John Reed Stark

Readers undoubtedly are aware of the recent outbreak of ransomware incidents and the problems they present. The threat of ransomware attacks poses a host of issues, among the most significant of which is whether or not ransomware victims should go ahead and make the demanded ransomware payment as the quickest way to try to recover captured systems. In the following blog post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a comprehensive look at the problems involved with making payments in response to a ransomware attack. A version of this article originally appeared on CybersecurityDocket.

I would like to thank John for his willingness to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit an article. Here is John’s guest post.
Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance

In the current world, cyber security is critical for every organization. Cyber insurance is an important part of every organization’s cybersecurity program. In the following guest post, David Bergenfeld, a Senior Associate in D’Amato & Lynch, LLP’s Fidelity Bond Practice Group, examines how businesses can best match their cyber insurance to their cyber security needs. I would like to thank David for his willingness to allow me to publish his article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is David’s guest post.
Guest Post: Matching Business Models and Processes with Cybercrime Insurance Programs

David Fontaine
John Reed Stark

The recent news that Yahoo’s general counsel had resigned following a probe of high-profile data breaches at the company has generated a great deal of discussion and concern. In the following guest post, David Fontaine and John Reed Stark take a look at the circumstances surrounding the resignation and consider the implications of and lessons from this development. David is the CEO of Kroll and its parent company, Corporate Risk Holdings, and John is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. A version of this article originally appeared on CybersecurityDocket. I would like to thank Dave and John for their willingness to publish their article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Dave and John’s guest post.
Guest Post: Three Cybersecurity Lessons From Yahoo’s Legal Department Woes

Cyber-breach related D&O lawsuits have not fared particularly well. Indeed, after the shareholder derivative lawsuit against the board of Home Depot was recently dismissed, it was unclear what the future direction for cybersecurity litigation against corporate officials might be. But though the future direction of this type of litigation is unclear, it seemed unlikely despite the poor track record that we had seen the last of these cases. Among other things, it seemed likely that entrepreneurial plaintiffs’ lawyers would continue to try to identify their litigation opportunity for these kinds of cases. As it has now turned out, we didn’t have to wait long for confirmation that despite the dismissals we had not seen the last of the cyber breach-related D&O lawsuits.
Data Breach-Related Shareholder Derivative Lawsuit Filed Against Wendy’s

One of defendants’ most significant arguments in opposing data breach victims’ negligence and breach of privacy claims has been that the claimants that have not suffered actual fraud or identity theft can show no cognizable injury and therefore lack Article III standing to assert their claims. Appellate decisions in the Seventh and Ninth Circuit have previously taken a bite out of this defense, in rulings holding that the victims’ fear of future harm is sufficient to establish standing. Now the Sixth Circuit in a case involving alleged victims of a data breach at Nationwide Mutual Insurance Company has joined these other circuits, holding that the claimants’ heightened risk for fraud and mitigation costs were sufficient to establish Article III standing. The Sixth Circuit’s September 12, 2016 opinion, which can be found here, represents the latest in a series of developments evincing courts’ increasing willingness to recognize fear of potential future harm as sufficient to establish standing, which in turn may make it easier for the plaintiffs’ claims in these kinds of data breach cases to go forward.
Sixth Circuit: Data Breach Victims’ Heightened Risk of Future Harm Establishes Article III Standing

One of the recurring issues that has arisen as claimants and regulators have pursued cybersecurity-related claims against companies that have experienced a data breach is the question of what type or quantum of claimed injury is sufficient to sustain a claim. This issue has recurred in consumer cybersecurity-related damages actions and it has also arisen in regulatory enforcement actions as well. These issues were presented in a very interesting July 29, 2016 Opinion from the Federal Trade Commission (here). The Commission overturned a prior ruling by one of its own Administrative Law Judges, and held, contrary to the ALJ, that the release of private and sensitive information in and of itself was sufficient – even in the absence of alleged economic or physical injury – to support a claim against LabMD that its failure to prevent the information’s release constitutes an “unfair” practice. The FTC’s July 29, 2016 press release about the agency’s ruling can be found here. As the WSJ Law Blog noted in a July 29, 2016 post (here), the FTC’s ruling sets the stage for a “high stakes federal court battle” on the issue of what kind of alleged injury is sufficient to support a cybersecurity-related unfair practices claim.
FTC Holds Private Information Disclosure In and Of Itself Sufficient Injury to Support Unfair Practices Claim

David Bergenfeld

In the following guest post, David Bergenfeld, a Senior Associate in D’Amato & Lynch, LLP’s Fidelity Bond Practice Group, takes a look at key court decisions during the first quarter of 2016 analyzing cybercrime insurance.  I would like to thank David for his willingness to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is David’s guest post.
Guest Post: Fidelity Bonds and Cybercrime Insurance: 2016 First Quarter Update

According to the company’s December 9, 2015 press release (here), Wyndham Worldwide has reached a settlement with the Federal Trade Commission in the long-running and high-profile civil action the agency filed against the company and its affiliates in connection with data breaches at the company during the period 2008-2010. Under the terms of the settlement, the company has agreed to undertake certain measures and to continue to meet certain standards with respect to its customers’ payment card information. As the company said in its press release about the settlement, the company’s undertakings in the settlement set “a standard for what the government considers reasonable data security of payment card information.” The FTC’s December 9, 2015 press release about the settlement can be found here. The parties’ stipulated order for injunction, which is subject to court approval, can be found here.
Wyndham Worldwide Settles Data Breach-Related FTC Enforcement Action

On September 22, 2015, in what has been described as the SEC’s first cybersecurity-related enforcement action, the SEC announced that it had entered into a settlement with St. Louis-based investment advisor R.T. Jones Capital Equities Management, Inc., based on charges that the company had failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients. A copy of the SEC’s order related to the settlement can be found here.

In the following guest post, David Wohl and Paul Ferrillo of the Weil Gotshal law firm take a look at the SEC’s settlement with R.T. Jones and examine the implications of the settlement, and of the recent guidance from SEC’s Office of Investor Education and Advocacy, for future regulatory action, from the SEC and other agencies. A version of the guest post previously was published as a Weil client alert.

I would like to thank David and Paul for their willingness to publish their article on this blog. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is David and Paul’s guest post.

****************************************

Just days after the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued its second round of cybersecurity guidance for its upcoming examinations of registered investment advisers and broker-dealers,[i] the SEC settled an administrative proceeding on cybersecurity issues arising out of a breach at a registered investment adviser, R.T. Jones Capital Equities Management, Inc.  (“R.T. Jones”).[ii]  As a result of the settlement, R.T. Jones was censured and fined $75,000.  On the heels of the recent OCIE guidance and following a year of major cybersecurity breaches (especially at financial institutions),[iii] this proceeding is instructive on a number of points, especially on the question “What happens when you don’t adopt policies and procedures to safeguard client data?”
Guest Post: SEC’s Regulatory Action Against R.T. Jones: Did the Other Cybersecurity Shoe Just Drop?

Micah Skidmore

As I discussed in a recent post, on July 20, 2015, the Seventh Circuit issued its opinion in the Neiman Marcus consumer data breach class action lawsuit. In its opinion (a copy of which can be found here), the appellate court ruled that the district court erred in concluding that the plaintiffs’ fear of future harm from the breach was insufficient to establish standing to pursue their claims. The court held that the impending injuries alleged were sufficient to support Article III standing.
In the following guest post, Micah Skidmore of the Haynes and Boone law firm takes a closer look at the decision and discusses some important insurance coverage issues that the court’s ruling about future injuries may present.
I would like to thank Micah for his willingness to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Micah’s guest post.

**********************************

The recent Neiman Marcus decision from the Seventh Circuit has lowered the bar for plaintiffs suing in the wake of a data breach.  In addition to actual injury, future “impending” injuries substantiated by an “objective,” “substantial risk of harm” and actual costs incurred to prevent or mitigate “imminent” harm are sufficient to support Article III standing.  While the Neiman Marcus decision may provide some clarity regarding standards of pleading and liability (at least for plaintiffs), for those defendants reliant on network security/privacy liability insurance to protect against data breach claims, the opinion prompts an urgent question: does my policy cover liability for future injuries and preventive measures?
Guest Post: Coverage for Future Injuries: Is Your Cyber Policy Up To The Neiman Marcus Challenge?