For many years, the plaintiffs’ bar has been very active in bringing class action litigation against public companies immediately after the announcement of adverse news concerning a company, which many times triggers a decline in the company’s stock price. Since at least the Yahoo data breach in 2013 (which led to a settled SEC enforcement action and a recently-settled class action lawsuit), plaintiffs’ lawyers have been increasingly drawn to using data breach problems to allege misconduct or fraud by corporate officials charged with keeping the securities markets apprised of all material information about a public company.
Disclosure about cybersecurity matters is very much a “front of mind” issue for U.S. regulators. In February 2018, the U.S. Securities and Exchange Commission issued a statement providing guidance that emphasized the importance of public companies’ attention to their “cybersecurity” disclosure duties. The SEC’s guidance notes the overarching disclosure obligation as applied to cybersecurity and cyber incidents – indicating that material information about cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the particular circumstances, not misleading.
However, fraud claims based on a public company’s faulty (or late) cybersecurity issues and/or other data breach disclosures may, or may not, prove sufficient to support a claim of fraud under the federal securities laws. A recent decision (available here) involving a 2017 acquisition by PayPal Holdings, Inc. makes this clear.
PayPal was sued in December 2017 three weeks after it made public disclosure of a data breach incident at TIO Networks Corp., a subsidiary that PayPal had recently acquired, that potentially impacted the data security of 1.6 million customers. Shareholder plaintiffs alleged that the November 2017 press release disclosures (which triggered a 5.75% drop in PayPal’s stock price) about the problems at the subsidiary were materially misleading, and that the corporate officer defendants knew that the omission was misleading, in violation of the anti-fraud provisions of the federal securities laws.
On December 13, 2018, the U.S. District Court for the Northern District of California granted PayPal’s motion to dismiss the case. Judge Edward Chen found that the plaintiffs had not established “scienter” (an intent to defraud) on the part of the Company’s officials who made public disclosure of the problem on November 10th, and then again in early December when the scope of the data breach problems was more fully understood by the Company. This type of ruling will be welcome to public companies and their directors and officers.