data breach litigation

The liability environment for directors and officers is always in a state of change, but 2019 was a particularly eventful year in the D&O liability arena, with important consequences for the D&O insurance marketplace. The past year’s many developments have significant implications for what may lie ahead in 2020 – and possibly for years to come, as well.  I have set out below the Top Ten D&O Stories of 2019, with a focus on the future implications.
Continue Reading

In the latest example of a securities class action lawsuit arising out of data breach or other cybersecurity incident, on October 24, 2019, a plaintiff shareholder filed a securities class action lawsuit against California-based software company Zendesk. The lawsuit follows after the company announced disappointing second quarter financial results in July and then announced in early October that customer account information had been accessed. The lawsuit is most recent in a series of lawsuits in which companies experiencing cybersecurity incidents get hit with securities lawsuits.
Continue Reading

In the latest securities class action lawsuit to be filed against a company that has experienced a data breach or other cybersecurity incident, a plaintiff shareholder has filed a securities suit against Capital One in connection with the company’s recent massive data breach. While there have been a number of data breach-related securities suits before, there are some unique features of the Capital One situation that make it distinctive and interesting, as discussed below. The plaintiff shareholder’s October 2, 2019 complaint can be found here.
Continue Reading

John Reed Stark

As discussed in the following guest post from John Reed Stark, a recent development in the class action litigation arising out of the massive Marriott International data breach could have significant ramifications for other claimants asserting class action claims — including securities class action claims — based on data breaches or other cybersecurity incidents. Stark is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. A version of this article originally appeared on Securities Docket. I would like to thank John for allowing me to publish his guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading

In recent years, plaintiffs’ lawyers have filed a number of management liability lawsuits against the executives of companies that have experienced high-profile data breaches. These lawsuits have either been filed as shareholder derivative lawsuits or securities class action lawsuits. By and large, the cases filed as shareholder derivative lawsuits have been unsuccessful. However, in a development that represents a milestone in several different respects, the parties to the Yahoo data breach-related derivative lawsuit have agreed to settle the case for $29 million. As discussed below, this settlement may have important implications for future data breach-related derivative litigation. The Court’s January 4, 2019 order approving the settlement can be found here (see calendar Line 5 in the order).
Continue Reading

As I have noted in several recent posts, plaintiffs’ lawyers seem to have a renewed interest in trying to pursue securities class action lawsuits against companies that have experienced a data breach. Just to cite one recent example, as discussed here, within a day of Marriott’s recent high-profile announcement of a data breach involving its Starwood unit’s customer database, plaintiffs’ lawyers filed a securities class action lawsuit against the company. While plaintiffs’ lawyers may be drawn to these data breach cases, the cases may or may not prove to be successful for them. For example, in a recent ruling in the data breach-related securities class action lawsuit filed against PayPal late last year, the court granted the defendants’ motion to dismiss. The ruling highlights many of the problems plaintiffs’ lawyers will have in trying to pursue these kinds of cases. Northern District of California Judge Edward Chen’s December 13, 2018 ruling in the case can be found here.
Continue Reading

For some time now, some observers had been predicting that we would be seeing a bunch of data breach-related securities class action lawsuits, but the predicted wave never seemed to materialize. However, with a recent uptick in these kinds of cases, that could be changing. On October 8, 2018, in the latest of these kinds of lawsuits to be filed, a plaintiff shareholder filed a securities class action lawsuit against China-based Huazhu Group. As discussed below, there are a number of interesting features of this latest data breach-related securities suit.
Continue Reading

More recent data breach-related D&O lawsuits have been filed in the form of securities class actions, one of which, the Yahoo securities class action lawsuit, recently resulted in a sizable settlement. Before that though, during the period 2014 to 2016, there was a series of data breach related suits filed in the form of shareholder derivative actions. By and large, these cases did not fare particularly well, largely resulting in dismissals. The last of these data breach-related derivative lawsuits that remained pending is the one filed against fast-food company Wendy’s. Now the Wendy’s case has also settled, albeit for a combination of cybersecurity and governance therapeutics and agreement to pay the plaintiffs’ attorneys fees. The resolution of this last remaining shareholder derivative suit again raises a question that has been much discussed, of the extent to which data breach-related issues will lead to more D&O litigation.
Continue Reading

Andrew G. Lipton
Laura Schmidt

Although a number of high-profile data breaches have led to D&O claims, so far the plaintiffs’ track record in these kinds of cases has been poor. However, as a result of a number of recent developments, there may be good reason for corporate directors and officers to be concerned about these kinds of claims going forward, as discussed in the following guest post by Andrew G. Lipton and Laura Schmidt, both associates at the White & Williams law firm. I would like to thank Andrew and Laura for submitting their article for publication as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Andrew and Laura’s guest post.  
Continue Reading

In the latest decision in which class action consumer data breach claimants have been successful in establishing the requisite standing to pursue their claims, on August 1, 2017, the D.C. Circuit held that the claimants’ risk of future harm is sufficient to meet Article III standing requirements. This decision is the latest in a growing number of federal circuit decisions finding that data breach claimants have satisfied standing requirements, but it also deepens a circuit split that could mean eventual U.S. Supreme Court review of the issue. The D.C. Circuit’s August 1 opinion in the Attias v. Care First case can be found here.  
Continue Reading