For many years, the plaintiffs’ bar has been very active in bringing class action litigation against public companies immediately after the announcement of adverse news concerning a company, which many times triggers a decline in the company’s stock price.  Since at least the Yahoo data breach in 2013 (which led to a settled SEC enforcement action and a recently-settled class action lawsuit), plaintiffs’ lawyers have been increasingly drawn to using data breach problems to allege misconduct or fraud by corporate officials charged with keeping the securities markets apprised of all material information about a public company. 

Disclosure about cybersecurity matters is very much a “front of mind” issue for U.S. regulators.  In February 2018, the U.S. Securities and Exchange Commission issued a statement providing guidance that emphasized the importance of public companies’ attention to their “cybersecurity” disclosure duties.  The SEC’s guidance notes the overarching disclosure obligation as applied to cybersecurity and cyber incidents – indicating that material information about cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the particular circumstances, not misleading.

However, fraud claims based on a public company’s faulty (or late) cybersecurity issues and/or other data breach disclosures may, or may not, prove sufficient to support a claim of fraud under the federal securities laws.  A recent decision (available here) involving a 2017 acquisition by PayPal Holdings, Inc. makes this clear.

PayPal was sued in December 2017 three weeks after it made public disclosure of a data breach incident at TIO Networks Corp., a subsidiary that PayPal had recently acquired, that potentially impacted the data security of 1.6 million customers.  Shareholder plaintiffs alleged that the November 2017 press release disclosures (which triggered a 5.75% drop in PayPal’s stock price) about the problems at the subsidiary were materially misleading, and that the corporate officer defendants knew that the omission was misleading, in violation of the anti-fraud provisions of the federal securities laws.

On December 13, 2018, the U.S. District Court for the Northern District of California granted PayPal’s motion to dismiss the case.  Judge Edward Chen found that the plaintiffs had not established “scienter” (an intent to defraud) on the part of the Company’s officials who made public disclosure of the problem on November 10th, and then again in early December when the scope of the data breach problems was more fully understood by the Company.  This type of ruling will be welcome to public companies and their directors and officers.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Edward B. Whittemore Edward B. Whittemore

Ted Whittemore advises public, private, emerging and nonstock/non-profit businesses on a broad range of corporate, securities and governance matters with a focus on general corporate law, registered and exempt securities offerings, SEC compliance representation, mergers and acquisitions, and corporate finance. Ted has represented…

Ted Whittemore advises public, private, emerging and nonstock/non-profit businesses on a broad range of corporate, securities and governance matters with a focus on general corporate law, registered and exempt securities offerings, SEC compliance representation, mergers and acquisitions, and corporate finance. Ted has represented issuers and investors in public and private offerings of debt and equity securities and has advised securities professionals (broker-dealers, investment advisers, and their personnel) on registration, reporting and other regulatory and compliance matters. He advises public companies with their ongoing regulatory matters, including periodic reporting with the SEC, corporate disclosure and finance, stock exchange listing compliance, short-swing and insider trading matters, proxy regulation and deregistration issues. Ted has represented both buyers and sellers in merger, acquisition and divestiture transactions and has advised directors and officers with respect to their fiduciary obligations under state corporate laws. He also advises clients with respect to the formation, management and on-going operations of privately-held and nonstock/non-profit business entities. Ted has authored or co-authored a number of publications on issues including state corporate laws, SEC regulations, insider trading, securities offerings, financial privacy, and electronic financial services.