In the wake of high-profile cyberattacks, boards of directors are increasingly being scrutinized by regulators, shareholders, and the public over their oversight of cybersecurity risk. In a chapter of “Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers” – a first-of-its-kind publication by the New York Stock Exchange – we explore the legal obligations of boards of directors and board members to oversee cybersecurity risk, the potential exposure that boards face in the current cybersecurity landscape if they do not meet those obligations, and strategies that boards may consider in mitigating that risk to strengthen the corporation and their standing as dutiful directors.
Daniel Dunne, a partner in Orrick's Seattle office, is a member of the Litigation Division, specifically the Securities Litigation, Investigations and Enforcement Group.
Dan Dunne focuses his practice on defense of financial institutions, corporations, directors and officers, and accountants in complex litigation in federal and state courts. Dan has tried more than a dozen cases to verdict in state and federal courts.
Dan has enjoyed considerable success in high-profile national matters with the finest law firms in the country, from arguing in the Delaware Court of Chancery on behalf of Blucora’s directors, to arguing in October in the Washington Supreme Court on behalf of Credit Suisse on a critical issue of first impression under the Washington State Securities Act, to a complete victory following a two-week trial in the Western District of Washington in a major tax dispute against the United States and the Tulalip Tribes, dismissal of an activist investor proxy lawsuit against a Seattle-based bank, and an October 2018 dismissal of a National Rifle Association suit challenging a City of Seattle safe gun storage ordinance. Dan also has active matters advising Washington’s most sophisticated legal clients with respect to shareholder matters, including Microsoft, Seattle Genetics (Washington’s most successful independent biotechnology company) and HomeStreet Bank.
Dan has also been a key part of the winning Orrick team, leading the defense of Credit Suisse against an avalanche of litigation related to claims involving residential mortgage-backed securities (RMBS).
Posts by: Daniel Dunne
On August 11, 2015, the SEC announced that it was bringing fraud charges against 32 defendants for their alleged participation in a five-year, international hacking and insider trading scheme. According to the SEC, two Ukrainian men hacked into at least two major newswire services, stole non-public copies of embargoed corporate announcements containing quarterly and annual earnings data, and provided the announcements to 30 other defendants, who traded off the information. In parallel actions, the U.S. Attorney’s Offices for the District of New Jersey and the Eastern District of New York also announced criminal charges against some defendants named in the SEC’s action. The SEC’s enforcement action may be a harbinger of events to come. As we have written, cybersecurity is emerging as the SEC’s newest area of focus for enforcement actions.
Yesterday, the United States Supreme Court granted certiorari in Spokeo, Inc. v. Robins, to consider a question critical to the viability of data breach class actions: standing. Since the Court’s most recent standing decision in Clapper v. Amnesty Int’l USA, a majority of lower courts have dismissed data breach claims for failing to satisfy Article III’s injury-in-fact requirement; however, a growing chorus of lower courts have sanctioned such actions. As the Supreme Court prepares to wrestle with that split of authority during oral argument this fall, it will be tasked with deciding whether a plaintiff’s allegations concerning violations of statutory rights under the Federal Credit Reporting Act (“FCRA”) are sufficient to establish standing irrespective of any tangible injury. The ramifications of that determination are deeply significant, as the decision may either open or close the floodgates to data breach litigation throughout the country.
On Feb. 3, the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) each released reports regarding cybersecurity issues for brokerage and advisory firms, both of which should be considered required reading for chief information security officers, chief information officers, legal teams and anyone else responsible for managing cybersecurity risk. These reports highlight best practices for managing cybersecurity risk and areas for potential improvement, and should encourage firms to consider further investments in cybersecurity because, as FINRA specifically points out, it “expects firms to consider the principles and effective practices presented in the report as they develop or enhance their cybersecurity programs.” As a result, firms should anticipate that elements covered in the reports will be benchmarks for measuring the effectiveness of a firm’s cybersecurity program in any enforcement action brought by either the SEC or FINRA.
* Reprinted with permission from Bloomberg BNA Privacy & Security Law Report, April 6, 2015
On February 3, 2015, the U.S. Securities and Exchange Commission released a Risk Alert addressing cybersecurity issues at brokerage and advisory firms, along with suggestions to investors on ways they can protect themselves and their online accounts. FINRA issued a similar, more extensive “Report on Cybersecurity Practices” on the same day.