cybersecurity

Subscribe to cybersecurity via RSS

The filing of data breach and other cybersecurity incident-related shareholder derivative lawsuits against corporate boards is nothing new; plaintiffs’ lawyers have been filing these kinds of claims now for several years. However, in recent months, the plaintiffs’ lawyers have shown an increasing inclination to file these claims based on allegations of breach of the duty of oversight. The latest example of this type of claim is the shareholder derivative suit filed this week against the board of T-Mobile USA. Although the plaintiff’s complaint does not expressly use the words “breach of the duty of oversight” or refer to “Caremark duties,” the complaint does refer to the board’s alleged “failure to monitor” and to the board’s alleged failure “to heed red flags” – the very kind of allegations that are at the heart of breach of the duty of oversight claims. A copy of the plaintiff’s complaint in the November 29, 2021 lawsuit can be found here.
Continue Reading Data Breach-Related Derivative Suit Filed Against T-Mobile USA Board

In the latest example of claimants seeking to assert the newly revitalized type of claim for breach of the duty of oversight against corporate boards, plaintiff shareholders have filed a derivative lawsuit in Delaware Chancery Court against certain past and current directors of technology company SolarWinds, based on the massive cybersecurity incident involving the company’s software and systems discovered in December 2020. As discussed below, there are several interesting features of this lawsuit in light of recent developments involving claims for alleged breaches of the duty of oversight. A copy of the heavily redacted publicly available version of the plaintiffs’ complaint against the SolarWinds board can be found here.
Continue Reading Cybersecurity-Related Breach of the Duty of Oversight Claim Filed Against SolarWinds Board

Rachel Soich

As I have noted in prior posts on this site, cybersecurity issues can lead to D&O claims. In the following guest post, Rachel Soich, FCAS, MAAA. Consulting Actuary at Milliman, considers steps that companies can take to avoid cyber-related D&O costs. A prior version of this article previously was published in Milliman Insight. I would like to thank Rachel for allowing me to publish her article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Rachel’s article.
Continue Reading Guest Post: Three Ways to Avoid Cyber-Related D&O Costs

In an interesting development, the U.S. District Court Judge overseeing the cybersecurity-related securities class action lawsuit pending against title insurance company First American Financial Corp. has granted the defendants’ motion to dismiss. The dismissal in the case is interesting because the company had in June 2021 agreed with the SEC to enter a cease-and-desist order and to pay a modest civil penalty to settle charges related to the same cybersecurity incident. The dismissal is also interesting because it shows how plaintiffs’ lawyers have struggled to get traction with cybersecurity-related securities suits. A copy of the Court’s September 22, 2021 order granting the motion to dismiss in the First American securities suit can be found here.
Continue Reading Cybersecurity-Related Securities Suit Dismissed

When companies are hit with cybersecurity incidents, class action privacy litigation often follows. However, claimants in these kinds of cases face a threshold challenge of showing they have suffered a sufficient “injury in fact” to establish that they have standing to assert their claims. The following guest post, written by Paul Ferrillo, Kristine Argentine, Emily Dorner, and Alexandra Drury of the Seyfarth Shaw law firm, provides a survey of the current state of play for the standing requirements in this type of litigation. I would like to thank the authors for allowing me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is the authors’ article. 
Continue Reading Guest Post: First There was Litigation; And Then There Was Standing

In the agency’s latest move underscoring its emphasis on cybersecurity disclosure, the SEC has filed settled charges against the U.K. educational publishing and services company Pearson plc, alleging that the company misled investors about a 2018 data breach. The company, which neither admitted nor denied the charges, agreed to pay a $1 million civil money penalty. The administrative enforcement action, while not the first of its type, does highlight the agency’s heightened focus on cybersecurity disclosure issues. The agency’s August 16, 2021 cease and desist order can be found here. The agency’s August 16, 2021 press release about the order can be found here. Pearson’s statement about the proceeding can be found here.
Continue Reading SEC Charges Company Over Misleading Cybersecurity-Related Disclosures

John Cheffers

In the following guest post, John Cheffers analyzes the data relating to cybersecurity incidents at companies listed on Nasdaq and New York Stock Exchange. John is Associate Counsel and Director of Research at Watchdog Research. I would like to thank John for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: Cybersecurity Incident and Litigation Review 2021

After the news emerged last week that Chinese cybersecurity regulators had cracked down on the ride-sharing firm DiDi Global shortly after the company completed its U.S. IPO, the company was hit with a U.S. securities class action lawsuit. However, DiDi was not the only Chinese company that recently completed a U.S. IPO that was targeted by the Chinese regulator. Two other Chinese companies that completed U.S. IPOs in June – Full Truck Alliance Co. Ltd. and Kanshun Limited – were both also notified that their companies were under review by the cybersecurity regulator. And now both of these companies have also been hit with U.S. securities class action lawsuits, as discussed below.
Continue Reading Two More Chinese Companies Hit with U.S. Securities Suits Following Post-IPO Crackdown by Chinese Regulator

On July 6, 2021, after the Wall Street Journal reported that prior to DiDi’s June 30, 2021 U.S. IPO,  government authorities had urged the Chinese ride-hailing firm to postpone the offering, but that the company, under pressure from investors, had gone ahead with the IPO anyway, it seemed that it would only be a matter of time before DiDi would be hit with a U.S. securities lawsuit. Indeed, as it turned out, the same day the Journal article appeared, an investor filed a U.S. securities class action lawsuit against the company. As discussed below, the lawsuit is based on cybersecurity and privacy concerns relating to the company’s ride-hailing app. A copy of the investor’s July 6, 2021 complaint can be found here.
Continue Reading Chinese Ride-Hailing Firm DiDi Hit With Securities Suit Related to Its Recent IPO

In a very interesting June 16, 2021 opinion, the Ninth Circuit has reversed in part the district court’s dismissal of the privacy and cybersecurity-related securities class action lawsuit filed against Google- parent Alphabet, Inc, relating the company’s discovery of and decision not to disclose a software vulnerability that exposed user data of nearly half a million users of the Google+ social media site. The appellate court’s decision, a copy of which can be found here, could represent a significant development in the evolution of cybersecurity and privacy-related securities litigation.
Continue Reading Ninth Circuit in Part Reverses Dismissal of the Google+ User Data Securities Lawsuit