As I have noted in prior posts on this site, cybersecurity issues can lead to D&O claims. In the following guest post, Rachel Soich, FCAS, MAAA. Consulting Actuary at Milliman, considers steps that companies can take to avoid cyber-related D&O costs. A prior version of this article previously was published in Milliman Insight. I would like to thank Rachel for allowing me to publish her article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Rachel’s article.
Continue Reading Guest Post: Three Ways to Avoid Cyber-Related D&O Costs
In an interesting development, the U.S. District Court Judge overseeing the cybersecurity-related securities class action lawsuit pending against title insurance company First American Financial Corp. has granted the defendants’ motion to dismiss. The dismissal in the case is interesting because the company had in June 2021 agreed with the SEC to enter a cease-and-desist order and to pay a modest civil penalty to settle charges related to the same cybersecurity incident. The dismissal is also interesting because it shows how plaintiffs’ lawyers have struggled to get traction with cybersecurity-related securities suits. A copy of the Court’s September 22, 2021 order granting the motion to dismiss in the First American securities suit can be found 
When companies are hit with cybersecurity incidents, class action privacy litigation often follows. However, claimants in these kinds of cases face a threshold challenge of showing they have suffered a sufficient “injury in fact” to establish that they have standing to assert their claims. The following guest post, written by Paul Ferrillo, Kristine Argentine, Emily Dorner, and Alexandra Drury of the Seyfarth Shaw law firm, provides a survey of the current state of play for the standing requirements in this type of litigation. I would like to thank the authors for allowing me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is the authors’ article. 
In the agency’s latest move underscoring its emphasis on cybersecurity disclosure, the SEC has filed settled charges against the U.K. educational publishing and services company Pearson plc, alleging that the company misled investors about a 2018 data breach. The company, which neither admitted nor denied the charges, agreed to pay a $1 million civil money penalty. The administrative enforcement action, while not the first of its type, does highlight the agency’s heightened focus on cybersecurity disclosure issues. The agency’s August 16, 2021 cease and desist order can be found 
After 
On July 6, 2021, after the Wall Street Journal reported that prior to DiDi’s June 30, 2021 U.S. IPO, government authorities had urged the Chinese ride-hailing firm to postpone the offering, but that the company, under pressure from investors, had gone ahead with the IPO anyway, it seemed that it would only be a matter of time before DiDi would be hit with a U.S. securities lawsuit. Indeed, as it turned out, the same day the Journal article appeared, an investor filed a U.S. securities class action lawsuit against the company. As discussed below, the lawsuit is based on cybersecurity and privacy concerns relating to the company’s ride-hailing app. A copy of the investor’s July 6, 2021 complaint can be found 
In a very interesting June 16, 2021 opinion, the Ninth Circuit has reversed in part the district court’s dismissal of the privacy and cybersecurity-related securities class action lawsuit filed against Google- parent Alphabet, Inc, relating the company’s discovery of and decision not to disclose a software vulnerability that exposed user data of nearly half a million users of the Google+ social media site. The appellate court’s decision, a copy of which can be found 
Shortly after Marriott International’s November 2018 announcement that it had uncovered a data breach in the guest registration system of Starwood (which Marriott had acquired two years earlier), the company was hit with a raft of litigation, including both securities class action lawsuits and shareholder derivative lawsuits. In twin June 11, 2021 opinions, the federal district judge presiding over the various Marriott data breach-related lawsuits granted the defendants’ motions to dismiss both the consolidated securities suits and the consolidated derivative suits. The lengthy and detailed opinions make for interesting reading and underscore the challenge plaintiffs face in trying to turn a cybersecurity incident into a D&O claim. The opinion in the securities suit can be found 
The business pages have been full in recent months with tales of cyber extortion and ransomware. In an effort to try to explain these developments, some commentators have suggested that the availability of ransomware coverage under cyber insurance is a cause of the problem. In the following guest post, Paul Ferrillo takes on the question of the role of cyber insurance availability in the proliferation of ransomware incidents. Paul is a partner in the securities litigation group at the Seyfarth Shaw law firm. I would like to thank Paul for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.