
In the following guest post, Paul Ferrillo and Christophe Veltsos consider the implications of the recently announced bankruptcy of the corporate parent of a medical billing company following a high-profile data breach at the billing company. Paul is a shareholder in the Greenberg Traurig law firm’s Cybersecurity, Privacy, and Crisis Management Practice. Chris is a professor in the Department of Computer Information Science at Minnesota State University, Mankato, where he regularly teaches Information Security and Information Warfare classes. I would like to thank Paul and Chris for their willingness to allow me to publish their article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul and Chris’s article.
Continue Reading Guest Post: Buckle up Directors: Cybersecurity Risk and Bankruptcy Risk Are Not Mutually Exclusive

For any organization experiencing a data breach, the organization’s response to the incident remains one of the most important and yet one of the most challenging next steps. In the following guest post, Paul Ferrillo, a partner in the New York office of the Greenberg Traurig law firm, examines the ways that an organization can respond well to a cyber incident. I would like to thank Paul for his willingness to allow me to publish his article as a guest post on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
Continue Reading Guest Post: The Speed of Breaches and Other Bad News in Cybersecurity Incident Response

While commentators (like me) were predicting a blitz of data breach-related D&O litigation, the anticipated onslaught failed to materialize. The few cases that were filed, in the form of shareholder derivative suits, were unsuccessful. More recently, however, plaintiffs’ lawyers have been taking a different approach to data breach-related D&O lawsuits, filing their cases in the form of securities class action lawsuits. These more recent suits include cases against Equifax (about which see here) and PayPal (here). Now plaintiffs’ lawyers have filed yet another data breach-related securities suit, this one against Qudian, a Chinese company that just completed its IPO in October 2017.
Continue Reading Yet Another Data Breach-Related Securities Suit Filed

Readers undoubtedly are aware of the recent outbreak of ransomware incidents and the problems they present. The threat of ransomware attacks poses a host of issues, among the most significant of which is whether or not ransomware victims should go ahead and make the demanded ransomware payment as the quickest way to try to recover captured systems. In the following blog post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a comprehensive look at the problems involved with making payments in response to a ransomware attack. A version of this article originally appeared on CybersecurityDocket.

I would like to thank John for his willingness to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit an article. Here is John’s guest post.
Continue Reading Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance

In the current world, cyber security is critical for every organization. Cyber insurance is an important part of every organization’s cybersecurity program. In the following guest post, David Bergenfeld, a Senior Associate in D’Amato & Lynch, LLP’s Fidelity Bond Practice Group, examines how businesses can best match their cyber insurance to their cyber security needs. I would like to thank David for his willingness to allow me to publish his article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is David’s guest post.
Continue Reading Guest Post: Matching Business Models and Processes with Cybercrime Insurance Programs

The recent news that Yahoo’s general counsel had resigned following a probe of high-profile data breaches at the company has generated a great deal of discussion and concern. In the following guest post, David Fontaine and John Reed Stark take a look at the circumstances surrounding the resignation and consider the implications of and lessons from this development. David is the CEO of Kroll and its parent company, Corporate Risk Holdings, and John is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. A version of this article originally appeared on CybersecurityDocket. I would like to thank Dave and John for their willingness to publish their article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Dave and John’s guest post.
Continue Reading Guest Post: Three Cybersecurity Lessons From Yahoo’s Legal Department Woes

Cyber breach-related D&O lawsuits have not fared particularly well. Indeed, after the shareholder derivative lawsuit against the board of Home Depot was recently dismissed, it was unclear what the future direction of cybersecurity litigation against corporate officials might be. But even with that direction unclear, and despite the poor track record, it seemed unlikely that we had seen the last of these cases. Among other things, it seemed likely that entrepreneurial plaintiffs’ lawyers would continue to try to identify litigation opportunities of this kind. As it has now turned out, we didn’t have to wait long for confirmation that, despite the dismissals, we had not seen the last of the cyber breach-related D&O lawsuits.
Continue Reading Data Breach-Related Shareholder Derivative Lawsuit Filed Against Wendy’s

One of defendants’ most significant arguments in opposing data breach victims’ negligence and breach of privacy claims has been that claimants who have not suffered actual fraud or identity theft can show no cognizable injury and therefore lack Article III standing to assert their claims. Appellate decisions in the Seventh and Ninth Circuits have previously taken a bite out of this defense, in rulings holding that the victims’ fear of future harm is sufficient to establish standing. Now the Sixth Circuit, in a case involving alleged victims of a data breach at Nationwide Mutual Insurance Company, has joined these other circuits, holding that the claimants’ heightened risk of fraud and their mitigation costs were sufficient to establish Article III standing. The Sixth Circuit’s September 12, 2016 opinion, which can be found here, represents the latest in a series of developments evincing courts’ increasing willingness to recognize fear of potential future harm as sufficient to establish standing, which in turn may make it easier for the plaintiffs’ claims in these kinds of data breach cases to go forward.
Continue Reading Sixth Circuit: Data Breach Victims’ Heightened Risk of Future Harm Establishes Article III Standing

One of the recurring issues that has arisen as claimants and regulators have pursued cybersecurity-related claims against companies that have experienced a data breach is the question of what type or quantum of claimed injury is sufficient to sustain a claim. This issue has recurred in consumer cybersecurity-related damages actions, and it has arisen in regulatory enforcement actions as well. These issues were presented in a very interesting July 29, 2016 Opinion from the Federal Trade Commission (here). The Commission overturned a prior ruling by one of its own Administrative Law Judges, and held, contrary to the ALJ, that the release of private and sensitive information in and of itself was sufficient, even in the absence of alleged economic or physical injury, to support a claim against LabMD that its failure to prevent the information’s release constitutes an “unfair” practice. The FTC’s July 29, 2016 press release about the agency’s ruling can be found here. As the WSJ Law Blog noted in a July 29, 2016 post (here), the FTC’s ruling sets the stage for a “high stakes federal court battle” on the issue of what kind of alleged injury is sufficient to support a cybersecurity-related unfair practices claim.
Continue Reading FTC Holds Private Information Disclosure In and Of Itself Sufficient Injury to Support Unfair Practices Claim

In the following guest post, David Bergenfeld, a Senior Associate in D’Amato & Lynch, LLP’s Fidelity Bond Practice Group, takes a look at key court decisions during the first quarter of 2016 analyzing cybercrime insurance. I would like to thank David for his willingness to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is David’s guest post.
Continue Reading Guest Post: Fidelity Bonds and Cybercrime Insurance: 2016 First Quarter Update