Stuart Gerson, Member of the Firm, presents "Litigation and Legislation Developments Enhance Cyber Risk for Companies, Their Officers, and Their Directors: What to Do About It" at the 2015 New York Metro Joint Cyber-Security Conference (NYMJCSC).

Companies and their officers and directors, all of whom have experienced or will experience data breaches, often entirely unrelated to negligence, are being bombarded by expansive litigation fomented not only by private class-action lawyers but also by government agencies, particularly the Federal Trade Commission, the Securities and Exchange Commission, and the Office for Civil Rights of the Department of Health & Human Services. Legislative initiatives actively being considered in Congress are likely to be counterproductive in this area without substantial industry motivation.

Topics include:

  • A government that can’t protect its own data, and which follows standard industry practices when its data are compromised, is attempting to impose standards on private parties that it cannot meet itself.
  • Those private parties are often victims of hacker initiated crime but are treated as law violators themselves.
  • Congress has been considering cybersecurity legislation for over two years but the tension between allowing information sharing and protecting privacy has prevented resolution. Ironically, neither of these issues has much to do with addressing the needs of cyber-crime victims whose customers’ and clients’ data are being stolen. They need an industry standard of due care to insulate themselves from liability unless there is gross negligence.
  • Federal and state administrative agencies increasingly are bringing regulatory cases based on laws like HIPAA, consumer protection statutes, and the securities laws. Companies are being fined millions and regulatory sanctions increasingly are being directed, not only at companies themselves, but also at officers and directors.
  • Notwithstanding the fact that, because of credit monitoring and other after-the-fact protections, consumers are rarely injured economically even in mass data breaches, the risk of standing and class action status being allowed by state courts and, increasingly by federal courts, too (although there is no relevant federal cause of action) is growing.
  • There is a substantial risk that companies that are providers to government programs in areas like health care, defense, and education might be subjected to punitive treble damages cases under the federal False Claims Act.
  • Since companies are truly unable to protect themselves fully against cyber risk, cyber insurance, specifically tailored to individual company conditions, is a necessity.
  • Federal legislation of a preemptive nature is needed to establish practice standards that create a presumption of compliance. The NIST guidelines are a useful basis for this.
  • Courts must be challenged to hold the line on requiring injury in fact and typicality of claims before acknowledging plaintiff standing or certifying class actions. Getting strong appellate and Supreme Court rulings is key.
  • Every cyber data holder must have a thoroughgoing compliance program that reports both to management and, separately, to the Board of Directors.
  • Effective compliance doesn’t just include the easy stuff like encryption and backup, but systems that are constantly monitored and subject to “war games” testing.
  • Especially given the threat of state-sponsored data invasions, effective policy depends on industry/government cooperation at a level not currently present.

For more information, visit

Event Detail

New York City, NY
