In the wake of major cybersecurity incidents, it is becoming increasingly common for shareholders to bring derivative lawsuits alleging that the officers or board members failed to exercise proper governance over cybersecurity. Some companies have paid settlements to resolve such matters, but few derivative actions have ended in judgment on the merits in favor of plaintiffs, largely because plaintiffs are rarely able to show that directors failed to execute their oversight responsibilities. A recent ruling by the Delaware Court of Chancery dismissing a derivative lawsuit against Marriott International, Firemen’s Ret. Sys. of St. Louis v. Sorenson, No. 2019-0965-LWW (Del. Ch. Oct. 5, 2021), reiterates that directors who monitor cybersecurity governance, work to mitigate cyber risks, and seek outside advice on data protection issues will usually not face liability.
Continue Reading Marriott Data Breach Ruling Puts Corporate Boardrooms on Notice
Network Security
State Department Makes Cybersecurity a Priority
Recognizing the persistent and increasingly sophisticated nature of cyber incidents threatening the safety and security of the U.S., the Biden administration is launching a new bureau focused on cybersecurity and digital policy. On October 27, 2021, Secretary of State Antony Blinken formally announced a plan to establish a Bureau of Cyberspace and Digital Policy, which includes appointing a special envoy to address critical and emerging technologies. The new bureau and special envoy will address issues such as cyber threats, digital freedom, and surveillance risks, and will coordinate with the U.S.’s allies to establish international standards on emerging technologies.
Continue Reading State Department Makes Cybersecurity a Priority
Meet the US’s New Federal IoT Cybersecurity Law
On Friday, December 4, 2020, H.R. 1668, the Internet of Things (IoT) Cybersecurity Improvement Act of 2020, was signed into law. The bipartisan bill was sponsored by Senators Mark Warner (D-VA) and Cory Gardner (R-CO) in the Senate and Representatives Robin Kelly (D-IL), and Will Hurd (R-TX) in the House. The new law will require IoT devices “owned or controlled” by the federal government to meet minimum security standards that address network vulnerabilities, and it may have significant implications for government contractors. It was introduced in response to a series of distributed denial of service (DDoS) attacks in 2016, in which the Mirai malware variant was used to compromise tens of thousands of IoT devices, causing a severe disruption in commercial web services.Continue Reading Meet the US’s New Federal IoT Cybersecurity Law