As large-scale data breaches become regular occurrences and new regulations are implemented, shareholder derivative suits are increasingly being used by investors seeking to be made whole after data breaches. Boards of directors need to take note and understand the increasing costs and risks these suits pose. In a two-part article series for the Cybersecurity Law Report, associates Marc Elzweig (Menlo Park-Privacy & Data Protection) and David Lee (New York Corporate Group) review the evolving understanding of the board of directors’ responsibility for cybersecurity and consider recent shareholder derivative suits filed in the wake of data breaches as case studies in Part one.  Part two draws on the recent cases and identifies five lessons that boards may learn from these suits – lessons that are applicable to companies seeking to assess litigation risks related to data breaches and that also provide a practical starting point for managing cybersecurity risks in general.

Read part one of the article.
Read part two of the article.