The filing of data breach and other cybersecurity incident-related shareholder derivative lawsuits against corporate boards is nothing new; plaintiffs’ lawyers have been filing these kinds of claims now for several years. However, in recent months, the plaintiffs’ lawyers have shown an increasing inclination to file these claims based on allegations of breach of the duty of oversight. The latest example of this type of claim is the shareholder derivative suit filed this week against the board of T-Mobile USA. Although the plaintiff’s complaint does not expressly use the words “breach of the duty of oversight” or refer to “Caremark duties,” the complaint does refer to the board’s alleged “failure to monitor” and to the board’s alleged failure “to heed red flags” – the very kind of allegations that are at the heart of breach of the duty of oversight claims. A copy of the plaintiff’s complaint in the November 29, 2021 lawsuit can be found here.
data breach litigation
Marriott Data Breach-Related Securities and Derivative Suits Both Dismissed
Shortly after Marriott International’s November 2018 announcement that it had uncovered a data breach in the guest registration system of Starwood (which Marriott had acquired two years earlier), the company was hit with a raft of litigation, including both securities class action lawsuits and shareholder derivative lawsuits. In twin June 11, 2021 opinions, the federal district judge presiding over the various Marriott data breach-related lawsuits granted the defendants’ motions to dismiss both the consolidated securities suits and the consolidated derivative suits. The lengthy and detailed opinions make for interesting reading and underscore the challenge plaintiffs face in trying to turn a cybersecurity incident into a D&O claim. The opinion in the securities suit can be found here and the opinion in the derivative suit can be found here.
LabCorp Board Hit with Derivative Suit Over Third-Party Service Provider’s Data Breach
With coronavirus-related developments consuming all of the attention these days, it might be easy to forget that other, unrelated claims trends are continuing to develop and unfold. One important pre-pandemic trend that has continued to develop is the rise of D&O claims arising out of cybersecurity incidents. In the latest sign that this claims trend remains important, a plaintiff shareholder has filed a derivative lawsuit against certain directors and officers of Laboratory Corporation of America, in connection with two cybersecurity incidents involving the company. As detailed below, the first of these two incidents involved a data breach that took place at one of LabCorp’s third-party service providers. A copy of the complaint, filed in Delaware Chancery Court on April 28, 2020, can be found here.
The Top Ten D&O Stories of 2019
The liability environment for directors and officers is always in a state of change, but 2019 was a particularly eventful year in the D&O liability arena, with important consequences for the D&O insurance marketplace. The past year’s many developments have significant implications for what may lie ahead in 2020 – and possibly for years to come, as well. I have set out below the Top Ten D&O Stories of 2019, with a focus on the future implications.
Zendesk Hit with Data Breach-Related Securities Suit
In the latest example of a securities class action lawsuit arising out of a data breach or other cybersecurity incident, on October 24, 2019, a plaintiff shareholder filed a securities class action lawsuit against California-based software company Zendesk. The lawsuit follows the company's announcement of disappointing second quarter financial results in July and its announcement in early October that customer account information had been accessed. The lawsuit is the most recent in a series of lawsuits in which companies experiencing cybersecurity incidents get hit with securities lawsuits.
Data Breach-Related Securities Suit Filed Against Capital One
In the latest securities class action lawsuit to be filed against a company that has experienced a data breach or other cybersecurity incident, a plaintiff shareholder has filed a securities suit against Capital One in connection with the company’s recent massive data breach. While there have been a number of data breach-related securities suits before, there are some unique features of the Capital One situation that make it distinctive and interesting, as discussed below. The plaintiff shareholder’s October 2, 2019 complaint can be found here.
Guest Post: Some Good News for the Cybersecurity Class Action Bar

As discussed in the following guest post from John Reed Stark, a recent development in the class action litigation arising out of the massive Marriott International data breach could have significant ramifications for other claimants asserting class action claims — including securities class action claims — based on data breaches or other cybersecurity incidents. Stark is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. A version of this article originally appeared on Securities Docket. I would like to thank John for allowing me to publish his guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Yahoo Data Breach-Related Derivative Suit Settled for $29 Million
In recent years, plaintiffs’ lawyers have filed a number of management liability lawsuits against the executives of companies that have experienced high-profile data breaches. These lawsuits have either been filed as shareholder derivative lawsuits or securities class action lawsuits. By and large, the cases filed as shareholder derivative lawsuits have been unsuccessful. However, in a development that represents a milestone in several different respects, the parties to the Yahoo data breach-related derivative lawsuit have agreed to settle the case for $29 million. As discussed below, this settlement may have important implications for future data breach-related derivative litigation. The Court’s January 4, 2019 order approving the settlement can be found here (see calendar Line 5 in the order).
Dismissal Motion Granted in PayPal Data Breach-Related Securities Suit
As I have noted in several recent posts, plaintiffs’ lawyers seem to have a renewed interest in trying to pursue securities class action lawsuits against companies that have experienced a data breach. Just to cite one recent example, as discussed here, within a day of Marriott’s recent high-profile announcement of a data breach involving its Starwood unit’s customer database, plaintiffs’ lawyers filed a securities class action lawsuit against the company. While plaintiffs’ lawyers may be drawn to these data breach cases, the cases may or may not prove to be successful for them. For example, in a recent ruling in the data breach-related securities class action lawsuit filed against PayPal late last year, the court granted the defendants’ motion to dismiss. The ruling highlights many of the problems plaintiffs’ lawyers will have in trying to pursue these kinds of cases. Northern District of California Judge Edward Chen’s December 13, 2018 ruling in the case can be found here.
Chinese Hotel Company Hit With Data Breach-Related Securities Suit
For some time now, some observers had been predicting that we would be seeing a bunch of data breach-related securities class action lawsuits, but the predicted wave never seemed to materialize. However, with a recent uptick in these kinds of cases, that could be changing. On October 8, 2018, in the latest of these kinds of lawsuits to be filed, a plaintiff shareholder filed a securities class action lawsuit against China-based Huazhu Group. As discussed below, there are a number of interesting features of this latest data breach-related securities suit.