John Reed Stark

Is a company’s post-breach forensic report subject to discovery in subsequent breach related litigation? That is the question that John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, examines in the following guest post. A version of this article originally appeared on Securities Docket. I would like to thank John for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: Data Breach Forensic Reports: Keeping a Grail Document Confidential

One of the hot topics for mainstream P&C insurers these days is dealing with “silent cyber” – that is, the coverage for cyber-related losses in traditional property and casualty insurance policies. There are a number of initiatives underway in the insurance underwriting community as insurers try to address silent cyber. However, as noted in an interesting January 14, 2020 memo from the Covington law firm entitled “The Noise About ‘Silent Cyber’ Insurance Coverage” (here), these initiatives have important implications for policyholders. Among other things, these initiatives potentially could result in a gap in policyholders’ coverage for cyber-related losses, as discussed below.
Continue Reading Addressing “Silent Cyber” and the Risk of Coverage Gaps

John Reed Stark

The news of the recent massive data breach at Capital One made the front pages of the business sections of newspapers across the country. The hack has drawn attention not just because of the magnitude of the hack, but also because the hackers apparently managed to steal data from The Cloud. The Capital Data breach represents a “wake-up call” for boards of directors, according to the following guest post from John Reed Stark. John is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. A version of this article originally appeared on Securities Docket. My thanks to John for allowing me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: What the Capital One Hack Means for Board of Directors

Paul Ferrillo
Christophe Veltsos

In the following guest post, Paul Ferrillo and Christophe Veltsos consider the implications of the recently announced bankruptcy of the corporate parent of a medical billing company following a high-profile date breach at the billing company. Paul is a shareholder in the Greenberg Traurig law firm’s Cybersecurity, Privacy, and Crisis Management Practice. Chris is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. I would like to than Paul and Chris for their willingness to allow me to publish their article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul and Chris’s article.
Continue Reading Guest Post: Buckle up Directors: Cybersecurity Risk and Bankruptcy Risk Are Not Mutually Exclusive

 For any organization experiencing a data breach, the organization’s response to the incident remains one of the most important and yet one of the most challenging next steps. In the following guest post, Paul Ferrillo, a partner in the New York office of the Greenberg Traurig law firm, examines the ways that an organization can respond well to a cyber incident. I would like to thank Paul for his willingness to allow me to publish his article as a guest post on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
Continue Reading Guest Post: The Speed of Breaches and Other Bad News in Cybersecurity Incident Response

While commentators (like me) were predicting a blitz of data breach-related D&O litigation, the anticipated onslaught failed to materialize. The few cases that were filed –in the form of shareholder derivative suits — were unsuccessful. More recently, however, plaintiffs’ lawyers have been taking a different approach to data breach-related D&O lawsuits, filing their cases in the form of securities class action lawsuits. These more recent suits involve cases against Equifax (about which refer here) and PayPal (here). Now plaintiffs’ lawyers have filed yet another data breach-related securities suit, this one against Qudian, a Chinese company that just completed its IPO in October 2017.   
Continue Reading Yet Another Data Breach-Related Securities Suit Filed

John Stark Reed

Readers undoubtedly are aware of the recent outbreak of ransomware incidents and the problems they present. The threat of ransomware attacks poses a host of issues, among the most significant of which is whether or not ransomware victims should go ahead and make the demanded ransomware payment as the quickest way to try to recover captured systems. In the following blog post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a comprehensive look that problems involved with making payments in response to a ransomware attack. A version of this article originally appeared on CybersecurityDocket.

I would like to thank John for his willingness to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit an article. Here is John’s guest post.
Continue Reading Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance

david_bergenfeld1In the current world, cyber security is critical for every organization. Cyber insurance is an important part of every organization’s cybersecurity program. In the following guest post, a Senior Associate in D’Amato & Lynch, LLP’s Fidelity Bond Practice Group, examines how business can best match their cyber insurance to their cyber security needs. I would like to thank David for his willingness to allow me to publish his article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is David’s guest post.
Continue Reading Guest Post: Matching Business Models and Processes with Cybercrime Insurance Programs

David Fontaine
David Fontaine
John Reed Stark 1
John Reed Stark

The recent news that Yahoo’s general counsel had resigned following a probe of high-profile data breaches at the company has generated a great deal of discussion and concern. In the following guest post, David Fontaine and John Reed Stark take a look at the circumstances surrounding the resignation and consider the implications of and lessons from this development. David is the CEO of Kroll and its parent company, Corporate Risk Holdings, and John is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. A version of this article originally appeared on CybersecurityDocket. I would like to thank Dave and John for their willingness to publish their article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Dave and John’s guest post.
Continue Reading Guest Post: Three Cybersecurity Lessons From Yahoo’s Legal Department Woes

wendysCyber-breach related D&O lawsuits have not fared particularly well. Indeed, after the shareholder derivative lawsuit against the board of Home Depot was recently dismissed, it was unclear what the future direction for cybersecurity litigation against corporate officials might be. But though the future direction of this type of litigation is unclear, it seemed unlikely despite the poor track record that we had seen the last of these cases. Among other things, it seemed likely that entrepreneurial plaintiffs’ lawyers would continue to try to identify their litigation opportunity for these kinds of cases. As it has now turned out, we didn’t have to wait long for confirmation that despite the dismissals we had not seen the last of the cyber breach-related D&O lawsuits. 
Continue Reading Data Breach-Related Shareholder Derivative Lawsuit Filed Against Wendy’s