In the immediate aftermath of the Delaware Supreme Court’s 2019 decision in Marchand v. Barnhill, which revitalized so-called Caremark claims for breach of the duty of oversight, one question I was asked was whether claimants might seek to assert breach of the duty of oversight claims in the context of cybersecurity and data privacy issues. Claimants did, in fact, subsequently raise Caremark claims in connection with the high-profile data breaches at Marriott and SolarWinds, but in each case, the Delaware Chancery Court granted the defendants’ motions to dismiss (as discussed here and here, respectively), raising questions about the viability of duty of oversight claims in the cybersecurity context.

Notwithstanding the less than promising track record for these kinds of claims, in a recent article, NYU Law Professor Jennifer Arlen argues that cybersecurity-related claims for breach of the duty of oversight should support Caremark liability in at least one class of cases – that is, cases relating to companies for whom cybersecurity is a “mission critical legal risk” and in which it is alleged that the company had inadequate cybersecurity that risked (and later caused) substantial harm to businesses and government agency customers, and that the company had misled the customers through statements that were designed to defraud the customers into believing that the company’s cybersecurity systems were materially better than they were. Professor Arlen’s March 18, 2025, post on the Harvard Law School Forum on Corporate Governance about Caremark claims in the cybersecurity context can be found here.
Continue Reading Cybersecurity and the Duty of Oversight

Earlier this week, the SEC announced that it had filed settled charges against four companies for alleged misleading disclosures concerning cybersecurity incidents at the companies. The charges against the companies arose out of the SEC’s investigation of companies potentially affected by the compromise of SolarWinds’ Orion software. One of the four companies was additionally charged with disclosure controls and procedures violations. Without admitting or denying the SEC’s charges, each company agreed to the entry of a cease-and-desist order against them. The companies agreed to pay civil penalties ranging from $4 million to $990,000. The SEC’s October 22, 2024, press release about the charges against the four companies can be found here.
Continue Reading SEC Charges Four Companies for “Downplaying” Cyber Incidents

In a move that may set a record for hacking chutzpah, a cyber ransom gang has filed a complaint with the SEC reporting that a company they hacked had failed to report the incident to the SEC within the time required by the agency’s new cybersecurity disclosure guidelines. The gang apparently filed the complaint after the hacked company failed to respond to the hackers’ ransom demand. The hacking incident and the SEC report were first reported in a November 15, 2023, post on the DataBreaches.net site, and further detailed in a November 15, 2023, post on the BleepingComputer.com site.
Continue Reading Hackers Complain to SEC Company They Hacked Failed to Disclose the Incident

As I noted in my year-end round up of D&O related issues (here), plaintiffs’ lawyers have continued to file securities class action lawsuits following cybersecurity incidents, even though the plaintiffs’ track record in these kinds of lawsuits generally has been poor. Among the cybersecurity-related securities lawsuits filed last year was the suit against cloud-based software company Okta relating in part to the cybersecurity incident at the company earlier in the year. Consistent with the general trend, on March 31, 2023, the court presiding over the Okta securities lawsuit granted the defendants’ motion to dismiss the cybersecurity-related allegations, although the court denied the dismissal motion with respect to certain of the plaintiffs’ other unrelated allegations. The court granted the plaintiff leave to amend the dismissed allegations. The court’s March 31, 2023, order can be found here.
Continue Reading Cybersecurity-Related Securities Suit Allegations Against Okta Dismissed

For several years now, one of the perennial questions in the corporate and securities arena has been the extent to which cybersecurity-related issues will contribute to D&O claims. There has never really been the volume of securities and derivative lawsuits that some observers expected, but there has been a small scattering of occasional suits filed from time to time. Now, in what is the latest cybersecurity-related D&O suit, a plaintiff shareholder has filed a securities class action lawsuit against pay-TV services provider, Dish Networks, related to a network service disruption at the company caused by a cyber-security incident. A copy of the March 23, 2023, complaint can be found here.
Continue Reading Dish Networks Hit with Cybersecurity-Related Securities Suit

Jarett Sena

As I have noted in numerous posts on this site (most recently here), plaintiffs’ lawyers seem drawn to filing D&O claims against companies that have experienced cybersecurity incidents. But as I have also noted, the plaintiffs’ lawyers’ track record in these cases is not particularly good. However, as discussed in the following guest post by Jarett Sena, Director of Litigation Analysis, ISS Securities Class Action Services, the cybersecurity-related securities class action lawsuit pending against SolarWinds recently resulted in a significant and noteworthy settlement. This article previously was published on ISS Securities Services’ ISS Insights. I would like to thank Jarett and ISS Securities Class Action Services for allowing me to publish this article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Jarett’s article.
Continue Reading Guest Post: SolarWinds Agrees to $26 Million Payout Over Massive Data Breach

In numerous prior posts I have examined efforts by plaintiffs’ attorneys to try to impose civil liability on corporate executives in D&O claims following cyber security incidents. Two recent cases show that, in addition to potential civil litigation liability exposure, corporate executives may also face potential regulatory liability and even criminal liability exposure for cyber security incidents at their company. The two recent cases are discussed in an October 27, 2022 memo from the White and Case law firm, here.
Continue Reading Corporate Executives Face Personal Liability Exposure for Cyber Incidents

The payment technology firm Block, Inc. (formerly known as Square) has been hit with a securities class action lawsuit related to the company’s announcement earlier this year that a former employee had improperly accessed and downloaded company customer data. The new lawsuit is the latest example of the ways in which data security incidents can translate into D&O claims. The complaint, filed on October 11, 2022, can be found here.
Continue Reading Payments Company Hit With Data Breach-Related Securities Suit

Readers of this blog know that in recent years, plaintiffs’ lawyers have filed a number of D&O lawsuits against companies that experience cybersecurity-related incidents. Overall, the plaintiffs’ track record on these cases is at best mixed, and a number of high-profile cases have been dismissed. In the latest example of the dismissal of a cybersecurity-related securities suit, the court in the Capital One Financial Corporation data breach-related securities class action lawsuit has granted the defendants’ motion to dismiss. The September 13, 2022 dismissal order in the case can be found here.
Continue Reading Capital One Data Breach-Related Securities Suit Dismissed

Regular readers of this site know that one of the continuing D&O litigation trends over the last several years has been the incidence of securities class action lawsuits and other litigation arising out of cybersecurity incidents at the defendant company. While in many instances these suits have not fared particularly well, plaintiffs’ lawyers have nevertheless continued to file the suits. In the latest suit filing of this type, on May 20, 2022, a plaintiff shareholder filed a securities suit against the cybersecurity firm Okta, Inc., relating to the decline in the company’s share price following revelations of a data breach at the firm. Although in many ways this latest suit is similar to previously filed cybersecurity-related securities suits, there are certain distinct aspects of the suit that make it noteworthy, as discussed below. A copy of the May 20, 2022 complaint in the new lawsuit can be found here.
Continue Reading Cybersecurity Firm Hit with Data Breach-Related Securities Suit