Shortly after Marriott International’s November 2018 announcement that it had uncovered a data breach in the guest registration system of Starwood (which Marriott had acquired two years earlier), the company was hit with a raft of litigation, including both securities class action lawsuits and shareholder derivative lawsuits. In twin June 11, 2021 opinions, the federal district judge presiding over the various Marriott data breach-related lawsuits granted the defendants’ motions to dismiss both the consolidated securities suits and the consolidated derivative suits. The lengthy and detailed opinions make for interesting reading and underscore the challenge plaintiffs face in trying to turn a cybersecurity incident into a D&O claim. The opinion in the securities suit can be found here and the opinion in the derivative suit can be found here.
Continue Reading Marriott Data Breach-Related Securities and Derivative Suits Both Dismissed
LabCorp Board Hit with Derivative Suit Over Third-Party Service Provider’s Data Breach
With coronavirus-related developments consuming all of the attention these days, it might be easy to forget other unrelated claims trends are continuing to develop and unfold. One important pre-pandemic trend that has continued to develop is the rise of D&O claims arising out of cybersecurity incidents. In the latest sign that this claims trend remains important, a plaintiff shareholder has filed a derivative lawsuit against certain directors and officers of Laboratory Corporation of America, in connection with two cybersecurity incidents involving the company. As detailed below, the first of these two incidents involved a data breach that took place at one of LabCorp’s third-party service providers. A copy of the complaint, filed in Delaware Chancery Court on April 28, 2020, can be found here.
Continue Reading LabCorp Board Hit with Derivative Suit Over Third-Party Service Provider’s Data Breach
The Top Ten D&O Stories of 2019
The liability environment for directors and officers is always in a state of change, but 2019 was a particularly eventful year in the D&O liability arena, with important consequences for the D&O insurance marketplace. The past year’s many developments have significant implications for what may lie ahead in 2020 – and possibly for years to come, as well. I have set out below the Top Ten D&O Stories of 2019, with a focus on the future implications.
Continue Reading The Top Ten D&O Stories of 2019
Zendesk Hit with Data Breach-Related Securities Suit
In the latest example of a securities class action lawsuit arising out of data breach or other cybersecurity incident, on October 24, 2019, a plaintiff shareholder filed a securities class action lawsuit against California-based software company Zendesk. The lawsuit follows after the company announced disappointing second quarter financial results in July and then announced in early October that customer account information had been accessed. The lawsuit is most recent in a series of lawsuits in which companies experiencing cybersecurity incidents get hit with securities lawsuits.
Continue Reading Zendesk Hit with Data Breach-Related Securities Suit
Data Breach-Related Securities Suit Filed Against Capital One
In the latest securities class action lawsuit to be filed against a company that has experienced a data breach or other cybersecurity incident, a plaintiff shareholder has filed a securities suit against Capital One in connection with the company’s recent massive data breach. While there have been a number of data breach-related securities suits before, there are some unique features of the Capital One situation that make it distinctive and interesting, as discussed below. The plaintiff shareholder’s October 2, 2019 complaint can be found here.
Continue Reading Data Breach-Related Securities Suit Filed Against Capital One
Guest Post: Some Good News for the Cybersecurity Class Action Bar
As discussed in the following guest post from John Reed Stark, a recent development in the class action litigation arising out of the massive Marriott International data breach could have significant ramifications for other claimants asserting class action claims — including securities class action claims — based on data breaches or other cybersecurity incidents. Stark is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. A version of this article originally appeared on Securities Docket. I would like to thank John for allowing me to publish his guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: Some Good News for the Cybersecurity Class Action Bar
Yahoo Data Breach-Related Derivative Suit Settled for $29 Million
In recent years, plaintiffs’ lawyers have filed a number of management liability lawsuits against the executives of companies that have experienced high-profile data breaches. These lawsuits have either been filed as shareholder derivative lawsuits or securities class action lawsuits. By and large, the cases filed as shareholder derivative lawsuits have been unsuccessful. However, in a development that represents a milestone in several different respects, the parties to the Yahoo data breach-related derivative lawsuit have agreed to settle the case for $29 million. As discussed below, this settlement may have important implications for future data breach-related derivative litigation. The Court’s January 4, 2019 order approving the settlement can be found here (see calendar Line 5 in the order).
Continue Reading Yahoo Data Breach-Related Derivative Suit Settled for $29 Million
Dismissal Motion Granted in PayPal Data Breach-Related Securities Suit
As I have noted in several recent posts, plaintiffs’ lawyers seem to have a renewed interest in trying to pursue securities class action lawsuits against companies that have experienced a data breach. Just to cite one recent example, as discussed here, within a day of Marriott’s recent high-profile announcement of a data breach involving its Starwood unit’s customer database, plaintiffs’ lawyers filed a securities class action lawsuit against the company. While plaintiffs’ lawyers may be drawn to these data breach cases, the cases may or may not prove to be successful for them. For example, in a recent ruling in the data breach-related securities class action lawsuit filed against PayPal late last year, the court granted the defendants’ motion to dismiss. The ruling highlights many of the problems plaintiffs’ lawyers will have in trying to pursue these kinds of cases. Northern District of California Judge Edward Chen’s December 13, 2018 ruling in the case can be found here.
Continue Reading Dismissal Motion Granted in PayPal Data Breach-Related Securities Suit
Chinese Hotel Company Hit With Data Breach-Related Securities Suit
For some time now, some observers had been predicting that we would be seeing a bunch of data breach-related securities class action lawsuits, but the predicted wave never seemed to materialize. However, with a recent uptick in these kinds of cases, that could be changing. On October 8, 2018, in the latest of these kinds of lawsuits to be filed, a plaintiff shareholder filed a securities class action lawsuit against China-based Huazhu Group. As discussed below, there are a number of interesting features of this latest data breach-related securities suit.
Continue Reading Chinese Hotel Company Hit With Data Breach-Related Securities Suit
Wendy’s Settles Data Breach-Related Derivative Lawsuit
More recent data breach-related D&O lawsuits have been filed in the form of securities class actions, one of which, the Yahoo securities class action lawsuit, recently resulted in a sizable settlement. Before that though, during the period 2014 to 2016, there was a series of data breach related suits filed in the form of shareholder derivative actions. By and large, these cases did not fare particularly well, largely resulting in dismissals. The last of these data breach-related derivative lawsuits that remained pending is the one filed against fast-food company Wendy’s. Now the Wendy’s case has also settled, albeit for a combination of cybersecurity and governance therapeutics and agreement to pay the plaintiffs’ attorneys fees. The resolution of this last remaining shareholder derivative suit again raises a question that has been much discussed, of the extent to which data breach-related issues will lead to more D&O litigation.
Continue Reading Wendy’s Settles Data Breach-Related Derivative Lawsuit