismiss in an opinion that has a number of interesting features, as discussed below. Western District of Texas Judge Robert Pitman’s March 30, 2022 opinion in the case can be found here.
Continue Reading Dismissal Motion Largely Denied in the SolarWinds Cybersecurity-Related Securities Suit

On March 9, 2022, the SEC finally released its long-anticipated updated cybersecurity disclosure requirements. The proposed rules, inclusive of specifications both for incident reporting and for risk management and governance disclosure, were adopted by a 3-1 vote and are now subject to a public reporting period. The new rules, which the Commission’s press release says are “designed to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents,” underscore the Commission’s emphasis on cybersecurity reporting and disclosure issues.

The SEC’s March 9, 2022 press release about the proposed new rules can be found here. The Commission’s two-page “fact sheet” about the new rules can be found here. The Commission’s 129-page proposing release can be found here. Cydney Posner’s March 9, 2022 post on the Cooley law firm’s PubCo blog about the proposed rules can be found here.
Continue Reading SEC Proposes New Rules for Cybersecurity Disclosure and Incident Reporting Rules