
In an action the SEC’s two Republican Commissioners sharply criticized in a separately issued statement, the SEC has filed settled charges against business communications services provider R.R. Donnelley & Sons (RRD) relating to the company’s disclosure and accounting controls in connection with cybersecurity incidents the company suffered in late 2021. The company, which the SEC credited for its cooperation and remedial measures, agreed to pay a $2.125 million civil penalty and voluntarily adopted corrective processes and procedures. The settled action provides strong indications of the measures and controls the agency expects reporting companies to adopt and implement with respect to cybersecurity.
During 2017 and 2018, plaintiffs’ lawyers filed a number of securities class action lawsuits against companies that had experienced data breaches. Among the highest profile of these cases was the securities lawsuit filed in 2017 against the credit rating firm, Equifax, which in September 2017 announced that hackers had breached its consumer database and accessed millions of records containing personally identifiable information. On January 28, 2019, in a ruling that will be closely analyzed in connection with the several other recently filed data breach-related securities lawsuits, Northern District of Georgia Judge Thomas W. Thrash, Jr. entered an order granting in part and denying in part the defendants’ motion to dismiss. A copy of the January 28 order can be found
In recent years, plaintiffs’ lawyers have filed a number of management liability lawsuits against the executives of companies that have experienced high-profile data breaches. These lawsuits have either been filed as shareholder derivative lawsuits or securities class action lawsuits. By and large, the cases filed as shareholder derivative lawsuits have been unsuccessful. However, in a development that represents a milestone in several different respects, the parties to the Yahoo data breach-related derivative lawsuit have agreed to settle the case for $29 million. As discussed below, this settlement may have important implications for future data breach-related derivative litigation. The Court’s January 4, 2019 order approving the settlement can be found
As I have noted in several recent posts, plaintiffs’ lawyers seem to have a renewed interest in trying to pursue securities class action lawsuits against companies that have experienced a data breach. Just to cite one recent example, as discussed
In February 2018, the SEC 
In a development in an enforcement action that is the first of its kind, the SEC has levied a $35 million penalty against Altaba, Inc. as successor in interest to Yahoo, for Yahoo’s two-year delay in reporting the massive data breach the company experienced in December 2014. Altaba, which neither admitted nor denied any wrongdoing, agreed to pay the penalty as part of the settled resolution of SEC cease-and-desist proceedings. The penalty follows the SEC’s recent release of cybersecurity disclosure guidance for reporting companies and clearly indicates that the agency is increasingly focused on companies’ cybersecurity disclosure practices. The SEC’s April 24, 2018 press release about the penalty can be found
Ever since the SEC released its 