Page 30 - Delaware Lawyer - Spring 2020

FEATURE
120. In the Matter of Altaba Inc., at ¶ 14, Securities Act of 1933 Release No. 3937, Fed. Sec. L. Rep. (CCH) ¶ 75167 (Apr. 24, 2018).
121. 2016 Yahoo! Inc., Annual Report 47 (Form 10-K) (Mar. 1, 2017), https://www.sec.gov/Archives/edgar/data/1011006/000119312517065791/d293630d10k.htm.
122. Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million, SEC, (Apr. 24, 2018), https://www.sec.gov/news/press-release/2018-71.
123. Determinations of mission criticality might also be made where a business is specifically regulated. For example, in addition to its cybersecurity oversight efforts for issuers, the SEC has also initiated enforcement activity in connection with its oversight of registered broker-dealers, investment companies and investment advisers. Under Regulation S-P, these entities must adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information. Bank-related entities have similar requirements with even greater specificity under Interagency Guidance issued in connection with Gramm-Leach-Bliley. Additional requirements for such entities include a board-approved incident response plan and other prescriptive requirements. See 16 C.F.R. Part 314.
124. See Dura Pharms., Inc. v. Broudo, 544 U.S. 336, 341-42 (2005).
125. Memorandum of Points and Authorities In Support of Plaintiffs’ Motion for Preliminary Approval of Class Action Settlement at 3, In Re Yahoo! Inc. Customer Data Security Breach Litigation, No. 16-md-02752-LHK (N.D. Cal. Oct. 22, 2018).
126. Id.
127. Id.
128. In Re Yahoo! Inc. Securities Litigation, No. 5:17-cv-00373 (N.D. Cal. Jan. 24, 2017). In addition to the securities litigation, Yahoo also paid a civil penalty of $35 million to the SEC and entered into a settlement in connection with customer data security breach litigation. See In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 5:16-md-02752 (N.D. Cal.), brief supporting amended settlement 4/9/19. With respect to the settlement fund, Judge Lucy H. Koh of the U.S. District Court for the Northern District of California denied the first class settlement, valued at $50 million, regarding the Yahoo breaches. Ultimately, the settlement agreement required “Yahoo to pay $117.5 million into a Settlement Fund.” Moreover, “[e]nhanced and improved data security [was] a critical aspect of the Settlement.”
129. SHAREHOLDER ALERT: Pomerantz Law Firm Announces the Filing of a Class Action against Yahoo Inc. and Certain Officers – YHOO, YAHOO! FINANCE (Jan. 24, 2017), https://finance.yahoo.com/news/shareholder-alert-pomerantz-law-firm-032600940.html.
130. Complaint at ¶¶ 7, 10, In Re Yahoo! Inc. Securities Litigation, No. 5:17-cv-00373 (N.D. Cal. filed Jan. 24, 2017).
131. Irina Ivanova, Verizon slashes offer price for Yahoo over data breaches, CBS News (Feb. 21, 2017), https://www.cbsnews.com/news/verizon-yahoo-merger-price-data-breaches/ (“Verizon Communications (VZ) is slicing $350 million off its acquisition offer for Yahoo (YHOO) after the internet company revealed a series of data breaches affecting more than a billion customers.”).
132. Complaint at ¶ 85, In Re Yahoo! Inc. Securities Litigation, No. 5:17-cv-00373 (N.D. Cal. Jan. 24, 2017).
133. Marriott is also undergoing a multidistrict litigation in a Maryland federal court. See Complaint at ¶ 4, Vetter, et al. v. Marriott Int’l, Inc., Case No. 19-cv-00094, (D. Md. Jan. 9, 2019).
134. Marriott acquired Starwood’s portfolio in 2016, making Marriott the largest hotel chain in the world. The Starwood portfolio includes, among others, W Hotels, the St. Regis, Sheraton Hotels, and Westin Hotels. Gaby Del Valle, Marriott’s data breach may be the biggest in history. Now it’s facing multiple class-action lawsuits, Vox (Jan. 11, 2019), https://www.vox.com/the-goods/2019/1/11/18178733/marriott-starwood-hack-lawsuit.
135. See, e.g., Robert McMillan, Marriott’s Starwood Missed Chance to Detect Huge Data Breach Years Earlier, Cybersecurity Specialists Say, WALL ST. J. (Dec. 2, 2018), https://www.wsj.com/articles/marriotts-starwood-missed-chance-to-detect-huge-data-breach-years-earlier-1543788659; Kate Fazzini, The Marriott hack that stole data from 500 million people started four years ago — investors should ask how the company missed it, CNBC (Nov. 30, 2018), https://www.cnbc.com/2018/11/30/marriott-hack-raises-questions-about-merger-diligence-tools-in-use.html.
136. Complaint at ¶ 4, Vetter, et al. v. Marriott Int’l, Inc., No. 19-cv-00094, (D. Md. filed Jan. 9, 2019).
137. Complaint at ¶ 1, McGrath v. Marriott Int’l, Inc., et al., No. 1:18-cv-06845, (E.D.N.Y. filed Dec. 1, 2018).
138. Id.
139. Id. at ¶ 23.
140. Id. at ¶ 25.
141. $3.2 million has been identified as the “mean total cost of a data breach.” See Larry Ponemon, What’s New in the 2019 Cost of a Data Breach Report, Security Intelligence (July 23, 2019), https://securityintelligence.com/posts/whats-new-in-the-2019-cost-of-a-data-breach-report/.
142. See Syed, supra note 7.
143. See supra Section II.B.
144. See 15 USCS § 6801 (The Gramm-Leach-Bliley Act requires that “each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.”); see Board of Governors of the Federal Reserve System, Interagency Guidelines Establishing Information Security Standards, 79 FR 37166 (July 1, 2014) (see 12 C.F.R. 208 Appendix D-2 and 225 Appendix F) (The guidelines articulate standards for implementing section 501(b) of the Gramm-Leach-Bliley Act (GLB Act) and section 216 of the Fair and Accurate Credit Transactions Act of 2003. Specifically, under the guidelines “a financial institution’s board of directors, or an appropriate committee of the board, must satisfy specific requirements designed to ensure that the institution’s information security program is developed, implemented, and maintained under the supervision of those who are ultimately responsible. At the outset, the board, or appropriate committee, must approve the written information security program. Thereafter, the board or appropriate committee must oversee the implementation and maintenance of the program. These duties include assigning specific responsibility for implementing the program and reviewing management reports. ¶III.A of the Security Guidelines. Correspondingly, management must provide a report to the board, or an appropriate committee, at least annually that describes the overall status of the information security program and compliance with the Security Guidelines. The report should describe material matters relating to the program.”)
145. The 2019 IBM Cost of a Data Breach Report highlights that in addition to avoiding liability under Caremark, these solutions can work to mitigate the cost of data breaches. Specifically, the report outlined the top cost mitigating factors to include (1) formation of an incident response team, (2) extensive use of encryption, and (3) extensive tests of the incident response plan. Specifically, the report found that the formation of an incident response team reduced the average total cost of a data breach by $360,000. Conversely, the report found that a third-party partner increases the total cost of a data breach by $370,000. See Larry Ponemon, What’s New in the 2019 Cost of a Data Breach Report, Security Intelligence (July 23, 2019), https://securityintelligence.com/posts/whats-new-in-the-2019-cost-of-a-data-breach-report/.
146. See About NACD, NACD, https://www.nacdonline.org/about.
147. NACD, NACD Director’s Handbook on Cyber-Risk Oversight, at 8 (2017).
148. Id. at 4.
149. Id. at 9.
150. Id. at 9.
151. Id. at 10.
152. Id.
153. Id. at 11.
154. Id.
155. The NACD considered whether all boards should have cybersecurity expertise but declined to recommend this course of action given that it “would take the important responsibility for board composition and director recruitment out of the hands of the only group with firsthand knowledge about a specific board’s current and future skill requirements.” Id. at 14.
156. NACD, NACD Director’s Handbook on Cyber-Risk Oversight, at 13 (2017).
157. Id.
158. Id. at 14.
159. Id. at 15.
160. Id. at 16.
161. Id.
162. NACD, NACD Director’s Handbook on Cyber-Risk Oversight, at 18 (2017).
163. Id.