Peter Selvin

In the following guest post, Peter Selvin discusses the Fifth Circuit’s July 21, 2021 decision in Landry’s Incorporated v. The Insurance Company of the State of Pennsylvania (here), which considered the question of coverage under a commercial general liability policy of damages from a data breach caused by a third-party hacker. Selvin is a partner with Los Angeles-based Ervin Cohen & Jessup. A version of this article previously was published in the LA Daily Journal. I would like to thank Peter for allowing me to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Peter’s article.
Continue Reading Guest Post: CGL Coverage for Data Breaches: New Developments

In the agency’s latest move underscoring its emphasis on cybersecurity disclosure, the SEC has filed settled charges against the U.K. educational publishing and services company Pearson plc, alleging that the company misled investors about a 2018 data breach. The company, which neither admitted nor denied the charges, agreed to pay a $1 million civil money penalty. The administrative enforcement action, while not the first of its type, does highlight the agency’s heightened focus on cybersecurity disclosure issues. The agency’s August 16, 2021 cease and desist order can be found here. The agency’s August 16, 2021 press release about the order can be found here. Pearson’s statement about the proceeding can be found here.
Continue Reading SEC Charges Company Over Misleading Cybersecurity-Related Disclosures

A cybersecurity incident earlier this year at the technology company Ubiquiti has given rise to a securities class action lawsuit against the company and two of its executives. The lawsuit is the latest example of the D&O risk exposure relating to cybersecurity. As discussed below, the lawsuit’s allegation illustrates that the way that a company handles bad news can be an important litigation risk factor. A copy of the May 19, 2021 securities lawsuit complaint against Ubiquiti can be found here.
Continue Reading Internet Technology Company Hit with Data Breach-Related Securities Suit

Paul A. Ferrillo

As I noted in a prior post, the recent state-sponsored cyber incident carried out through an attack on SolarWinds has a number of important implications. As noted in the following guest post from Paul Ferrillo, the incident could also have important implications for the cyber insurance marketplace. Paul is a partner in the McDermott, Will & Emery law firm. I would like to thank Paul for allowing me to publish this article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
Continue Reading Guest Post: SolarWinds – Einstein Failed Us, and the Cyber Insurance Markets will Feel the Squeeze

In my round-up of the Top D&O Stories of 2020, which I published earlier this week, I noted that the recent massive state-actor hack of U.S. government agencies and technology companies underscored the fact that cybersecurity represents a significant operational and management risk for organizations of every type. I also noted that cybersecurity-related issues represent an ongoing D&O claims risk. As if to confirm these propositions, the first securities class action lawsuit of the New Year was filed against SolarWinds, the network infrastructure management company whose breached software is believed to have contributed to the recent massive hack. As discussed below, the newly filed complaint highlights the fact that cybersecurity represents a significant potential source of management liability risk.
Continue Reading SolarWinds Hit with Securities Suit Based on Third-Party Governmental Actor Cyber Attack

Technology-based education firm K12, Inc., which hoped to be able to profit from the pandemic-related shift to virtual learning, has been hit with a securities class action lawsuit alleging that the company’s share price declined after school systems using its platform to address their online learning needs allegedly experienced disappointing results. A copy of the shareholder plaintiff’s November 19, 2020 complaint can be found here.
Continue Reading Online Learning Firm Hit with COVID-19-Related Securities Suit

John Reed Stark

Along with all of the other anxieties about the upcoming Presidential election, there is the concern that someone, somewhere will use some type of cyberattack to interfere with the electoral process. If that were to happen, the immediate question will be “Who did it?” In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, underscores the difficulties associated with identifying the actors behind any cyberattack and cautions against jumping to conclusions about who might have been involved. A version of this article previously was published on Cybersecurity Docket. I would like to thank John for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: Attribution on Election Cyber-Attacks: Don’t Rush to Judgment

John Reed Stark

In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a look at questions of confidentiality surrounding a discovery dispute between class action plaintiffs and a data breach victim company relating to forensic work conducted by Crowdstrike, Inc. in connection with a 2018 data security incident at Marriott International, Inc. As Stark notes, the issue of protecting the confidentiality of post-data breach forensic findings (when the forensic firm is typically engaged by counsel) has become of critical importance and has significant consequences. A version of this article previously was published on Cybersecurity Docket. I would like to thank John for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: More Battles Over Digital Forensic Findings

Stephen Reilly
Andrew Jones

Data breach class action lawsuits are already well-established in the United States, but are only developing elsewhere. In the following guest post, Stephen Reilly and Andrew Jones of Beale & Company Solicitors take a look at the possibilities and prospects for data breach class actions in the U.K. A version of this article previously was published as a Beale & Company client alert. I would like to thank Stephen and Andrew for allowing me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Stephen and Andrew’s guest post.
Continue Reading Guest Post: Data Breach Class Actions in the UK — What Next?

Paul Ferrillo

In the following guest post, Paul Ferrillo provides a primer for the purchase of cybersecurity insurance. Paul is a partner in the McDermott, Will & Emery law firm. My thanks to Paul for allowing me to publish his article as a guest post on this site. I welcome guest posts from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
Continue Reading Guest Post: The Basics and Essentials of Purchasing Cybersecurity Insurance