More Companies Face Securities Fraud Suits After Data Breaches

Keep up with the latest developments and legal issues in the telecommunications and emerging technology sectors, with exclusive access to a comprehensive collection of telecommunications law news,...

By Alexis Kramer

Litigious shareholders are eyeing fresh opportunities in cyberattacks.

A particular strand of shareholder lawsuits—securities fraud class actions following data breaches on publicly traded companies—are rising in tandem with the frequency of such attacks.

Shareholders have filed nine such class actions since January 2017 under federal securities law, Bloomberg Law data show. None were filed the year before, according to the data. Equifax Inc. and Intel Corp. are among the companies named in those suits, which typically allege that data breaches or system vulnerabilities led to falling stock prices. Two of the suits have been voluntarily dismissed, the rest are ongoing.

These securities-related lawsuits could be more problematic for companies than the shareholder derivative suits more typically seen after cyberbreaches. Courts have often dismissed derivative suits—in which a shareholder can sue a company board on behalf of the company for breach of fiduciary duty—due to a high legal hurdle for plaintiffs.

Publicly traded companies are under pressure to shore up data systems amid rising attacks and the ensuing publicity and recovery costs. The growing prominence of securities actions—and shareholder lawyers’ evolving legal tactics—heighten the pressure. But companies can, and should, take steps to mitigate risks, such as tightening disclosure policies, attorneys say.

The average cost of a data breach for companies around the world, including detection and notification work, totaled $3.62 million, according to a 2017 report by Ponemon Institute, a privacy and data protection research firm.

Investor Sensitivity

Stock investors’ increasing sensitivity to cyberattacks could explain why more securities fraud actions are being filed, Joseph L. Motto, a securities law attorney and partner at Winston & Strawn LLP in Chicago, told Bloomberg Law. Data breaches are leading to larger stock drops than in the past, in part because the public is more aware of their risks and consequences, he said.

Companies’ heightened emphasis on publicly disclosing their cybersecurity practices also opens the door to more securities fraud suits, Jonathan Meyer, a cybersecurity attorney and partner at Sheppard Mullin Richter & Hampton LLP in Washington, said. Securities fraud cases generally hinge on alleged misinformation in public disclosures, Meyer said.

Some plaintiffs’ attorneys also may opt for securities fraud actions because they may be easier to pursue than shareholder derivative suits. Claims under Section 10(b) of the Securities Exchange Act of 1934 require a showing by plaintiffs that a company misrepresented or omitted a material fact in connection with the sale of a security.

Misrepresentation of a company’s data security standards before a breach occurs may be difficult to prove. But a company’s failure to disclose a breach fast enough is a “more concrete situation"—and more likely to move forward, Meyer said.

Shareholders who have opted for shareholder derivative suits often have their cases dismissed due to the high bar that must be met to show that a board “completely failed” to implement a reporting system or consciously failed to monitor the company’s operations, Melissa Krasnow, a partner at VLP Law Group LLP in Minneapolis, told Bloomberg Law.

Target Corp., for example, fought a shareholder derivative suit alleging the company’s directors breached their duties to protect customers’ information and promptly notify them of a payment card breach. The suit was ultimately dismissed.

Intel Is Latest Target

Intel is the latest company to face a securities fraud class action, which alleges that the company failed to timely disclose a security flaw in its computer processor chips.

Plaintiff Meerain Ali alleged that Intel’s shares dropped more than 5 percent since the company disclosed in a Jan. 3 article on its website that its chips are susceptible to hacking. Class members bought Intel shares at artificially-inflated prices while relying on previous company statements that failed to mention the security flaw, Ali alleged in a Jan. 23 complaint filed in the U.S. District Court for the Northern District of California.

Yahoo! Inc., PayPal Holdings Inc., Qudian Inc., and Advanced Micro Devices Inc. are facing similar class actions. An amended complaint against Yahoo filed Feb. 2 in the same court alleges that Yahoo misrepresented the quality of its data security methods and failed to disclose four separate data breaches. Yahoo is no longer traded after Verizon closed its acquisition in June 2017.

A decision in any of those cases could provide companies with guidance on when and how to disclose their data security practices and breaches. “You’ll likely see more decisions over time that will give additional guidance about the disclosures the law expects in particular circumstances,” Michael S. Flynn, a securities law attorney and partner at Davis Polk & Wardwell LLP in New York, told Bloomberg Law.

Mitigate Risks

Companies can take precautionary steps to mitigate the risk of securities fraud suits. They must make robust public disclosures about data security risks before breaches happen, attorneys said.

Companies should also check existing disclosures to ensure they accurately describe their data security environment, Motto said. And if a breach happens, they should not sit on it too long, he said. “The longer they wait, the longer the class period becomes,” he said.

But determining the proper time to disclose a breach can be tricky, since companies need to learn as much about it as they can, Krasnow said.

“There is a tension between taking time to learn the facts and disclosing quickly,” Krasnow said. “A risk of disclosing quickly is that additional facts are later learned and the disclosure will need to be modified.”

Scrutiny on publicly traded companies over their data policies will only increase, despite legal uncertainties surrounding the issue. “But with each court decision it is likely to get a bit clearer,” Meyer said.

To contact the reporter on this story: Alexis Kramer in Washington at akramer@bloomberglaw.com

To contact the editor responsible for this story: Roger Yu at ryu@bloomberglaw.com

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Tech & Telecom on Bloomberg Law