February 1, 2019
Shareholders are using the European Union’s data protection rules to help bolster privacy-related securities fraud claims against publicly traded companies.
Investors have filed 14 class actions since January 2018 against companies such as Alphabet Inc.'s Google and Facebook Inc., alleging that bad publicity around data breaches or security flaws, or changes in the data privacy landscape, caused their stock prices to drop, Bloomberg Law data show. Eleven of the lawsuits were filed after the EU’s General Data Protection Regulation (GDPR) took effect last May.
The number of securities fraud actions are on the rise amid a series of high-profile data incidents, despite the high legal bar for such cases. As the cases tick up, shareholders are looking to strengthen their arguments. The latest strategy, used in four of the eleven complaints filed in 2018 after the GDPR took effect, involves citing compliance with the law and its impact on financial growth.
“Plaintiffs will absolutely leverage that as best as they can in complaints,” Joseph L. Motto, a securities law attorney at Winston & Strawn LLP in Chicago, told Bloomberg Law. The mere existence of data privacy regulations will “make it less defensible for companies to plead ignorance as to whether their data protection standards are up to par,” he said.
Shareholders started pursuing claims in 2017 that alleged a company’s failure to disclose a breach or its misrepresentation of data security quality artificially inflated stock prices. Publicly traded companies faced nine such class actions that year—with a lawsuit against Yahoo! Inc. being among the first.
Most of the cases are still unresolved. The case against Yahoo, for failing to properly disclose four data breaches, was settled for $80 million last September. A federal court in Georgia Jan. 28 allowed class action claims to proceed against Equifax Inc. over its 2017 data breach. Another federal judge in California tossed a complaint against PayPal Holdings Inc. in December but said the plaintiffs could refile.
“Plaintiffs are trying to throw different arguments in front of judges to see what sticks,” Avi Gesser, a principal member of Davis Polk & Wardwell LLP’s cybersecurity and data privacy practice in New York, said.
The latest securities fraud litigation tactic: claiming that a company didn’t disclose its regulatory obligations under the GDPR.
Three nearly identical securities fraud complaints filed in 2018 against Nielsen Holdings PLC allege that the market research firm “recklessly disregarded” how the GDPR and other regulations could affect financial growth.
A complaint filed in the same court alleges Facebook failed to disclose that its GDPR compliance efforts would hurt its revenue growth. That complaint was consolidated with related cases in the U.S. District Court for the Northern District of California.
The GDPR and other recent data breach notification and security laws, such as Canada’s mandatory breach notification requirements that took effect last November, could provide plaintiffs’ attorneys with “additional bases for these claims,” according to Melissa Krasnow, a privacy and data security partner at VLP Law Group LLP in Minneapolis.
Motto said the laws give investors “more ammunition to bulk up their complaints.”
In the Equifax case, a federal district court in Georgia allowed securities fraud claims to move forward against the company because the plaintiffs adequately alleged Equifax knowingly or recklessly made misleading statements about its cybersecurity systems.
The plaintiffs also sufficiently alleged that Equifax misled the public about complying with cybersecurity regulations, the U.S. District Court for the Northern District of Georgia said. The plaintiffs had amended their complaint in April 2018 to say, among other things, that Equifax falsely stated it complied with federal data privacy laws such as the Gramm-Leach-Bliley Act, state data protection laws, and industry standards.
The Jan. 28 decision will encourage more plaintiffs to include data protection regulations like the GDPR in their allegations, Gesser said. “Companies now will need to be even more careful in making affirmative statements about cybersecurity compliance, including compliance with cybersecurity and privacy regulations,” he said.
Still, securities fraud claims are difficult to pursue because plaintiffs have to show the defendant acted with fraudulent intent or knowledge, Craig Newman, a partner at Patterson Belknap Webb & Tyler LLP who leads the firm’s privacy and data security group, said.
The Northern District of California court dismissed claims against PayPal because the plaintiffs didn’t show the company knowingly or recklessly misled investors. The shareholders alleged that PayPal never said how many customers were affected by a 2017 breach. But the Paypal court said the shareholders didn’t provide enough facts to suggest the company knew the full extent of the hack at the time.
Companies have to determine the proper time to disclose a breach to ensure the information they have is accurate, Newman said. It’s hard to claim a company’s “good faith judgment call was purposefully misleading,” he said.
The Equifax decision shows that securities fraud class actions involving data incidents can be viable, Gesser said. But there is still a high pleading threshold, and depending on the facts available, plaintiffs may have to get creative for their complaints to survive the early stages of litigation, he said.