SOCIAL ENGINEERING: The Hacking of the Mind November 5, 2015
Transcript
Page 1

SOCIAL ENGINEERING: The Hacking of the Mind

November 5, 2015

Page 2

Gamelah Palagonia – Willis FINEX North America

1

Gamelah Palagonia, CIPM, CIPT, CIPP/US, CIPP/G, ARM, RPLU+
Senior Vice President
Willis Americas Administration, Inc.
Brookfield Place, 200 Liberty Street
[email protected]
212.915.8575

Gamelah Palagonia is a Senior Vice President and national resource for Network Security, Data Privacy and Technology Errors & Omissions.

Gamelah brings over 25 years of risk management and insurance brokerage experience. She is one of the first insurance professionals to specialize in online media, intellectual property, technology errors & omissions liability and cyber risks. Gamelah is a recognized thought leader in the Cyber & Privacy Liability insurance and risk management industry. She is a frequent speaker and author on the topic. Prior to joining Willis, Gamelah was the founder of Privacy Professionals LLC, a Cyber & Privacy Risk Advisory firm.

Credentials

Gamelah holds an Associate Risk Management (ARM) and Registered Professional Liability Underwriter/PLUS (RPLU+) designation, and several information privacy certifications including Certified Information Privacy Manager (CIPM); Certified Information Privacy Technologist (CIPT); Certified Information Privacy Professional/United States (CIPP/US); Certified Information Privacy Professional/Government (CIPP/G).

Page 3

Keith Swiat – RSM

2

Keith Swiat
Director, Security and Privacy
RSM LLP
New York
[email protected]
212.372.1687

Keith Swiat brings over 20 years of experience in information technology, including 10 years of experience in management and network/application security with a strong technical expertise with mobile platforms. He is an expert advisor on best practices and compliance for software vendors developing mobile/web/desktop applications.

As an active participant in the payment card industry, Keith has collaborated with standards organizations, merchants and software vendors to create new data security standards and best practices. His proven leadership skills focus on utilizing the individual strengths of team members to build productive and cohesive practices.

Credentials

• International Association of Privacy Professionals (IAPP) Member
• Certified Ethical Hacker (CEH)
• Computer Forensics and Incident Response, SANS Institute
• PCI-DSS Certifications: QSA (PCI-DSS), PA-QSA (PA-DSS), PA-QSA (P2PE)

Page 4

Stephen Leggett – Willis of New York

3

Stephen Leggett
Senior Vice President, National Fidelity Practice Leader
Willis of New York
Brookfield Place, 200 Liberty Street
[email protected]
212.915.7901

Steve provides Fidelity Bond expertise to offices throughout the U.S., responding to complex coverage and claim issues surrounding Financial Institution Bond and Commercial Crime policies. He has more than 30 years of experience.

Steve is also responsible for the broking and servicing of Fortune 500 companies and Financial Institution Bond placements within the practice. Broking responsibilities also include ancillary bond products, such as Excess SIPC and All Risk Form J policies.

Prior to joining Willis, Steve worked with two global brokerage firms handling Fidelity Bond placements for money centre institutions, stockbrokerage firms, insurance companies and Fortune 500 companies. He began his career with an insurance carrier underwriting Fidelity and Surety Bond accounts.

Credentials

Steve has spoken at numerous conferences on the subject of Financial Institution Bonds and Comprehensive Crime Policies, including the American Bankers Association, RIMS, PLUS and the American Bar Association. Steve graduated from the State University of New York at Oswego with a BA. He has completed numerous accounting and business law postgraduate courses.

Page 5

Judy Selby – BakerHostetler

4

Judy Selby, Esq.
Co-Leader, Information Governance Team
BakerHostetler
45 Rockefeller Plaza, NY, NY 10111
[email protected]
212.589.4208

Judy Selby is co-leader of BakerHostetler's Information Governance team and founded the E-discovery and Technology Management team. She also defends class action lawsuits and recently won the complete dismissal of a data breach class action. Judy handles cutting edge privacy, data breach, and information governance matters, and supports due diligence concerning information-related and Big Data issues in merger and acquisition transactions. She also provides counseling with regard to cyber insurance and handles a variety of insurance coverage matters, including TCPA claims. She has more than 20 years of experience in large scale first- and third-party complex insurance coverage matters, providing a full range of services from opinion work, coverage gap analysis, claims counseling, broker liability, settlement negotiations, international arbitration, and all phases of insurance coverage litigation.

Credentials

Judy is a member of the Law360 Insurance Editorial Advisory Board, the Editorial Advisory Board of Law Technology News, the Professional Liability Underwriters Association, and the Defense Research Institute. She is also a contributor to InsuranceThoughtLeadership.com, Datfloq.com, and BigDataMadeSimple.com. Judy was honored as LawCrossing's Law Job Star in July 2014, featured in Law Technology News as a leading woman in technology, and has been quoted in Forbes, Reuters, Law360, Bloomberg BNA, Insurance Business America, The National Law Journal, and Law Technology News regarding information-related issues. She was selected as the LXBN Leader in May 2015 and as a finalist for CLM's 2015 Outside Counsel of the Year award.

Page 6

Dan Twersky – Willis of New York

5

Dan Twersky
Senior Claims Specialist, FINEX North America
Willis Americas Administration, Inc., Brookfield Place, 200 Liberty Street, New York, NY 10281
Direct: 212 915 8580

Dan is a Senior Claims Specialist for the FINEX Practice of Willis, where he advocates on behalf of his clients in connection with Directors and Officers Liability, Financial Institutions Professional Liability, Employment Practices Liability, Fiduciary Liability, Cyber Liability, and Fidelity insurance policies.

Prior to joining Willis, Dan was most recently a Claim Consultant at CNA, focused on Cyber Liability, Technology and Professional Services Liability, and Media Liability matters. He has worked with a variety of primary and excess, admitted and non-admitted, duty-to-defend coverage forms in connection with both first-party and third-party claims involving a wide range of entities including hardware and software companies, cloud service providers, payment processors, law firms, media conglomerates, engineering firms, non-profits, publishers, web developers, accounting firms, retailers, data brokers, and healthcare providers.

Page 7

WHAT IS SOCIAL ENGINEERING?

Section one

6

Gamelah Palagonia, Willis – FINEX North America

Page 8

“Human beings are social creatures that are shaped as individuals through social interactions and influences.”

7

Page 9

“Social science is a field of study focused on relationships among individuals within a society, such as sociology, anthropology, competitive intelligence, and political science.”

8

Page 10

“Social Engineering is a discipline in social science that refers to efforts to influence popular attitudes and social behaviors on a large scale.”

9

Page 11

There are positive aspects to social engineering but… today our discussion is focused on the criminal aspect as it relates to data privacy and security.

10

Page 12

Social Engineering: The Human Exploit

Social engineering is a broad term for a wide range of tactics and techniques used by criminal attackers that exploit the human element. While cyber attacks combine a range of different tactics, it is clear that there is one very common risk denominator – us humans.

11

Page 13

Verizon 2015 Data Breach Investigations Report (DBIR)

“While the threats against us may “seem” innumerable, infinitely varied, and ever-changing, the reality is they aren’t. The common denominator across the top four patterns of security incidents – accounting for nearly 90% of incidents – is people. Whether it’s goofing up, getting infected, behaving badly or losing stuff.”

12

Chart: 2014 Top Four Patterns (90% of incidents) – Miscellaneous Errors, Crimeware, Insider Misuse, Physical Theft or Loss

Page 14

Symantec 2015 Internet Security Threat Report (ISTR)

“Almost no company, whether large or small, is immune to spear-phishing. Five out of six large (2,500+ employees) companies were targeted with spear-phishing attacks during 2014 – a 40% increase over the previous year. Small and medium-sized businesses also saw an uptick, with attacks increasing 26% and 30%, respectively.”

13

Callout: 40% Increase

Page 15

14

The Targets

Page 16

15

Threat Sources

• Malicious Insiders
• Third-Party Vendor Compromise
• Hacktivists
• Negligent Insiders

Hacked!

Page 17

The Costs

Source: 2015 Ponemon Institute Research Report: The Cost of Phishing & Value of Employee Training, sponsored by Wombat Security Technologies, Inc.

16

The average annual cost to contain a credential compromise that originated from a successful phishing attack: $381,920

The average total cost on an annual basis for an average-sized company to contain malware: $1,900,000

Uncontained malware costs an average-sized company: $105,900,000

The cost of business disruption due to phishing is: $66,900,000

Page 18

Solutions: Data Privacy and Security Training

Businesses that roll out training programs see improvements of between 26 and 99% in their phishing email click rates, with an average improvement of 64%.

17

Source: 2015 Ponemon Institute Research Report: The Cost of Phishing & Value of Employee Training, sponsored by Wombat Security Technologies, Inc.

Page 19

Cyber & Privacy Liability Insurance

Crime Insurance

18

Page 20

19

Page 21

CRIME COVERAGE FOR SOCIAL ENGINEERING

Section two

20

Steve Leggett – Willis of New York, Inc.

Page 22

Social Engineering – Crime Policy

Crime Policy
• loss resulting “directly” from…
• Indirect or consequential loss exclusion
• Purchase & exchange exclusion

FI Bond
• loss resulting “directly” from…
• fraudulent entry of “electronic data” or “computer programs”…
• Indirect or consequential loss exclusion

Where is the coverage under a standard FI Bond or Comprehensive Crime Policy?

21

Page 23

Social Engineering Insurance

• FI Bond
  Fraudulent Transfer Instruction Endorsement (covers fraudulent emails, telefaxes and VIT)
  Limit – full
  Warranties (sender includes password, PIN or other security code / recipient was authorized to receive / call back)
  Impersonation of Insured’s client, another financial institution or Insured’s employee acting on behalf of client

• Crime Policy
  Limit – sub-limited with few exceptions (excess drop down for sub-limits)
  Warranties (call back to a pre-determined number)
  Impersonation of Insured’s client, employee or vendor

Can coverage be purchased?

22

Page 24

Social Engineering Insurance

• ISO conundrum
  Strong argument for coverage under the Wire Fraud Insuring Agreement
  Definition of “Fraudulent Instruction” – “an electronic … instruction received by you which purports to have been transmitted by an employee but which was in fact transmitted by someone else…”
  Purchase & Exchange Exclusion – limited to Premises & Transit Insuring Agreements
  Confidential Information Exclusion – not intended to apply to loss otherwise covered under the policy

• Acceptance of Impersonation Fraud Agreement will likely result in sub-limit of liability

Coverage Warranties (why buy coverage)
Does following policy authentication warranties eliminate the potential for loss?

Coverage Issues

23

Page 25

IT AND SECURITY ISSUES

Section three

24

Keith Swiat – RSM

Page 26

25

Who is Keith Swiat and what is he doing here?

Northeast Director of Privacy and Security
Based out of the NYC office

20+ years experience in:
• Penetration Testing (network and application)
• Vulnerability Assessments
• Code Review
• Crypto analysis
• PCI Compliance

Sensitive Data Security Expert

Page 27

26

Before We Go Any Further

Some Definitions… “Hackers vs. Attackers”

hack·er noun \ˈha-kər\
A person who’s technologically savvy and enjoys finding solutions to problems. Being a hacker is more of a mindset. It’s about wanting to improve and fix things rather than one of wanting to do harm.
We are the good guys.

at·tack·er noun \əˈtakər\
Driven by either personal gain or by promoting political/philosophical ideologies. These are the guys that:
• Steal identities and commit fraud
• Infect computers with malware, trojans, or viruses
• Phish
• Use denial of service attacks
• Breach security systems to steal or destroy data
• Take intellectual property
They are not true hackers.

Page 28

27

Security Misconceptions

The Attackers Are Not Exactly Who You Think They Are

The underground economy has lowered the knowledge threshold. Skilled attackers make more money at less risk by selling their knowledge in packaged form.
• Kits, automation, subscriptions, malware pre-packs, etc.

Result: Pseudo “APT” attackers
• a.k.a. “Idiots with nuclear weapons”

Page 29

28

Attack Vectors

Three Most Prevalent Attack Vectors

1. Social Engineering
• Why bother to do all the heavy lifting involved with “hacking” when you can just ask someone to do something for you?
• While there is a technical component, the attack is against human nature

2. Malware
• Finding and purchasing non-detectable malware in the underground market is trivial
• Modern anti-virus is an 80-20 proposition at best

3. Client-Side Attacks
• “Traditional” hacking is used post-breach, not as the original entry point
• Current methods focus on web apps and browser plugins

Page 30

29

Social Engineering

The “Gateway” Vector

Why hack hardened electronic defenses when it is easier to hack the human?
• Preys on trust between people.
• Very hard to defend against.

Can’t just buy software to protect yourself. Requires a cultural shift in security mindset.

Morphs an external threat into an internal threat.

Two flavors:
• Electronic (phishing, IM, voice)
• Physical Infiltration (impersonation, piggybacking, malware delivery)

Page 31

30

Phishing Emails

The New Face of Phishing

Phishing emails no longer look like a third grader created them.

Page 32

31

Phishing Emails

What is Real and What Isn’t

Example of a malicious link.

Page 33

32

Data Security Targets

The Bounty

Credential Harvesting
• Attackers stand up fake versions of popular cloud services in order to get victims to enter credentials.
• Victims are redirected to the actual cloud service site without knowing they have been attacked.

Confidential Data Breach
• Stolen credentials can lead to a breach of confidential data stored within cloud services.

Unauthorized System Use
• Phishing emails may include malware that can allow an attacker to gain control of systems inside an organization’s network, effectively turning an external threat into an internal threat.

Page 34

33

What Should Organizations Do?

The Human Response vs. The Machine Response

The Human Response

Security awareness programs
• To be effective, programs need to explain the threat, not just tell people what to do.
• Make employees understand that ALL data they have access to on the network could be valuable to an attacker.

The Machine Response

Email sandboxing
• Systems that review emails before they are delivered.

Environment Logging (SIEM)
• Scans for anomalous behavior that could be malicious.

Endpoint Protection (A/V)
• Catches malicious software when it is run on a system.
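The SIEM-style correlation below is an added illustration of the machine response, not code from the presentation: it flags web-proxy clicks on lookalike domains of known cloud services (the credential-harvesting pattern described on the "Data Security Targets" slide) and escalates when a later successful login for the same user comes from a country absent from that user's earlier login history. The log formats, the allowlist of legitimate service hosts and every log line are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed allowlist: legitimate login hosts of the cloud services the organization uses.
KNOWN_SERVICES = {"login.microsoftonline.com", "accounts.google.com", "example-corp.okta.com"}

# Constructed web-proxy log: timestamp, user, URL clicked from an email.
CLICK_LOG = """\
2015-11-05T09:02:11 alice https://login.microsoftonline.com/common/oauth2/authorize
2015-11-05T09:15:40 bob https://login.micros0ftonline.com.secure-docs.example/signin
2015-11-05T10:01:03 carol https://accounts-google.example/ServiceLogin
"""

# Constructed cloud-service authentication log: timestamp, user, result, source country.
AUTH_LOG = """\
2015-11-04T08:30:00 bob SUCCESS US
2015-11-04T08:45:10 carol SUCCESS US
2015-11-05T09:03:00 alice SUCCESS US
2015-11-05T09:41:12 bob SUCCESS US
2015-11-05T11:20:55 bob SUCCESS RO
2015-11-05T12:05:09 carol SUCCESS US
"""


@dataclass(frozen=True)
class Click:
    when: datetime
    user: str
    host: str


@dataclass(frozen=True)
class Login:
    when: datetime
    user: str
    success: bool
    country: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-character swaps such as 'micros0ftonline'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host: str, known: set[str] = KNOWN_SERVICES, max_dist: int = 2) -> bool:
    """True when host is not allowlisted but one of its labels imitates a service brand
    (the second-level label of an allowlisted host, e.g. 'google' or 'microsoftonline')."""
    if host in known:
        return False
    brands = {h.split(".")[-2] for h in known}
    labels = [part for label in host.split(".") for part in label.split("-")]
    return any(levenshtein(lbl, brand) <= max_dist
               for lbl in labels if len(lbl) >= 4 for brand in brands)


def parse_clicks(text: str) -> list[Click]:
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, user, url = line.split()
            out.append(Click(datetime.fromisoformat(ts), user, urlparse(url).hostname or ""))
    return out


def parse_logins(text: str) -> list[Login]:
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, user, result, country = line.split()
            out.append(Login(datetime.fromisoformat(ts), user, result == "SUCCESS", country))
    return out


def correlate(clicks: list[Click], logins: list[Login],
              window: timedelta = timedelta(hours=24)) -> list[dict]:
    """Medium alert for every lookalike click; high when a later successful login by that
    user, inside the window, comes from a country not seen for them before the click."""
    alerts = []
    for click in clicks:
        if not is_lookalike(click.host):
            continue
        baseline = {lg.country for lg in logins
                    if lg.user == click.user and lg.success and lg.when < click.when}
        alert = {"user": click.user, "host": click.host, "severity": "medium",
                 "reason": "click on lookalike of an allowlisted cloud service"}
        for lg in logins:
            if (lg.user == click.user and lg.success and lg.country not in baseline
                    and click.when < lg.when <= click.when + window):
                alert["severity"] = "high"
                alert["reason"] = f"login from {lg.country} after lookalike click; baseline {sorted(baseline)}"
                break
        alerts.append(alert)
    return alerts


def run_demo() -> list[dict]:
    return correlate(parse_clicks(CLICK_LOG), parse_logins(AUTH_LOG))
```

The brand-label heuristic will also flag legitimate hosts missing from the allowlist, so the allowlist must cover every login host the organization actually uses.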

Page 35

LEGAL ASPECTS

Section four

34

Judy Selby – BakerHostetler

Page 36

Complexities of Privacy and Data Security Compliance

Diagram: COMPLIANCE at the center, surrounded by PCI-DSS; HIPAA; HITECH; STATE PRIVACY LAWS (e.g. TX, CA); INDUSTRY SELF REGULATION; FTC; GLBA; STATE BREACH NOTIFICATION LAWS; SEC DISCLOSURE GUIDANCE; INTERNATIONAL DATA PROTECTION (e.g. EU, CANADA)

35

Page 37

State Laws

47 states, D.C., and U.S. territories
• Laws differ by jurisdiction
• National breach notification law on the table

Varying levels of enforcement by state attorneys general

36

Page 38

Decisions, Decisions, Decisions

37

Is it a breach?
• If yes, who needs to be notified?

Do you retain counsel?

Do you involve law enforcement? Regulatory authorities?

Do you hire a forensics company?

Is crisis management necessary?

Do you offer credit monitoring/identity theft protection?

Page 39

Litigation: Clapper

Fear from the heightened risk of future identity theft or fraud from a data breach does not give legal standing to sue by a party whose data may have been compromised.

“Allegations of future harm can establish Article III standing if that harm is “certainly impending,” but “allegations of possible future injury are not sufficient.” Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138, 1147 (2013).

“Our cases do not uniformly require plaintiffs to demonstrate that it is literally certain that the harms they identify will come about. . . . we have found standing based on a ‘substantial risk’ that the harm will occur ….” Clapper at 1150 n.5.

38

Page 40

Post-Clapper

Courts accepting defendants’ standing arguments and dismissing the lawsuit

Lewert v. P.F. Chang’s China Bistro, Inc., No. 14 C 923 (N.D. Ill. Dec. 10, 2014)
Remijas v. Neiman Marcus, No. 14 C 1735 (N.D. Ill. Sept. 16, 2014)
In re Science Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., No. 12–347 (JEB), 2014 WL 1858458 (D.C. May 9, 2014)
Galaria v. Nationwide Mutual Insurance, No. 2:13-cv-118 (S.D. Ohio, Feb. 10, 2014)
Polanco v. Omnicell Inc., 988 F. Supp. 2d 451 (D.N.J. 2013)

Courts rejecting defendants’ standing arguments and letting the lawsuit proceed

In re: Target Corporate Customer Data Security Breach Litigation, MDL No. 14-2522 (PAM/JJK) (D. Minn. Dec. 18, 2014)
In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942 (S.D. Cal. 2014) (settled for $15 million)
Moyer v. Michaels Stores, Inc., No. 14 C 561 (N.D. Ill. July 14, 2014) (court found that there was standing but found that plaintiffs failed to state a claim for breach of contract and a violation of the Illinois Consumer Fraud Act)
In re Adobe Sys., Inc., Privacy Litig., No.: 13–CV–05226–LHK, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014)

39

Page 41

Neiman Marcus

“The plaintiffs allege that the hackers deliberately targeted Neiman Marcus in order to obtain their credit-card information. . . . [t]here is ‘no need to speculate as to whether [the Neiman Marcus customers’] information has been stolen and what information was taken. . . . The Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 693 (7th Cir. 2015).

“At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”

40

Page 42

Issuing Banks Class Actions: Real Harm

Standing has not been an issue in cases where the harm is readily ascertainable:

“Target does not challenge Plaintiffs’ allegations with respect to the elements of causation and damages.” In re Target Corp. Customer Data Sec. Breach Litigation, 64 F.Supp.3d 1304, 1310 (D. Minn. 2014).

41

Page 43

Regulatory & Administrative

In January 2014, SEC indicated that the new standard of care for companies may require policies in place for:
• Prevention, detection, and response to cyber attacks and data breaches,
• IT training focused on security, and
• Vendor access to company systems and vendor due diligence.

FTC’s Order required business to follow three steps when contracting with third-party service providers, In re GMR Transcription Svcs, Inc., 2014 WL 4252393 (Aug. 14, 2014):
• Investigate by exercising due diligence before hiring data service providers.
• Obligate their data service providers to adhere to the appropriate level of data security protections through contractual agreements with provider.
• Verify that the data service providers are adequately protecting data as required by the contractual standards.

42

Page 44

SEC’s Cybersecurity Guidance

SEC Division of Investment Management Cybersecurity Guidance (Apr. 2015)

Contains recommendations that are applicable to all financial firms, including:

Periodically assess their firms’ (i) information and processes, (ii) internal and external cybersecurity threats and vulnerabilities, (iii) security controls and processes, (iv) impact of cyber-related events, and (v) governance structures.

Devise cybersecurity strategy to (i) control access to systems and data, (ii) encrypt data, (iii) restrict use of removable media, (iv) deploy monitoring software, (v) employ data backup and retrieval, and (vi) develop an incident response plan.

Implement written policies and procedures and training to provide appropriate guidance.

Assess cybersecurity measures of vendors and business partners.

43

Page 45

The SEC’s Long Awaited Cybersecurity “Message” Case

The federal securities laws require registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information. S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (September 22, 2015).

“Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”

R.T. Jones violated this “safeguards rule” during a four-year period when it had no such policies and hackers accessed more than 100,000 records of individuals, including its clients. The attack was traced to China; no individuals have reported financial harm.

This violated Rule 30(a) of Regulation S-P of the Securities Act of 1933. In settling, R.T. Jones agreed to censure and a $75,000 penalty.

44

Page 46: SOCIAL ENGINEERING: The Hacking of the Mind · SOCIAL ENGINEERING: The Hacking of the Mind November 5, 2015 . ... • Penetration Testing (network and application) • Vulnerability

Recent SEC Speeches Suggest CCO Cybersecurity

Cases

June 25, 2015, SEC Commissioner Aguilar: SEC is "currently investigating multiple data breaches….[,] examining how it can bring more cybersecurity enforcement actions using its existing authority, and [determining] how that authority might need to be broadened to meet emerging cybersecurity threats."

October 14, 2015, SEC Chief of Staff Donohue: SEC will continue to bring enforcement actions against CCOs for not addressing compliance issues, including cybersecurity.

October 16, 2015, SEC Chair Mary Jo White: "While cybersecurity attacks cannot be entirely eliminated, it is incumbent upon private fund advisers to employ robust, state-of-the-art plans to prevent, detect, and respond to such intrusions."


OCIE Second Cybersecurity Sweep Exam

OCIE's 2015 Cybersecurity Examination Initiative (Risk Alert, September 15, 2015)

OCIE announced a second round of cybersecurity examinations focusing on, among other things: (i) governance and risk assessment, (ii) access rights and controls, (iii) data loss prevention, (iv) vendor management, (v) training, and (vi) incident response.

Included with the Risk Alert was a sample document request covering those topic areas. It is a helpful guide to regulatory focus and priorities; examiners may ask for:

• Policies and procedures

• Board minutes and briefing materials

• Information on the Chief Information Security Officer or equivalent position

• Risk assessment findings and remediation

• Training provided to employees, vendors, and business partners


UNITED STATES SECURITIES AND EXCHANGE COMMISSION, WASHINGTON, D.C. 20549

FORM 8-K: CURRENT REPORT PURSUANT TO SECTION 13 or 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934

Date of Report (Date of earliest event reported): August 4, 2015

UBIQUITI NETWORKS, INC. (Exact name of registrant as specified in its charter)

Delaware (State or other jurisdiction of incorporation); 001-35300 (Commission File Number); 32-0097377 (IRS Employer Identification No.)

2580 Orchard Parkway, San Jose, CA 95131 (Address of principal executive offices, including zip code); (408) 942-3085 (Registrant's telephone number, including area code)

N/A (Former name or former address, if changed since last report)


UBIQUITI NETWORKS

Item 8.01 Other Events


Business Fraud

On June 5, 2015, the Company determined that it had been the victim of a criminal fraud. The incident involved employee impersonation and fraudulent requests from an outside entity targeting the Company's finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties. As soon as the Company became aware of this fraudulent activity it initiated contact with its Hong Kong subsidiary's bank and promptly initiated legal proceedings in various foreign jurisdictions. As a result of these efforts, the Company has recovered $8.1 million of the amounts transferred. Furthermore, an additional $6.8 million of the amounts transferred are currently subject to legal injunction and reasonably expected to be recovered by the Company in due course. The Company is continuing to pursue the recovery of the remaining $31.8 million and is cooperating with U.S. federal and numerous overseas law enforcement authorities who are actively pursuing a multi-agency criminal investigation. The Company may be limited in what information it can disclose due to the ongoing investigation. The ultimate amount of the loss will depend, in part, on the Company's success in recovering the funds. The Company may not be successful in obtaining any insurance coverage for this loss. The Company currently believes this is an isolated event and does not believe its technology systems have been compromised or that Company data has been exposed. While this matter will result in some additional near-term expenses, the Company does not expect this incident to have a material impact on its business or its ability to fund the anticipated working capital, capital expenditures and other liquidity requirements of its ongoing operations.


UBIQUITI NETWORKS

Item 8.01 Other Events (cont.)


The Audit Committee of the Company's Board of Directors has conducted an independent investigation into this matter with the assistance of outside advisors. The investigation concluded on July 17, 2015. The investigation uncovered no evidence that our systems were penetrated or that any corporate information, including our financial and account information, was accessed. The investigation found no evidence of employee criminal involvement in the fraud. As a result of this investigation, the Company, its Audit Committee and advisors have concluded that the Company's internal control over financial reporting is ineffective due to one or more material weaknesses. The Company has implemented enhanced internal controls over financial reporting since June 5, 2015 and is in the process of implementing additional procedures and controls pursuant to recommendations from the investigation.
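The filing above is the textbook business e-mail compromise pattern: no system was penetrated, an outsider impersonated an employee and sent payment requests to the finance team, and the money moved through a foreign subsidiary's bank. The example below is added here and is not part of the Ubiquiti filing or of the original deck. It shows the header and content checks a mail gateway or SOC triage script can apply to an inbound payment request before it reaches accounts payable: a display name that matches a known executive but not their real mailbox, a lookalike sender domain (homoglyph substitution or small edit distance), a Reply-To pointing somewhere other than the visible sender, and money-movement plus urgency language. The corporate domain example.com, the executive roster, the thresholds and both sample messages are constructed for this illustration.

```python
"""Triage an inbound e-mail for executive-impersonation / BEC indicators.

Added example (not from the Ubiquiti 8-K or the original deck). The roster,
the corporate domain and the two sample messages below are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical corporate domain and executive roster (constructed).
CORP_DOMAIN = "example.com"
EXECUTIVES = {
    "Jane Doe": "jane.doe@example.com",
    "Robert Roe": "robert.roe@example.com",
}

PAYMENT_TERMS = re.compile(r"\b(wire|transfer|payment|invoice|remit|funds)\b", re.I)
URGENCY_TERMS = re.compile(r"\b(urgent|immediately|today|confidential|asap)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch near-miss domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_domain(domain: str) -> str:
    """Fold common homoglyph tricks so 'exarnple.com' compares equal to 'example.com'."""
    return (domain.lower()
            .replace("rn", "m").replace("vv", "w")
            .replace("0", "o").replace("1", "l").replace("3", "e"))


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str) -> bool:
    """True when the sender domain imitates the corporate domain without being it."""
    if not domain or domain == CORP_DOMAIN:
        return False
    if normalise_domain(domain) == normalise_domain(CORP_DOMAIN):
        return True
    # Compare the registrable label only, so example.co and examp1e-inc.com also trip.
    label, corp_label = domain.split(".")[0], CORP_DOMAIN.split(".")[0]
    return edit_distance(label, corp_label) <= 2


def analyze(raw: str) -> dict:
    """Return the indicators found in one RFC 5322 message and a handling verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = domain_of(addr), domain_of(reply_to)
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")

    indicators = []
    # 1. Known executive's name on an address that is not their real mailbox.
    if display in EXECUTIVES and addr.lower() != EXECUTIVES[display]:
        indicators.append("display-name impersonation")
    # 2. Sender domain imitates the corporate domain.
    if is_lookalike(from_dom):
        indicators.append("lookalike sender domain")
    # 3. Replies are diverted away from the visible sender's domain.
    if reply_dom and reply_dom != from_dom:
        indicators.append("reply-to mismatch")
    # 4. The request itself: money movement combined with pressure to act now.
    if PAYMENT_TERMS.search(text):
        indicators.append("payment request")
    if URGENCY_TERMS.search(text):
        indicators.append("urgency language")

    score = len(indicators)
    verdict = "hold for out-of-band verification" if score >= 3 else "normal handling"
    return {"from": addr, "indicators": indicators, "score": score, "verdict": verdict}


# Constructed sample messages (not real traffic).
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@exarnple.com>
Reply-To: jane.doe.ceo@mail-relay.invalid
To: ap@example.com
Subject: Urgent wire transfer - confidential acquisition

Please process a wire of USD 2,400,000 to the account in the attached instructions today.
Do not discuss this with anyone; I will explain later.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Q3 board deck

Attached is the Q3 board deck for review.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BEC, SAMPLE_LEGIT):
        print(analyze(sample))
```

The first sample trips all five indicators and is held; the second trips none. Two caveats for anyone adapting this: the edit-distance threshold will also flag unrelated short domains (any label within two edits of yours), so tune it against real vendor traffic, and none of these checks replace the control that actually stops the Ubiquiti pattern, which is a mandatory callback to a known-good number before any new or changed payment instruction is honoured.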


Officer & Director Liability

"Boards that choose to ignore, or minimize the importance of cybersecurity oversight responsibility do so at their own peril."

SEC Commissioner Luis A. Aguilar, June 10, 2014

Shareholder Derivative Litigation

Target: Verified Shareholder Derivative Complaint, In re Target Corporate Shareholder Derivative Litig., No. 0:14-cv-00203-PAM-JJK (D. Minn. Jan. 21, 2014)

Wyndham: Verified Shareholder Derivative Complaint, Palkon v. Holmes, No. 2:14-cv-01234-SRC-CLW (D. N.J. May 2, 2014)

TJX Companies, Inc.: Verified Shareholder Derivative Complaint, Louisiana Municipal Police Employees Retirement Fund v. Alvarez, Civ. No. 5620-VCN (Del. Ch. July 2, 2010)

Securities Fraud Class Action Litigation

Heartland Payment Systems: In re Heartland Payment Sys., Inc., No. 09-1043, 2009 WL 4798148 (D. N.J. Dec. 7, 2009)


Questions?

The observations, comments and suggestions we have made herein are advisory and are not intended

nor should they be taken as legal advice. Please consult your professional advisors on legal, tax,

accounting and human resource issues for an analysis of your specific facts and circumstances.

FOR FURTHER INFORMATION, PLEASE CONTACT:

Shahri Griffin, Senior Vice President, Co-Practice Leader

Financial Institutions Group, Client Advocacy

Willis of New York, Inc., Brookfield Place, 200 Liberty Street, New York, NY 10281

Direct: 212-915-8715 Mobile: 973-715-8282 [email protected]
