Among other things, 2018 was the year of the shareholder data breach stock-drop lawsuit. As we’ve previously reported, it was the year that shareholders began routinely suing companies after an announcement of a data breach, seeking damages for a hit to the company’s stock price.
Now, in one of the first substantive decisions issued by a court in a breach-related stock-drop suit, a federal judge in California dismissed the case without prejudice and signaled that shareholders face an uphill slog in making it past the motion-to-dismiss stage. Because this ruling comes so early in the game, it is too soon to tell whether fraud claims based on a public company’s breach-related disclosures will, over time, suffice to state a claim under the federal securities laws.
In late 2017, PayPal disclosed a data security vulnerability it had discovered at a company it had recently acquired, TIO Networks, a Canadian cloud-based bill payment processor. PayPal issued a press release on November 10, 2017 disclosing that it had suspended TIO’s operations as a result of its “discovery of security vulnerabilities on the TIO platform and issues with TIO’s data security program that do not adhere to PayPal’s information security standards.” PayPal further explained that an internal investigation was ongoing.
Three weeks later, on December 1, 2017, PayPal made a second public disclosure stating that, as a result of the investigation, it had found “a potential compromise of personally identifiable information for approximately 1.6 million customers.” In their complaint, plaintiffs allege that PayPal’s share price dropped by $4.33, or 5.75%, following that disclosure.
Within the week, shareholders filed a securities fraud lawsuit in a California federal court. The shareholders claimed that the November 10th disclosure was materially false or misleading because it “disclosed only a security vulnerability, rather than an actual security breach, which PayPal and TIO did not acknowledge had been detected.” Under the shareholders’ theory, the nondisclosure of the actual breach on November 10th meant that PayPal’s stock was artificially inflated between the first and second announcements.
The law requires pleading falsity as an essential element of a securities fraud claim, and PayPal, in asking the court to dismiss the case, argued that the shareholders had not satisfied the pleading standard. As PayPal’s lawyers saw it, the November 10th announcement was accurate when made. The company had indeed discovered a data security vulnerability and had truthfully alerted users (and the public) that their information might be at risk. That PayPal did not disclose the actual breach until three weeks later, after its internal review, did not mean that the first announcement of the vulnerability was false or misleading.
Although the court found that the November 10th announcement “could plausibly have created an impression that only a potential vulnerability and not an actual breach had been discovered at that time, and certainly not one which threatened the privacy of 1.6 million users,” the judge noted that this did not mean the company had yet acquired detailed knowledge of the breach at the time of the announcement.
“[T]o succeed based on Plaintiffs’ theory of loss causation, they must plead (in a manner that meets the heightened pleading requirements for scienter) that Defendants knew not only of an actual breach, but that the privacy of 1.6 million customers had been potentially compromised.” To plead that knowledge, plaintiffs relied on the accounts of three confidential witnesses, which the judge summarily rejected as insufficient, concluding that plaintiffs “failed to satisfy the scienter of the falsity upon which their alleged loss is predicated.”
Bottom line: Allegations that PayPal was aware of a breach did not, in and of themselves, mean that the company had determined that the intruder had accessed or compromised user records.
Although PayPal won dismissal, the ruling underscores the dilemma faced by public companies when victimized by a cyberattack: Going public with news of a cyberattack isn’t always an easy call. Doing so too quickly can risk tipping off the bad guys and imperil investigations. Law enforcement often encourages, or even demands, that the incident not be disclosed. At the same time, companies know they have a duty to their investors to provide prompt information about any real risks to their businesses.
Companies facing the unfortunate news that their systems may have been breached need time to investigate and learn the facts. It may be sensible to require some form of immediate disclosure, but how much detail can companies reasonably be expected to disclose at the first possible moment in these fast-moving scenarios? The investigation of a data security incident doesn’t happen overnight. It is often a lengthy process, with facts emerging in dribs and drabs.
If a company is forced to provide the details of a data security incident at the earliest possible moment, there is a risk that it will provide inaccurate or incomplete information and ultimately confuse users, investors, and the public. But if a company discloses the issue promptly while waiting to provide details until they come into focus, it risks being accused of misleading shareholders by omitting those details from the earlier disclosure.
Earlier this year, the SEC issued guidance that calls upon companies to transparently disclose material data security incidents in a “timely fashion.” That instruction, however, is tempered by the SEC’s recognition that “some material facts may not be available at the time of the initial disclosure.”