[BreachExchange] Federal Court Dismisses Federal Securities Class Action Based on Data Breach

Destry Winant destry at riskbasedsecurity.com
Fri Dec 21 11:58:24 EST 2018


https://www.natlawreview.com/article/federal-court-dismisses-federal-securities-class-action-based-data-breach

For many years, the plaintiffs’ bar has been very active in bringing
class action litigation against public companies immediately after the
announcement of adverse news concerning a company, which many times
triggers a decline in the company’s stock price.  Since at least the
Yahoo data breach in 2013 (which led to a settled SEC enforcement
action and a recently-settled class action lawsuit), plaintiffs’
lawyers have been increasingly drawn to using data breach problems to
allege misconduct or fraud by corporate officials charged with keeping
the securities markets apprised of all material information about a
public company.

Disclosure about cybersecurity matters is very much a “front of mind”
issue for U.S. regulators.  In February 2018, the U.S. Securities and
Exchange Commission issued a statement providing guidance that
emphasized the importance of public companies’ attention to their
“cybersecurity” disclosure duties.  The SEC’s guidance notes the
overarching disclosure obligation as applied to cybersecurity and
cyber incidents – indicating that material information about
cybersecurity risks and cyber incidents is required to be disclosed
when necessary in order to make other required disclosures, in light
of the particular circumstances, not misleading.

However, fraud claims based on a public company’s faulty (or late)
cybersecurity issues and/or other data breach disclosures may, or may
not, prove sufficient to support a claim of fraud under the federal
securities laws.  A recent decision (available here) involving a 2017
acquisition by PayPal Holdings, Inc. makes this clear.

PayPal was sued in December 2017 three weeks after it made public
disclosure of a data breach incident at TIO Networks Corp., a
subsidiary that PayPal had recently acquired, that potentially
impacted the data security of 1.6 million customers.  Shareholder
plaintiffs alleged that the November 2017 press release disclosures
(which triggered a 5.75% drop in PayPal’s stock price) about the
problems at the subsidiary were materially misleading, and that the
corporate officer defendants knew that the omission was misleading, in
violation of the anti-fraud provisions of the federal securities laws.

On December 13, 2018, the U.S. District Court for the Northern
District of California granted PayPal’s motion to dismiss the case.
Judge Edward Chen found that the plaintiffs had not established
“scienter” (an intent to defraud) on the part of the Company’s
officials who made public disclosure of the problem on November 10th,
and then again in early December when the scope of the data breach
problems was more fully understood by the Company.  This type of
ruling will be welcome to public companies and their directors and
officers.


More information about the BreachExchange mailing list