Paul Ferrillo

As regular readers of this blog know, one of the many consequences that may follow for a company that experiences a cybersecurity incident is that it could get hit with a D&O claim. In the following guest post, Paul Ferrillo examines whether the increasing move toward cybersecurity-related D&O claims could in turn lead to an increase in prior Delaware Section 220 books and records inspection demands. Paul is a shareholder in the Greenberg Traurig law firm’s Cybersecurity, Privacy, and Crisis Management Practice. I would like to thank Paul for allowing me to publish his guest post as an article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
Continue Reading Guest Post: Board Cyber Oversight Duties and Delaware Section 220 Demands

Many of you probably saw the news this past week that Target has filed a lawsuit against one of its insurers over losses the company sustained in connection with the company’s 2014 data breach. The Target lawsuit is the latest in a series of high profile insurance battles in which companies are seeking to recoup losses resulting from cybersecurity incidents. However, as my friend, colleague, and Cyber insurance maven Mickey Estey pointed out to me, in its lawsuit Target is in fact not seeking to recover its claimed losses under a cyber insurance policy; rather, in its latest lawsuit, Target is seeking to recover for certain of its losses under its general liability policy. The Target lawsuit is only the latest in a series of high-profile insurance disputes in which companies that have sustained losses from a cybersecurity event are seeking coverage under a variety of different types of policies.
Continue Reading Seeking Insurance for Cybersecurity-Related Losses

In the latest example of a securities class action lawsuit arising out of a data breach or other cybersecurity incident, on October 24, 2019, a plaintiff shareholder filed a securities class action lawsuit against California-based software company Zendesk. The lawsuit follows after the company announced disappointing second quarter financial results in July and then announced in early October that customer account information had been accessed. The lawsuit is the most recent in a series of lawsuits in which companies experiencing cybersecurity incidents get hit with securities lawsuits.
Continue Reading Zendesk Hit with Data Breach-Related Securities Suit

In the latest securities class action lawsuit to be filed against a company that has experienced a data breach or other cybersecurity incident, a plaintiff shareholder has filed a securities suit against Capital One in connection with the company’s recent massive data breach. While there have been a number of data breach-related securities suits before, there are some unique features of the Capital One situation that make it distinctive and interesting, as discussed below. The plaintiff shareholder’s October 2, 2019 complaint can be found here.
Continue Reading Data Breach-Related Securities Suit Filed Against Capital One

Paul Ferrillo
Chris Veltsos

As this blog’s readers know, there have been a number of management liability claims that have been raised against companies that have experienced cybersecurity incidents. In the following guest post by Paul Ferrillo and Chris Veltsos, the authors argue that cyber risk is in fact D&O risk and that the risk is growing. The authors also suggest a 10-step plan to grapple with the risk. Paul is a shareholder in the Greenberg Traurig law firm’s Cybersecurity, Privacy, and Crisis Management Practice. Chris is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. My thanks to Paul and Chris for allowing me to publish this article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul and Chris’s article.
Continue Reading Guest Post: Time to Face the Music – Cyber Risk is D&O Risk – And Things Are Getting Worse!

John Reed Stark

The Capital One data hack has attracted a great deal of attention, not least because of the size and extent of the breach, but also because the hacker apparently managed to steal data from The Cloud. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a closer look at this aspect of the Capital One data breach and asks whether Amazon, the cloud service provider, can be held liable for the hack. Stark takes a close look at the technology involved and analyzes the potential liability issues between Capital One, on the one hand, and Amazon, on the other. A version of this article originally appeared on Securities Docket. My thanks to John for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: Is Amazon Liable for the Capital One Hack?

In addition to all of the other risks, liabilities and exposures arising from cybersecurity concerns, you can now add the possibility of a whistleblower action for cybersecurity fraud. According to a July 31, 2019 press release from counsel for the whistleblower involved (here), Cisco Systems has agreed to an $8.6 million settlement in what the press release claims is the “first cybersecurity whistleblower case ever successfully litigated under the False Claims Act.” Cisco has agreed to pay the amount to settle allegations that the company knowingly sold vulnerable and defective video surveillance software to federal, state, and local government agencies, exposing the systems to unauthorized access. As discussed below, this development even further expands the range of concerns companies must take into account when assessing their cybersecurity exposures. An August 12, 2019 memo from the Jones Day law firm about the settlement and its implications can be found here.
Continue Reading Cybersecurity Whistleblower Claim under the False Claims Act Settled

John Reed Stark

The news of the recent massive data breach at Capital One made the front pages of the business sections of newspapers across the country. The hack has drawn attention not just because of the magnitude of the hack, but also because the hackers apparently managed to steal data from The Cloud. The Capital One data breach represents a “wake-up call” for boards of directors, according to the following guest post from John Reed Stark. John is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. A version of this article originally appeared on Securities Docket. My thanks to John for allowing me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: What the Capital One Hack Means for Board of Directors

Under the Delaware Chancery Court decision in the Caremark case, directors can be liable for failures in their oversight duties – that is, their duties to monitor the company and its functions. Lawsuits alleging a violation of the duty of oversight are notoriously challenging for plaintiffs. However, in the recent Marchand v. Barnhill case, the Delaware Supreme Court reversed the Chancery Court’s dismissal of a Caremark liability case and allowed the case to proceed against the board of an ice cream manufacturer that experienced a deadly listeria outbreak. Caremark liability cases remain difficult to plead and prove, but the Marchand decision nevertheless has important implications for director liability for breaches of their duty of oversight.
Continue Reading Recent Delaware Caremark Duty Decision Underscores Board Cyber and Privacy Liability Risks

Paul Ferrillo
Christophe Veltsos

In the following guest post, Paul Ferrillo and Christophe Veltsos consider the implications of the recently announced bankruptcy of the corporate parent of a medical billing company following a high-profile data breach at the billing company. Paul is a shareholder in the Greenberg Traurig law firm’s Cybersecurity, Privacy, and Crisis Management Practice. Chris is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. I would like to thank Paul and Chris for their willingness to allow me to publish their article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul and Chris’s article.
Continue Reading Guest Post: Buckle up Directors: Cybersecurity Risk and Bankruptcy Risk Are Not Mutually Exclusive