Shareholders may have found a new hook for data security lawsuits.
Over the past year, plaintiffs have filed nine federal class action securities fraud lawsuits against public companies after data security incidents, according to a recent Bloomberg Law study. And in each case, the company’s stock dropped after the disclosure of either a data breach or alleged data security vulnerability. The study did not find any data security related class actions filed in 2016.
In earlier data breaches, it was unusual to see declines in stock price – a necessary element of a securities fraud claim. But the Yahoo! and Equifax hacks changed that with stock prices tumbling and billions of dollars in market capitalization lost.
Let’s first start with a quick review of the basics. The core issue in securities fraud litigation is often whether the public company made a material misrepresentation or omission that deceived the market. Therefore, what companies say about data security in their SEC filings, press releases, and other communications is critical. And notwithstanding the uptick in breach-related securities fraud filings, these lawsuits are far from easy to win or even get past a motion to dismiss. Depending on the nature of the claimed misstatement or omission at issue, plaintiffs must allege scienter or intentionality with specificity as required by the Private Securities Litigation Reform Act.
To do so, shareholders have generally used one of two legal theories: First, shareholders have alleged that the company’s pre-breach public disclosures didn’t adequately disclose the risk of a data security incident or that the company overstated its cybersecurity strength or capabilities. Or second, that the company withheld or was too slow in disclosing a breach after it was detected. This way, the claims cover both shareholders who purchased stock before the breach as well as those who purchased after the breach but before the public disclosure.
Earlier attempts by shareholders to sue public companies based on data breaches haven’t gotten much traction. Shareholder derivative suits – where a shareholder sues the board on the company’s behalf based a fiduciary duty claim – are difficult to prosecute. The bar for such lawsuits is high since directors are protected by the business judgment rule and shareholders must show that the board “completely failed” or “consciously failed” to exercise its oversight responsibilities. See our earlier blog posts for more on cyber-related derivative litigation (e.g., here or here).
For companies on the receiving end of a data security-related class action securities fraud complaint during the past year, we have found that the lawsuits fall into three general categories.
Companies That Tout Their Data Security: The poster child for this category is Equifax. The company’s 10-Ks for 2015 and 2016 described the credit monitoring service as “delivering security” and touted Equifax’s development of “new technology to enhance the . . . security of the services we offer.” As 145.5 million Americans have found out, that’s not quite how it worked out. Once news about the Equifax breach broke, it wasn’t long before Kuhns v. Equifax Inc. was filed, with the plaintiff’s complaint pointing to those statements, among others, as “false and/or misleading” in light of the company’s actual, undisclosed vulnerabilities.
In particular, the complaint alleges that the company failed to maintain adequate measures to protect its data, failed to adequately monitor its systems to detect breaches, failed to maintain proper security systems and controls, and as a result, the company’s financial statements were materially false and misleading.
Companies That Said Nothing about Data Security (Allegedly): Silence on data security isn’t an option, either, because securities fraud lawsuits can be premised on omissions as well as affirmative misrepresentations. Consider Ali v. Intel Corp. The complaint in that case points to this seemingly innocuous explanation of Intel’s business in two of the company’s quarterly reports: “We offer platforms that incorporate various components and technologies.” What’s the problem with that? According to the complaint, the statement was misleading insofar is it failed to disclose that Intel’s processor chips contained latent flaws that rendered them susceptible to breach.
But on closer examination, Intel’s public disclosures said a lot more. We pulled Intel’s 10-K filing for 2016 (which is referenced in the 10-Q quarterly reports), and sure enough, in the “Risk Factors” section is a lengthy explanation of Intel’s possible exposure to a variety of cybersecurity risks, including those presented by attacks from malicious hackers targeting the company or its products. Such attacks, even if unsuccessful, the report explains, could result in significant costs, including costs connected to product modifications.
That brings us to the third category of data security-related securities fraud lawsuits we’ve seen over the past year.
Companies That Concededly Disclose Risks Connected to Data Security But Are Sued Nonetheless: Consider Kim v. Advanced Micro Devices, Inc. AMD’s annual report disclosed, as acknowledged by the plaintiff’s complaint, that “secure maintenance of [sensitive data] is critical to our business and reputation.” The report further explained that “cyber-attacks have become more prevalent and much harder to detect and defend against.” AMD was at risk of such a cyber-attack, the report explained, which could lead to disclosure of confidential information, business disruption, exposure to liability and expense, and other harm to the business and its reputation. So, since AMD publicly disclosed these risks from a data breach, what was the basis for the lawsuit? According to the complaint, this disclosure was inadequate because it failed to disclose a specific flaw in AMD’s processor chips that, like Intel’s chips, rendered them susceptible to breach.
The AMD case expressly – and the Intel case implicitly – present the same question: In a securities fraud lawsuit, can a company’s stock be found to be artificially inflated by the company’s failure to disclose a specific data security vulnerability if the company has in fact disclosed as a general matter the potential risks connected to a data breach? Since both the AMD and Intel cases were only filed last month, that question hasn’t been answered.
These recent cases underscore the challenge public companies face in crafting appropriate disclosures that cover the range of data security risks faced by the organization – be it a potential breach, a latent vulnerability, or otherwise. We suspect that these nine cases are only the beginning and additional cases will be filed whenever a data security incident is followed by a decline in stock price. We’ll be watching.