SEC Files Settled Charges Based on Alleged Cybersecurity-Related Control Deficiencies
In an action the SEC’s two Republican Commissioners sharply criticized in a separately issued statement, the SEC has filed settled charges against business communications services provider R.R. Donnelley & Sons (RRD) relating to the company’s disclosure and accounting controls in connection with cybersecurity incidents the company suffered in late 2021. The company, which the SEC credited for its cooperation and remedial measures, agreed to pay a $2.125 million civil penalty and voluntarily adopted corrective processes and procedures. The settled action provides strong indications of the measures and controls the agency expects reporting companies to adopt and implement with respect to cybersecurity.
Guest Post: Beat the Clock: 5 Important Steps to Deal with Today’s Complicated Cyber Breach Disclosure World
Cybersecurity threats are on the rise. Companies that find themselves hit with data breaches face a number of challenges, including in particular the challenge of responding to strict breach disclosure and notification requirements. In the following guest post, Paul A. Ferrillo, a shareholder in the Greenberg Traurig law firm’s Cybersecurity, Privacy, and Crisis Management Practice, takes a look at the steps companies can take before they are breached to be better positioned to respond to the notification requirements in the event of a breach. I would like to thank Paul for allowing me to publish his article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
Equifax Data Breach-Related Securities Suit Dismissal Motion Denied in Part, Granted in Part
During 2017 and 2018, plaintiffs’ lawyers filed a number of securities class action lawsuits against companies that had experienced data breaches. Among the highest profile of these cases was the securities lawsuit filed in 2017 against the credit rating firm Equifax, which in September 2017 announced that hackers had breached its consumer database and accessed millions of records containing personally identifiable information. On January 28, 2019, in a ruling that will be closely analyzed in connection with the several other recently filed data breach-related securities lawsuits, Northern District of Georgia Judge Thomas W. Thrash, Jr. entered an order granting in part and denying in part the defendants’ motion to dismiss. A copy of the January 28 order can be found here.
Yahoo Data Breach-Related Derivative Suit Settled for $29 Million
In recent years, plaintiffs’ lawyers have filed a number of management liability lawsuits against the executives of companies that have experienced high-profile data breaches. These lawsuits have either been filed as shareholder derivative lawsuits or securities class action lawsuits. By and large, the cases filed as shareholder derivative lawsuits have been unsuccessful. However, in a development that represents a milestone in several different respects, the parties to the Yahoo data breach-related derivative lawsuit have agreed to settle the case for $29 million. As discussed below, this settlement may have important implications for future data breach-related derivative litigation. The Court’s January 4, 2019 order approving the settlement can be found here (see calendar Line 5 in the order).
Dismissal Motion Granted in PayPal Data Breach-Related Securities Suit
As I have noted in several recent posts, plaintiffs’ lawyers seem to have a renewed interest in trying to pursue securities class action lawsuits against companies that have experienced a data breach. Just to cite one recent example, as discussed here, within a day of Marriott’s recent high-profile announcement of a data breach involving its Starwood unit’s customer database, plaintiffs’ lawyers filed a securities class action lawsuit against the company. While plaintiffs’ lawyers may be drawn to these data breach cases, the cases may or may not prove to be successful for them. For example, in a recent ruling in the data breach-related securities class action lawsuit filed against PayPal late last year, the court granted the defendants’ motion to dismiss. The ruling highlights many of the problems plaintiffs’ lawyers will have in trying to pursue these kinds of cases. Northern District of California Judge Edward Chen’s December 13, 2018 ruling in the case can be found here.
Cybersecurity Disclosure Practices and Standards
In February 2018, the SEC updated its cybersecurity disclosure guidelines for reporting companies, emphasizing the importance to investors and markets of prompt and robust disclosure relating to cyber issues. Indeed, in April, the agency brought its first enforcement action relating to cybersecurity disclosure issues. In its recent annual report, the agency’s enforcement division emphasized that cybersecurity disclosure is a priority issue. Clearly, public companies’ cybersecurity-related disclosure practices are receiving a great deal of attention and scrutiny.
But what are public companies actually doing in terms of cybersecurity disclosures? A recent study by EY took a look at the actual cybersecurity disclosure practices. Their analysis shows that cybersecurity-related disclosure practices “vary widely,” suggesting there is an “opportunity for enhancement.” The October 22, 2018 report, entitled “Cybersecurity Disclosure Benchmarking,” can be found here.
Guest Post: Ten Questions the SEC Will Probably Be Asking Google
Earlier this week, media reports circulated that this past spring Google had exposed the private data of thousands of the Google+ social network users and then opted not to disclose the issue, in part because of concerns that doing so would draw regulatory scrutiny and cause reputational damage. In the wake of these revelations, one question is whether the SEC will look into these circumstances. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a look at what he regards as a likely SEC investigation and the questions that the SEC likely will be asking. A version of this article originally appeared on Securities Docket. I would like to thank John for allowing me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit an article. Here is John’s post.
First-Ever SEC Data Breach Disclosure Enforcement Penalty Imposed
In a development in an enforcement action that is the first of its kind, the SEC has levied a $35 million penalty against Altaba, Inc. as successor in interest to Yahoo, for Yahoo’s two-year delay in reporting the massive data breach the company experienced in December 2014. Altaba, which neither admitted nor denied any wrongdoing, agreed to pay the penalty as part of the settled resolution of SEC cease-and-desist proceedings. The penalty follows the SEC’s recent release of cybersecurity disclosure guidance for reporting companies and clearly indicates that the agency is increasingly focused on companies’ cybersecurity disclosure practices. The SEC’s April 24, 2018 press release about the penalty can be found here. The SEC’s April 24, 2018 order in the cease-and-desist proceedings can be found here.
Will Yahoo’s Data Breach Reporting Become the Test Case for the SEC’s Cyber Disclosure Guidelines?
Ever since the SEC released its cybersecurity disclosure guidelines in October 2011, commentators (including me) have been speculating whether the agency might try to nab a company whose disclosure practices the agency could use as a sort of test case on the guidelines’ requirements. It now appears, at least based on media reports, that the SEC is investigating Yahoo in what may yet become the long-anticipated test case. According to a front-page January 23, 2017 Wall Street Journal article (here), the SEC has opened an investigation looking into Yahoo, Inc.’s disclosures of two massive data breaches the company reported last year.
Thinking About the Data Breach Securities Class Action Lawsuits Yet to Come
There has been extensive litigation filed in the wake of the many high-profile data breaches over the last several years, but by and large the lawsuits have been filed on behalf of consumers or employees. Along the way, there have also been lawsuits filed against the directors and officers of the companies that experienced the…