One of the reasons there have not been as many cybersecurity-related securities lawsuits as some commentators (including me) expected is that the plaintiffs’ track record in the cases that have been filed has been decidedly mixed. To be sure, there have been some very noteworthy successes for the plaintiffs, including the Equifax cybersecurity-related securities suit, which settled for $149 million. But despite these successes, many of the other cybersecurity-related securities suits have ended in dismissal.

Among the more significant recent cybersecurity-related securities suit dismissals was the ruling in the securities lawsuit relating to the massive Marriott data breach. Now, on appeal, the Fourth Circuit has affirmed the district court’s dismissal in the Marriott case, the latest in a series of high-profile setbacks plaintiffs have experienced in cybersecurity-related securities suits. A copy of the Fourth Circuit’s April 21, 2022 opinion can be found here.
Continue Reading Fourth Circuit Affirms Dismissal of Marriott Data Breach-Related Securities Suit

Last month, when the Delaware Court of Chancery sustained the breach of the duty of oversight claim against the Boeing board, some observers suggested we could see an increase in board oversight breach lawsuits. We may yet see more breach of the duty of oversight claims, but another more recent Delaware Chancery Court decision in the Marriott data breach shareholder derivative suit suggests claimants still face an uphill battle in asserting these kinds of claims. On October 5, 2021, Delaware Vice Chancellor Lori Will granted the defendants’ motion to dismiss in the case, in part on grounds related to the plaintiff’s breach of the duty of oversight claims. As discussed below, the ruling could have particular significance with respect to the prospects for claims of breach of the duty of oversight relating to cybersecurity issues. A copy of Vice Chancellor Will’s opinion can be found here.
Continue Reading Cybersecurity-Related Oversight Duty Breach Claim Against Marriott Board Dismissed

Shortly after Marriott International’s November 2018 announcement that it had uncovered a data breach in the guest registration system of Starwood (which Marriott had acquired two years earlier), the company was hit with a raft of litigation, including both securities class action lawsuits and shareholder derivative lawsuits. In twin June 11, 2021 opinions, the federal district judge presiding over the various Marriott data breach-related lawsuits granted the defendants’ motions to dismiss both the consolidated securities suits and the consolidated derivative suits. The lengthy and detailed opinions make for interesting reading and underscore the challenge plaintiffs face in trying to turn a cybersecurity incident into a D&O claim. The opinion in the securities suit can be found here and the opinion in the derivative suit can be found here.
Continue Reading Marriott Data Breach-Related Securities and Derivative Suits Both Dismissed

John Reed Stark

In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a look at questions of confidentiality surrounding a discovery dispute between class action plaintiffs and a data breach victim company relating to forensic work conducted by CrowdStrike, Inc. in connection with a 2018 data security incident at Marriott International, Inc. As Stark notes, the issue of protecting the confidentiality of post-data breach forensic findings (when the forensic firm is typically engaged by counsel) has become critically important and has significant consequences. A version of this article previously was published on Cybersecurity Docket. I would like to thank John for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: More Battles Over Digital Forensic Findings

John Reed Stark

As discussed in the following guest post from John Reed Stark, a recent development in the class action litigation arising out of the massive Marriott International data breach could have significant ramifications for other claimants asserting class action claims — including securities class action claims — based on data breaches or other cybersecurity incidents. Stark is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. A version of this article originally appeared on Securities Docket. I would like to thank John for allowing me to publish his guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: Some Good News for the Cybersecurity Class Action Bar

When news of the recent massive data breach at Marriott began circulating late last week, a colleague emailed and asked me how long I thought it would take for a D&O lawsuit to be filed. I emailed back that I thought there would be a securities class action lawsuit before the end of business on Monday (December 3). Turns out, I didn’t give the plaintiffs’ lawyers nearly enough credit for haste. The plaintiffs’ lawyers managed to file a securities class action lawsuit against the company on December 1, 2018, just one day after Marriott announced the breach. The lawsuit is the latest example both of a data breach-related D&O lawsuit and an event-driven securities suit, as discussed further below.
Continue Reading Marriott Hit with Data Breach-Related Securities Lawsuit