data breach-related litigation

Over the last several years, plaintiffs’ lawyers have filed a number of D&O lawsuits against companies that had been hit with a cybersecurity incident. These suits have largely been unsuccessful, with the exception of the lawsuits filed against Yahoo in the wake of that company’s data breach. While the plaintiffs’ track record in data breach-related D&O lawsuits so far has not been good, a recent development could suggest that that has changed. On February 13, 2020, the parties to the Equifax data breach-related lawsuit filed a stipulation of settlement stating that the case has been settled based on the defendants’ agreement to pay $149 million. The settlement is subject to court approval. This settlement has a number of interesting implications, as discussed below. A copy of the parties’ stipulation of settlement can be found here.

During 2017 and 2018, plaintiffs’ lawyers filed a number of securities class action lawsuits against companies that had experienced data breaches. Among the highest profile of these cases was the securities lawsuit filed in 2017 against the credit rating firm, Equifax, which in September 2017 announced that hackers had breached its consumer database and accessed millions of records containing personally identifiable information. On January 28, 2019, in a ruling that will be closely analyzed in connection with the several other recently filed data breach-related securities lawsuits, Northern District of Georgia Judge Thomas W. Thrash, Jr. entered an order granting in part and denying in part the defendants’ motion to dismiss. A copy of the January 28 order can be found here.

When news of the recent massive data breach at Marriott began circulating late last week, a colleague emailed and asked me how long I thought it would take for a D&O lawsuit to be filed. I emailed back that I thought there would be a securities class action lawsuit before the end of business on Monday (December 3). Turns out, I didn’t give the plaintiffs’ lawyers nearly enough credit for haste. The plaintiffs’ lawyers managed to file a securities class action lawsuit against the company on December 1, 2018, just one day after Marriott announced the breach. The lawsuit is the latest example both of a data breach-related D&O lawsuit and an event-driven securities suit, as discussed further below.

Last week, the Wall Street Journal reported that this past spring Google had exposed thousands of the Google+ social network users’ private data and then opted to withhold disclosure of the incident because of concerns that doing so would attract regulatory scrutiny and harm the company’s reputation. Following the news reports, questions immediately were asked about a possible SEC investigation of the incident. And now, these developments have drawn two new securities class action lawsuits in which shareholders of Alphabet, Google’s parent company, allege that the company misled investors about the adequacy of the company’s security measures to protect user data from theft and security breaches. As discussed below, the new lawsuits bring together several securities litigation filing trends involving data and privacy-related issues.

One of the most-watched corporate and securities litigation trends in recent years has been the incidence of D&O claims after companies experience data breaches. Although there have been a number of high profile claims along the way, the volume of data breach-related D&O claims has never quite lived up to the hype. Just the same, these kinds of claims have continued to be filed. The most recent case is a securities class action lawsuit that has now been filed against educational services company Chegg, Inc., after its recent announcement of a data breach involving customer data. The Chegg lawsuit, filed on September 27, 2018 in the Northern District of California, can be found here.

As readers of this blog know, data breach, cyber, and privacy-related issues have become a new important area of securities class action litigation in the U.S. In the following guest post, Andrew Miers, Jason Symons, and Shonagh Rasmussen of the HWL Ebsworth law firm review the possibilities for this type of securities lawsuit in Australia. I would like to thank the authors for allowing me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is the authors’ guest post.

In a recent case in the Fifth Circuit, a retail merchant sought to establish that its D&O insurer was required to provide a defense to a data breach-related claim that had been brought against the merchant. The appellate court held that the trial court erred in granting the insurer’s motion for judgment on the pleadings and ruling that the policy’s contractual liability exclusion precluded coverage. The ruling, which suggests at least the possibility of coverage under the D&O policy for at least some of the claims against the merchant, raises a number of important issues, as discussed below. The Fifth Circuit’s June 25, 2018 opinion in the case can be found here. A July 11, 2018 memo from the Crowell & Moring law firm about the decision can be found here.

The newly disclosed $80 million settlement of the Yahoo data breach-related securities class action lawsuit will not make the list of the Top 100 securities suit settlements, but it is significant in its own way just the same. Because the settlement is the first substantial data breach-related shareholder lawsuit recovery, it represents a milestone development in a number of respects, as discussed below. The parties’ March 2, 2018 Stipulation and Agreement of Settlement can be found here.

Commentators (including me) have long speculated about the possible future direction of data breach-related litigation. There have of course been a number of very high profile data breach-related consumer class action suits, but so far relatively few data breach-related D&O lawsuits. Of course, more recently investors filed a securities class action lawsuit involving the high-profile data breach at Equifax. Now investors have filed another data breach securities class action lawsuit, in this case involving PayPal Holdings.

In the wake of credit monitoring and reporting firm Equifax’s announcement last week that it had sustained a data breach involving 143 million U.S. customers, a wave of consumer class action lawsuits has followed. In addition, the litigation wave now also includes at least one securities class action lawsuit; more securities suits are likely to follow. Although data breach-related D&O claims have not fared particularly well in the past, there are features of the Equifax situation that may put the securities suits against Equifax in a different category. An even more interesting question is the extent to which the new lawsuit portends further data breach-related securities litigation going forward.  