Post-breach litigation can be costly and the rise of one type in particular — shareholder derivative suits filed against boards of directors of companies that have suffered data breaches — merits further attention. Regulatory changes, including the GDPR, may make such suits more frequent in addition to creating other data breach response expenses. Boards of directors need to take note and understand these increasing costs and risks. In part one of this guest article series, Jeewon Kim Serrato, David Lee and Marc Elzweig, attorneys at Shearman & Sterling, review the evolving understanding of the board of directors’ responsibility for cybersecurity and consider several shareholder derivative suits filed in the wake of data breaches as case studies. In part two, they will consider some of the lessons that boards may learn from these suits. See “Key Post-Breach Shareholder Litigation, Disclosure and Insurance Selection Considerations” (Aug. 3, 2016).