Cyber Breaches: Lessons Learned from Shareholder Derivative and Securities Fraud Litigation

May 1, 2018

As the number and scale of data breaches in recent years have grown, the question for many companies is not if but when they will be compromised by a cybersecurity attack. In addition to responding to front-page headlines and trying to mitigate reputational harm, companies are required to navigate the shifting landscape of cybersecurity litigation and regulatory actions.

For years, practitioners have been predicting that cybersecurity breaches will bring a wave of shareholder derivative suits and securities fraud class actions. Yet plaintiffs pursuing such derivative litigation, generally against corporate directors and officers for breach of fiduciary duties in connection with data breaches, have fared poorly in the face of strong defenses regarding the pre-suit demand requirement and the protective standard of the business judgment rule. Shareholders seeking to pursue securities fraud litigation face a separate set of hurdles, given that disclosures of even large data breaches have not historically been accompanied by a significant decline in stock price.

While the future of cybersecurity derivative and securities litigation remains uncertain, there is reason to believe that the volume and success of such suits may be on the rise. With respect to shareholder derivative lawsuits, as cybersecurity issues become more widespread, directors and officers will be increasingly on notice of data breach risks, and plaintiffs will more easily be able to argue that directors and officers should have been aware of the company’s susceptibility to a cyberattack and should have taken steps to remedy the company’s vulnerabilities.