Extracted from Law360
While significant consumer litigation has become increasingly common following the announcement of a large data breach, cyber-related investor suits have historically been limited to the intermittent shareholder derivative action alleging that the breached company’s board failed to properly oversee the organization’s cyberrisks. And those few sporadic derivative suits filed over the last several years have universally been dismissed in the earliest stages of the litigation.[1]
But after almost a decade of relative calm,[2] the past 12 months saw a flurry of substantial securities fraud class action filings arising out of cyberattacks on publicly traded companies. Yahoo Inc., Equifax Inc., Intel Corp. and PayPal Holdings Inc. are just a few of the Fortune 500 companies that have been hit with cyber-related securities fraud claims over the last year.
The recent cyber-related securities fraud cases follow the same basic pattern: a publicly traded company announces that it is the latest victim of a criminal cyberattack or that it has otherwise identified a significant security vulnerability, most often resulting in the compromise of customer data; the company’s stock price drops following the announcement; and shortly thereafter, shareholders file claims for violations of the federal securities laws. The shareholder plaintiffs generally allege that the company and its executives made material misstatements or omissions regarding the state of the company’s cybersecurity program and/or that the company improperly withheld information after a breach was detected in violation of Sections 10(b) and 20(a) of the Securities Exchange Act. Finally, the plaintiffs allege that these purported misstatements or omissions caused an artificial inflation of the stock price, which fell significantly upon “corrective disclosure” or news of the breach.
Although the allegations are familiar, the startling number of recent cyber-related filings is not. Certainly, securities fraud class actions are universally on the rise,[3] but — unique to the data breach context — the surge in litigation is most likely due to a recent shift in market reaction to the announcements of cyber breaches.
Historically, investors have seemingly paid little if any attention to the “average” data breach impacting consumer data. A December 2016 study by Georgetown University’s Security and Software Engineering Research Center, for instance, reviewed the impact of disclosed breaches at 64 publicly traded companies dating back to 2005. The study assessed the effects of those breaches on the sampled companies’ stock prices compared to their peers during the same time period, and found that, “While the difference in stock price between the sampled breached companies and their peers was negative (-1.13 percent) in the first three days following announcement of a breach, by the 14th day the return difference had rebounded to +0.05 percent, and on average remained positive through the period assessed,” i.e., 180 days following announcement of the breach. The study concluded that “overall, it appears that the announcement of data breaches does not have a meaningful impact on the volatility of equities across industries, and does not meaningfully depress the stock longer than a week.”[4]
But now, for the first time in recent years, shareholder plaintiffs have been able to allege one of the requisite elements of a securities fraud claim: a drop in share price following the announcement of a breach. The Yahoo shareholder plaintiffs allege that the company’s stock price plummeted by over 30 percent following a series of breach-related disclosures, eventually leading to a $350 million price cut in Verizon Communication Inc.’s acquisition of the company. Equifax’s stock price dropped 16.8 percent following the announcement of its breach; PayPal’s price fell 5.75 percent; and Intel fell over 3.5 percent.
In short, the market’s customary “breach fatigue” and apparent indifference to cyberattack announcements has given way to increased investor focus on cybersecurity. Analysts are more closely tracking the costs associated with investigating and remedying breaches, as well as the costs of company-supplied consumer credit monitoring, post-breach litigation, state and federal investigations, and, in some instances, fee payments to payment card brands. And they are continuing to study and publish the potential short- and long-term effects of a data breach on share price.[5] This increased investor focus will likely continue as dealing with breaches becomes a measurable cost of doing business.
Shareholder litigation similarly seems unlikely to revert to pre-2017 levels, particularly in light of the U.S. Securities and Exchange Commission’s February 2018 Interpretive Guidance and the chairman’s stated intent to “promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.”[6] Among other things, the 2018 guidance encourages companies to make tailored and robust disclosures of cyberrisks and incidents that are material to investors and to continue to assess whether the company’s cybersecurity disclosure controls and procedures are sufficient. While the 2018 update does not fundamentally alter earlier SEC statements, private shareholder litigants will undoubtedly rely upon and cite to the guidance as the standard by which a company’s cybersecurity-related disclosures should be judged.[7]
So what can and should publicly traded companies do to reduce the risk of being hit with a securities fraud class action in the wake of a breach and to strengthen their defenses if a suit is filed? First, management should conduct a prophylactic review of the company’s disclosure processes and procedures in light of the SEC’s guidance and recent litigation to ensure that critical information about the company’s cybersecurity is routinely reported to the proper personnel. They should additionally analyze current risk factor disclosures to confirm alignment with the company’s actual risk profile, based in part on the type and amount of data that is potentially vulnerable to attack. As the SEC has cautioned over the last several years, “registrants should provide disclosure tailored to their particular circumstances and avoid generic ‘boilerplate’ disclosure” of cyberrisks.[8] And a more robust discussion of cyber risks may undermine a private litigant’s claim that the company omitted material information necessary to make other statements not misleading.
Finally, if a data breach does occur, companies and their counsel should continually consider whether and when the breach is material and therefore whether public disclosure may be required.[9] While there is no bright-line rule for determining the materiality of a cyberattack, the company should consider, among other things: the type of information potentially impacted (payment card data, personal identifying information, social security numbers, information protected by the Health Insurance Portability and Accountability Act, etc.); the number of records potentially impacted; the estimated length and breadth of the intrusion on the company’s systems; evidence of exfiltration of the compromised data; and anticipated financial or reputational impact. As the SEC has now cautioned, the existence of an ongoing investigation into the breach does not, standing alone, provide a basis for avoiding timely disclosures. However, while it’s best to avoid undue delay, companies should simultaneously resist the temptation to “get ahead of the news” and risk disclosing incorrect or misleading information, which could risk triggering additional litigation.
Footnotes:
[1] The shareholder derivative suits arising out of data breaches at Wyndham Worldwide Corp., Home Depot Inc. and Target Corp. were all dismissed before discovery commenced. See Palkon v. Holmes, No. 2:14-cv-01234 (D.N.J. Oct. 20, 2014) (dismissing derivative claims arising out of a data breach at Wyndham, following a Special Litigation Committee investigation); In re The Home Depot, Inc. Shareholder Derivative Litigation, No. 1:15-cv-02999 (N.D. Ga. Nov. 30, 2016) (dismissing plaintiffs’ derivative claims against Home Depot officers and directors); Davis v. Steinhafel, No. 14-cv-00203 (D. Minn. July 7, 2016) (derivative claims brought on behalf of Target dismissed by stipulation following a Special Litigation Committee investigation).
[2] Before 2017, the leading securities fraud class action case arising out of a data breach was In re Heartland Payment Systems, Inc. Securities Litigation, No. 09-cv-01043 (D. N.J. 2009). The case was dismissed for failure to adequately plead any material misrepresentations or omission and for failure to sufficiently allege scienter.
[3] Cornerstone Research, Securities Class Action Filings 2017 Year in Review.
[4] Russell Lange and Dr. Eric Burger, S²ERC Project: Market Implications of Data Breaches (Dec. 16, 2016).
[5] Paul Bischoff, Analysis: How Data Breaches Affect Stock Market Share Prices (July 11, 2017).
[6] “SEC Adopts Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures,” (Feb. 21, 2018).
[7] Securities fraud class actions are additionally unlikely to subside following the recent announcement of a proposed settlement in the Yahoo! litigation in the amount of $80 million, plus fees. While the Yahoo! case is unique in that disclosures were made in the midst of a merger and eventually led to a significant decrease in the merger price, the case could provide precedent for future settlement potential in similar actions.
[8] Division of Corporation Finance, Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2 (Oct. 13, 2011).
[9] The materiality standard asks whether there is a “substantial likelihood” that disclosure of the breach would be viewed by a “reasonable investor as having significantly altered the ‘total mix’ of information made available.” Basic v. Levinson, 485 U.S. 224 (1988).