Readers of this blog know that in recent years, plaintiffs’ lawyers have filed a number of D&O lawsuits against companies that experience cybersecurity-related incidents. Overall, the plaintiffs’ track record on these cases is at best mixed, and a number of high-profile cases have been dismissed. In the latest example of the dismissal of a cybersecurity-related securities suit, the court in the Capital One Financial Corporation data breach-related securities class action lawsuit has granted the defendants’ motion to dismiss. The September 13, 2022 dismissal order in the case can be found here.
Continue Reading Capital One Data Breach-Related Securities Suit Dismissed

Regular readers of this site know that one of the continuing D&O litigation trends over the last several years has been the incidence of securities class action lawsuits and other litigation arising out of cybersecurity incidents at the defendant company. While in many instances these suits have not fared particularly well, plaintiffs’ lawyers have nevertheless continued to file the suits. In the latest suit filing of this type, on May 20, 2022, a plaintiff shareholder filed a securities suit against the cybersecurity firm Octa, Inc., relating to the decline in the company’s share price following revelations of a data breach at the firm. Although in many ways this latest suit is similar to previously filed cybersecurity-related securities suits, there are certain distinct aspect of the suit that make it noteworthy, as discussed below.  A copy of the May 20, 2022 complaint in the new lawsuit can be found here.
Continue Reading Cybersecurity Firm Hit with Data Breach-Related Securities Suit

One of the reasons there have not been as many cybersecurity-related securities lawsuits as some commentators (including me) expected is that the plaintiffs’ track record in the cases that have been filed has been decidedly mixed. To be sure, there have been some very noteworthy successes for the plaintiffs, including the Equifax cybersecurity-related securities suit, which settled for $149 million. But though there have been some noteworthy successes, many of the other cybersecurity related securities suits have ended in dismissal.

Among the more significant recent cybersecurity-related securities suit dismissals was the ruling  in the securities lawsuit relating to the massive Marriott data breach. Now, on appeal, the Fourth Circuit has affirmed the district court’s dismissal in the Marriott case, the latest in a series of high-profile setbacks plaintiffs have experienced in cybersecurity-related securities suits. A copy of the Fourth Circuit’s April 21, 2022 opinion can be found here.
Continue Reading Fourth Circuit Affirms Dismissal of Marriott Data Breach-Related Securities Suit

As I have noted in prior posts on this site (most recently here), plaintiffs’ lawyers’ claims in cybersecurity-related D&O lawsuits recently have fared poorly. A number of these suits recently have failed to clear the initial pleading hurdles. However, in a ruling last week, the federal judge presiding over the SolarWinds cybersecurity-related securities suits substantially denied the defendants’ motions to dismiss in an opinion that has a number of interesting features, as discussed below. Western District of Texas Judge Robert Pitman’s March 30, 2022 opinion in the case can be found here.
Continue Reading Dismissal Motion Largely Denied in the SolarWinds Cybersecurity-Related Securities Suit

As I have noted in numerous posts on this site (most recently here), the plaintiffs’ track record in data breach-related securities class action lawsuits is mixed at best. To be sure, there have been cases in which plaintiffs’ have prevailed, but overall the plaintiffs’ track record in data breach-related securities suits has been poor. In the latest setback for plaintiffs in these kinds of cases, the Ninth Circuit has affirmed the trial court’s dismissal of the data breach-related securities suit filed against Zendesk. A copy of the Ninth Circuit’s March 2, 2022 Opinion in the Zendesk case can be found here.
Continue Reading Ninth Circuit Affirms Zendesk Data Breach Securities Suit Dismissal

In the latest example of claimants seeking to assert the newly revitalized type of claim for breach of the duty of oversight against corporate boards, plaintiff shareholders have filed a derivative lawsuit in Delaware Chancery Court against certain past and current directors of technology company SolarWinds, based on the massive cybersecurity incident involving the company’s software and systems discovered in December 2020. As discussed below, there are several interesting features of this lawsuit in light of recent developments involving claims for alleged breaches of the duty of oversight. A copy of the heavily redacted publicly available version of the plaintiffs’ complaint against the SolarWinds board can be found here.
Continue Reading Cybersecurity-Related Breach of the Duty of Oversight Claim Filed Against SolarWinds Board

Rachel Soich

As I have noted in prior posts on this site, cybersecurity issues can lead to D&O claims. In the following guest post, Rachel Soich, FCAS, MAAA. Consulting Actuary at Milliman, considers steps that companies can take to avoid cyber-related D&O costs. A prior version of this article previously was published in Milliman Insight. I would like to thank Rachel for allowing me to publish her article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Rachel’s article.
Continue Reading Guest Post: Three Ways to Avoid Cyber-Related D&O Costs

In an interesting development, the U.S. District Court Judge overseeing the cybersecurity-related securities class action lawsuit pending against title insurance company First American Financial Corp. has granted the defendants’ motion to dismiss. The dismissal in the case is interesting because the company had in June 2021 agreed with the SEC to enter a cease-and-desist order and to pay a modest civil penalty to settle charges related to the same cybersecurity incident. The dismissal is also interesting because it shows how plaintiffs’ lawyers have struggled to get traction with cybersecurity-related securities suits. A copy of the Court’s September 22, 2021 order granting the motion to dismiss in the First American securities suit can be found here.
Continue Reading Cybersecurity-Related Securities Suit Dismissed

Peter Selvin

In the following guest post, Peter Selvin discussed the Fifth Circuit’s July 21, 2021 decision in Landry’s Incorporated v. The Insurance Company of the State of Pennsylvania (here), which considered the question of coverage under a commercial general liability policy of damages from a data breach caused by a third-party hacker. Selvin is a partner with Los Angeles-based Ervin Cohen & Jessup. A version of this article previously was published in the LA Daily Journal. I would like to thank Peter for allowing me to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Peter’s article.
Continue Reading Guest Post: CGL Coverage for Data Breaches: New Developments

In the agency’s latest move underscoring its emphasis on cybersecurity disclosure, the SEC has filed settled charges against the U.K. educational publishing and services company Pearson plc, alleging that the company misled investors about a 2018 data breach. The company, which neither admitted nor denied the charges, agreed to pay a $1 million civil money penalty. The administrative enforcement action, while not the first of its type, does highlight the agency’s heightened focus on cybersecurity disclosure issues. The agency’s August 16, 2021 cease and desist order can be found here. The agency’s August 16, 2021 press release about the order can be found here. Pearson’s statement about the proceeding can be found here.
Continue Reading SEC Charges Company Over Misleading Cybersecurity-Related Disclosures