As securities class actions are being filed at a slower pace over the past year, a few notable developments continued into the second quarter of 2021. In particular, the U.S Supreme Court clarified an important issue governing motions for class certification; the SPAC market plummets but the risk of securities-related litigation continues; and cybersecurity incidents in the U.S. continue to be a focus of securities related enforcement and litigation.

SCOTUS Creates Flexibility to Deny Class Certification in Securities Fraud Suits

Last month, the U.S. Supreme Court clarified an important issue governing motions for class certification in securities fraud litigation: whether the generic nature of a misrepresentation is relevant to price impact.1 The key takeaways included:

  • The Supreme Court clarified its prior securities class-action decisions in Basic v. Levinson2, Halliburton Co. v. Erica P. John Fund, Inc.3 , and Amgen Inc v. Connecticut Retirement Plans and Trust Funds4 to hold that, when deciding whether a defendant has adequately rebutted the fraud-on-the-market presumption of class-wide reliance, trial courts must consider whether the generic nature of the alleged misstatements shows that they did not impact the price of the defendant’s stock.
  • This ruling is particularly important for cases involving the “inflation-maintenance” theory, where the Court recognized that a sufficient “mismatch” between a generic misstatement and a specific disclosure will usually strengthen a defendant’s efforts to rebut the fraud-on-the-market presumption.
  • Although the Supreme Court agreed with the Second Circuit that a defendant bears the burden of persuasion to disprove price impact at the class certification stage, the Supreme Court’s description of that burden will likely be much more favorable to defendants in practice.

Indeed, the Court’s key holding that lower courts must consider all potentially relevant evidence on a motion for class certification, regardless of whether particular facts typically relate to the merits, is likely to be an important tool for defendants in securities class actions. In particular, defendants in litigation concerning generic disclosures about business ethics or environmental, social and governance issues on an “inflation-maintenance” theory should carefully consider whether there may have been a “mismatch” between the alleged misrepresentation and the alleged “corrective disclosure,” as the Justices unanimously agreed that, holding all else equal, defendants are more likely to succeed in their efforts to rebut the Basic presumption.

SPAC Market Plummets but the Risk of Securities-Related Litigation Continues

Recent guidance from the U.S. Securities and Exchange Commission (“SEC”) on Special Purpose Acquisition Companies (“SPACs”) has had a chilling effect on the SPAC market.5 SPAC participants are concerned about “risks from fees, conflicts, sponsor compensation, . . . celebrity sponsorship and the potential for retail participation drawn by baseless hype, and the sheer amount of capital pouring into SPACs.”6 After a record breaking number of SPAC transactions in the first quarter of 2021, the number of SPACs has decreased dramatically this quarter. However, given the vast number of SPACs formed in 2020 and early 2021, there are hundreds of SPACs actively looking for potential targets and many more who have restated their financials in response to statements by the SEC. Thus, the risk of securities litigation relating to SPACs is far from over.

On April 12, 2021, the Acting Director of the SEC’s Division of Corporate Finance issued a statement addressing the accounting treatments of warrants issued in conjunction with SPACs (the “April 12 Statement”).7 The April 12 Statement encouraged SPACs with warrants that may settle upon a SPAC shareholder tender offer to consider accounting for the warrants as liabilities at fair value rather than as equity instruments. This provision is standard in SPAC warrants, and SPACs have not typically treated warrants as liabilities for financial statement purposes. In addition, SPAC registrants who have accounted for warrants as a component of stockholders’ equity rather than liabilities are encouraged to consider if the issuer should (i) restate historical financial statements, and (ii) file a non-reliance 8-K for its historical financial statements.

In response to the April 12 Statement, hundreds of SPACs reclassified their warrants and restated their financials to ensure SEC compliance.8 One such company was Richard Branson’s SPAC-acquired spaceflight company, Virgin Galactic (“VG”).9 Shareholders brought a securities class action lawsuit against VG after VG announced it was restating its financials to comply with the April 12 Statement.10 Plaintiffs alleged VG made materially false and misleading statements in failing to disclose that its SPAC warrants were required to be treated as liabilities rather than equities at the time of VG’s de-SPAC transaction.11 Such SPAC-related lawsuits are currently pending and more may be forthcoming.

The Virgin Galactic lawsuit is one of the approximately fifteen SPAC-related action filed in the first six months of 2021.12 Comparatively, less than ten SPAC-related cases arose in both 2019 and 2020.13 In response to the SPAC filings, some D&O insurance carriers have increased premiums for SPAC D&O-affiliates.14 To protect against securities litigation and SEC enforcement actions, SPAC boards should seek fairness opinions and use extreme caution when relying on financial earnings projections, among other methods.15 In addition, SPAC boards should thoroughly review financial statements before publication and properly ensure sufficient disclaimers and cautionary statements accompany such statements.16

Continuing Significance of Shareholder Lawsuits Arising from Cybersecurity Incidents

In the last several years, there has been an increased focus on cybersecurity disclosures by public companies. This year, shareholders have filed at least two data breach-related securities lawsuits; courts have handed down several decisions; and the SEC has conducted at least one significant investigation. Company officers and directors should take heed of these recent filings and decisions in preparing for potential cybersecurity related issues.17

First, the SEC staff is conducting an investigation regarding a cyberattack involving the compromise of software made by the SolarWinds Corp., which was widely publicized in December 2020. As part of the investigation, the staff issued letters in June to companies that it believes were impacted by the breach, requesting that certain entities provide information to the SEC staff on a voluntary basis. Subject to certain limitations and conditions, the SEC’s Division of Enforcement will not recommend that the Commission pursue enforcement actions against recipients that meet the requirements set out in the Letter that recipients received with the voluntary request for information.18

In addition, in the second quarter of 2021, courts issued opinions in two significant data breach-related securities suits, continuing to underscore the continued significance of cybersecurity issues. To start, in In re Alphabet, Inc. Securities Litigation, the Ninth Circuit reversed in part the dismissal of the Google+ user data securities lawsuit.19 In 2019, Rhode Island brought a securities fraud action against Alphabet, Google, and certain Google executives, alleging that Google failed to disclose certain security issues with the Google+ social network.20 The Court found that the complaint adequately alleged that statements in Google’s April and July 2018 Form 10-Qs were materially misleading.21 In particular, the Court noted that despite learning of cybersecurity issues in early April 2018, Google failed to disclose the issues in its 10-Qs. Instead, Google stated that there were “no material changes” to its risk factors. Eventually, in October 2018, the Wall Street Journal published a story about Google’s purported security issues.22

In addition to adequately alleging false and misleading statements, the Court also determined that the complaint adequately alleged facts raising a strong inference that Google knew about the specific cybersecurity issues and intentionally did not disclose them in its 10-Q statements, thus meeting the scienter pleading requirement.23 In the end, the Court reversed the district court’s dismissal of the federal securities claims, finding that plaintiff adequately alleged falsity, materiality, and scienter for the 10-Q statements.24 Thus, the case will proceed to discovery.

Also in the second quarter, Judge Paul W. Grimm of the District of Maryland dismissed federal securities and derivative data breach actions filed against Marriott International in the merger context.25 The lawsuits arose from Marriott’s 2016 acquisition of Starwood Hotels and Resorts Worldwide and a subsequently identified breach of Starwood’s guest reservations database (the “database”).26 During the merger, Marriott continually updated investors on the merger’s progress in its SEC filings and other public statements, and those statements formed the basis of plaintiff’s federal securities claims. On September 8, 2018, Marriott first learned of a possible database breach, but a forensic investigation determined that the breach began as early as July 2014, two years before Marriott acquired Starwood.27 On November 30, 2018, Marriott issued a press release announcing that hackers breached the database and compromised over 500 million people’s personal information.28

In both the securities and derivative actions, the Court looked favorably upon Marriott for swiftly updating its risk factor disclosures regarding cybersecurity incidents after it learned of the breach. Indeed, the Court pointed to the extensive cautionary language about the risks surrounding the merger, noting that “these cautionary statements are detailed and highly specific to Marriott and the Starwood transaction.”29 Conversely, the Court admonished the plaintiff for taking a “cookie-cutter approach” that “miss[ed] the mark”.30 The Court dismissed plaintiff’s securities claims with prejudice, determining that plaintiff failed to allege (i) a material misrepresentation or omission; (ii) a strong inference of scienter; and (iii) loss causation.31 The Court also dismissed plaintiff’s derivative actions for demand futility and lack of standing because plaintiff did not adequately plead contemporaneous Marriott stock ownership.32

The cases brought against Google and Marriott along with the recent SEC investigation continue to serve as a reminder that companies must make security a key priority. The cases continue to demonstrate that plaintiffs will continue to comb public filings and point to statements relating to its security. Thus, companies should not only adopt well-designed disclosure practices, but also review their current disclosures to ensure accuracy. Indeed, companies should ensure statements related to protecting customer data actually state the measures taken, and companies should only use data for the purpose it was collected. In addition, the Court in In re Marriott praised Marriott for quickly disclosing its cybersecurity incident, while the Ninth Circuit criticized Google for concealing its security and privacy issues. Directors should not only be proactive and attend to substantial breach risks, but should prepare response plans in advance of any issue arising. And companies should continue to develop and publish an insider trading policy to minimize the risk of sales after a data breach and before disclosure. Such steps will help to minimize securities liability.