Data breach

Subscribe to Data breach via RSS

For several years, cybersecurity has been a perennial D&O liability issue. Although there has never quite been the volume of cybersecurity-related D&O litigation that some anticipated, cybersecurity-related D&O claims do continue to arise. In the latest example, last week a plaintiff shareholder filed a securities suit against cloud data storage company Snowflake, alleging, among many other things, that the company failed to disclose shortcomings in its customer data security arrangements that allegedly allowed key customers to experience a data breach. There are a number of noteworthy aspects of this new complaint and its cybersecurity-related allegations, as discussed below. A copy of the plaintiff’s complaint can be found here.

Continue Reading Cybersecurity-Related Securities Suit Hits Cloud Data Storage Company

The possibility of a securities class action lawsuit being filed against a company after it experiences a data breach is a long-standing risk. For most of 2025, there were relatively few of these kinds of suits filed, at least compared to recent years. However, last week, two different companies – the e-commerce firm Coupang and the application security firm F5 – were each hit with new cybersecurity-related securities class action lawsuits. The new lawsuits have several interesting features, as discussed below, and at a minimum underscore the fact that the threat of these kinds of cybersecurity suits is ongoing.

Continue Reading Two Tech Companies Hit with Data Breach-Related Securities Suits

In the immediate aftermath of the Delaware Supreme Court’s 2019 decision in Marchand v. Barnhill, which revitalized so-called Caremark claims for breach of the duty of oversight, one question I was asked was whether claimants might seek to assert breach of the duty of oversight claims in the context of cybersecurity and data privacy issues. Claimants did, in fact, subsequently raise Caremark claims in connection with the high-profile date breaches at Marriott and SolarWinds, but in each case, the Delaware Chancery Court granted the defendants’ motions to dismiss (as discussed here and here, respectively), raising questions about the viability of duty of oversight claims in the cybersecurity context.

Notwithstanding the less than promising track record for these kinds of claims, in a recent article, NYU Law Professor Jennifer Arlen argues that cybersecurity-related claims for breach of the duty of oversight should support Caremark liability in at least one class of cases – that is, cases relating to companies for whom cybersecurity is a “mission critical legal risk” and in which it is alleged that the company had inadequate cybersecurity that risked (and later caused) substantial harm to businesses and government agency customers, and that the company had misled the customers through statements that were designed to defraud the customers into believing that the company’s cybersecurity systems were materially better than they were. Professor Arlen’s March 18, 2025, post on the Harvard Law School Forum on Corporate Governance about Caremark claims in the cybersecurity context can be found here.

Continue Reading Cybersecurity and the Duty of Oversight

Earlier this week, the SEC announced that it had filed settled charges against four companies for alleged misleading disclosures concerning cybersecurity incidents at the companies. The charges against the companies arose out of the SEC’s investigation of companies potentially affected by the compromise of SolarWinds’ Orion software. One of the four companies was additionally charged with disclosure controls and procedures violations. Without admitting or denying the SEC’s charges, each company agreed to the entry of a cease-and-desist order against them. The companies agreed to pay civil penalties ranging from $4 million to $990,000. The SEC’s October 22, 2024, press release about the charges against the four companies can be found here.

Continue Reading SEC Charges Four Companies for “Downplaying” Cyber Incidents

In a move that may set a record for hacking chutzpah, a cyber ransom gang has filed a complaint with the SEC reporting that a company they hacked had failed to report the incident to the SEC within the time required by the agency’s new cybersecurity disclosure guidelines. The gang apparently filed the complaint after the hacked company failed to respond to the hackers’ ransom demand. The hacking incident and the SEC report were first reported in a November 15, 2023, post on the DataBreaches.net site, and further detailed in a November 15, 2023, post on the BleepingComputer.com site.

Continue Reading Hackers Complain to SEC Company They Hacked Failed to Disclose the Incident

As I noted in my year-end round up of D&O related issues (here), plaintiffs’ lawyers have continued to file securities class action lawsuits following cybersecurity incidents, even though the plaintiffs’ track record in these kinds of lawsuits generally has been poor. Among the cybersecurity-related securities lawsuits filed last year was the suit against cloud-based software company Okta relating in part to the cybersecurity incident at the company earlier in the year. Consistent with the general trend, on March 31, 2023, the court presiding over the Okta securities lawsuit granted the defendants’ motion to dismiss the cybersecurity-related allegations, although the court denied the dismissal motion with respect to certain of the plaintiffs’ other unrelated allegations. The court granted the plaintiff leave to amend the dismissed allegations. The court’s March 31, 2023, order can be found here.

Continue Reading Cybersecurity-Related Securities Suit Allegations Against Okta Dismissed

For several years now, one of the perennial questions in the corporate and securities arena has been the extent to which cybersecurity-related issues will contribute to D&O claims. There has never really been the volume of securities and derivative lawsuits that some observers expected, but there has been a small scattering of occasional suits filed from time to time. Now, in what is the latest cybersecurity-related D&O suit, a plaintiff shareholder has filed securities class action lawsuit against pay-TV services provider, Dish Networks, related to a network service disruption at the company caused by a cyber-security incident. A copy of the March 23, 2023, complaint can be found here.

Continue Reading Dish Networks Hit with Cybersecurity-Related Securities Suit

Jarett Sena

As I have noted in numerous posts on this site (most recently here), plaintiffs’ lawyers seem drawn to filing D&O claims against companies that have experience cybersecurity incidents. But as I have also noted, the plaintiffs’ lawyers’ track record in these cases is not particularly good. However, as discussed in the following guest post by Jarett Sena, Director of Litigation Analysis, ISS Securities Class Action Services, the cybersecurity-related securities class action lawsuit pending against SolarWinds recently resulted in a significant  and noteworthy settlement. This article previously was published on ISS Securities Services’ ISS Insights. I would like to thank Jarett and ISS Securities Class Action Services for allowing me to publish this article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Jarett’s article.
Continue Reading Guest Post: SolarWinds Agrees to $26 Million Payout Over Massive Data Breach

In numerous prior posts I have examined efforts by plaintiffs’ attorneys to try to impose civil liability on corporate executives in D&O claims following cyber security incidents. Two recent cases show that, in addition to potential civil litigation liability exposure, corporate executives may also face potential regulatory liability and even criminal liability exposure for cyber security incidents at their company. The two recent cases are discussed in an October 27, 2022 memo from the White and Case law firm, here.
Continue Reading Corporate Executives Face Personal Liability Exposure for Cyber Incidents

The payment technology firm Block, Inc. (formerly known as Square) has been hit with a securities class action lawsuit related to the company’s announcement earlier this year that a former employee had improperly accessed and downloaded company customer data. The new lawsuit is the latest example of the ways in which data security incidents can translate into D&O claims. The complaint, filed on October 11, 2022, can be found here.
Continue Reading Payments Company Hit With Data Breach-Related Securities Suit