For several years now, one of the perennial questions in the corporate and securities arena has been the extent to which cybersecurity-related issues will contribute to D&O claims. There has never really been the volume of securities and derivative lawsuits that some observers expected, but there has been a small scattering of occasional suits filed from time to time. Now, in what is the latest cybersecurity-related D&O suit, a plaintiff shareholder has filed securities class action lawsuit against pay-TV services provider, Dish Networks, related to a network service disruption at the company caused by a cyber-security incident. A copy of the March 23, 2023, complaint can be found here.

Background

Dish Networks provides pay-TV services in the United States. Throughout the class period described in the subsequently filed securities lawsuit complaint, the company, in a series of filings and other public statements, emphasized the importance to the company of providing reliable customer services and of maintaining systems and technology that assured reliable and stable customer services. The company also disclosed the investments and efforts the company deployed to ensure the security and reliability of its technology networks.

On February 23, 2023, the company disclosed during its earnings call that it had experienced a network outage that affected internal servers and IT telephony. The company activated its incident response and business continuity plans, and retained outside cyber-security experts and outside advisors to evaluate the situation.

On February 27, 2023, the comp[any became aware that, as part of the previously reported incident, data had been extracted from its IT systems. The company disclosed that it was possible that the extracted data included personal information, and that its investigation of the incident with the assistance of third-party advisors was continuing. The company also disclosed that while its wireless and data networks remain operations remained operational, but that its internal communications, customer call centers, and internet sites were affected by the incident.

The subsequently filed securities class action lawsuit alleged that on this news, the company’s share price declined over 6 percent.

The Lawsuit

On March 23, 2023, a plaintiff shareholder filed a securities class action lawsuit in the District of Colorado against Dish Networks and certain of its directors and officers. The complaint purports to be filed on behalf of a class of company investors who purchased the company’s securities between February 22, 2021, and February 27, 2023.

The complaint, which consists of extensive block quotations from the company’s filings pertaining to the company’s efforts to secure and maintain the reliability of its networks and a description of the February 2023 incident, alleges that the during the class period the defendants failed to disclose that: “(i) the Company overstated its operational efficiency and maintained a deficient cybersecurity and information technology infrastructure; (ii) as a result of the foregoing, the Company was unable to properly secure customer data, leaving it vulnerable to access by malicious third parties; (iii) the foregoing cybersecurity deficiencies also both rendered Dish’s operations susceptible to widespread service outages and hindered the Company’s ability to respond to such outages; and (iv) as a result, the Company’s public statements were materially false and misleading at all relevant times.”

The complaint alleges that the defendants violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. The complaint seeks to recover damages on behalf of the plaintiff class.

Discussion

As I noted at the outset, the volume of cybersecurity-related securities and derivative litigation some commentators expected has never really materialized, at least to extent the commentators expected. Although shareholders have in this instance filed a securities suit against Dish Networks following the company’s February 2023 incident, the circumstances involved may illustrate why the volume of litigation never really developed.

That is, even though this company experienced what appears to be a serious and seriously disruptive cybersecurity-related event, the consequent share price decline of 6% was relatively modest. In fact, that has pretty much been the pattern; the share prices of companies disclosing cybersecurity issues generally have not declined enough to attract the interest of the plaintiff’s lawyers. To be sure, the plaintiff’s lawyers had filed a suit here notwithstanding the relatively modest share price decline, but it seems that in most other instances, the plaintiffs’ lawyers are not interested.

And so, while cybersecurity-related D&O lawsuits like this one are being filed from time to time, this kind of lawsuit is still not being filed in volume. Indeed, here we are nearly at the end of the year’s first quarter and this lawsuit is the first cybersecurity-related securities suit to be filed this year. Given that there were approximately four cybersecurity-related securities suits filed in 2022, a pace of one cybersecurity-related securities suit per quarter is consistent with recent filing patterns for these kinds of cases.

There is one other reason why there have not been as many cybersecurity-related suits as some observers expected, and that is that the cases that have been filed have not fared particularly well. As I noted in my year-end wrap-up of top D&O stories of 2022, the pattern for the cybersecurity-related cases that have been filed is that mostly the cases get dismissed, with a few noteworthy exceptions where the cases ultimately settled.

This case has only just been filed, and it remains to be seen how it will fare. I will say that when the case gets to the point where the sufficiency of the pleading is to be considered, the courts will have to look long and hard to find anything in the complaint sufficient to satisfy the scienter pleading requirements.

Whatever the merits of the lawsuit, the underlying cybersecurity incident apparently was quite disruptive for the company. A March 27, 2023 Wall Street Journal article, entitled in the print edition “Dish is Still Reeling from Hack Disclosed Last Month” (here), that a month after the incident the company is “still working to get all of its operations up and running.” The company, the Journal reports, is “still struggling to access certain services such as HBO Max and other third-party streaming services, get into their accounts and reach customer-service call centers.” Many customers are “waiting for updates” on whether “their information was compromised in the data breach.”

In a recent short opinion, the Ninth Circuit held that the California statute precluding insurance coverage for loss caused by a willful act bars coverage for the underlying malicious prosecution claim even though the claim settled and there was no adjudication that the alleged willful act took place. For reasons set out below, I believe the court’s interpretation of the statute –-even though apparently well-grounded in established authority — goes beyond the statute’s purpose and plain language and produces a result that undermines the very purposes of the insurance policy. The Ninth Circuit’s March 15, 2023, opinion can be found here. A March 22, 2023 post on the Wiley Law Firm’s Executive Summary Blog about the decision can be found here.

Continue Reading Adjudication Not Required for California’s Statutory Willful Act Coverage Preclusion

The collapse of Silicon Valley Bank is one of those singular events, charged with implications and fraught with dangerous possibilities, but that is also still so recent that it is difficult to discern what it ultimately will mean. Earlier this week, in an excellent webinar presented by the Rock Center for Corporate Governance at the Stanford Law School and entitled “Silicon Valley Brawl: Litigation, Accounting, and Regulatory Implications of SVB’s Collapse,” Stanford Law Professors Joseph Grundfest and Colleen Honigsberg and University of California Berkeley Law Professor Robert Bartlett took a detailed look at the causes and potential consequences SVB’s failure. This presentation, a video recording of which may be found here, is excellent, and the accompanying slides, which may be found here, make for indispensable reading for anyone who wants to try to understand what happened at SVB and what it might mean from a legal, financial, and regulatory standpoint. My thanks to the Rock Center and Stanford Law School for permission to link here to the webinar recording and to the slides.

Delaware’s courts traditionally have said that breach of the duty of oversight claims (sometimes referred to as Caremark claims) are “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.” However, in series of cases following the Delaware Supreme Court’s 2019 decision in Marchand v. Barnhill, Delaware courts have sustained a number of breach of the duty of oversight claims. More recently, Vice Chancellor Laster, in a pair of decisions in the McDonald’s case, elaborated significantly on the reach of duty of oversight. Among other things, Laster made it clear that the duty extends to corporate officers as well as to directors. Some commentators (including me) were concerned that Laster’s elaborations could lead to further lawsuits alleging breach of the duty of oversight.

Now, in what is the first high-profile post-McDonald’s Caremark claim of which I am aware, a group of four institutional investors has brought a breach of the duty of oversight claim against certain directors and officers of Meta, alleging that the executives failed to take sufficient action with respect to allegations that the company’s social media sites were being used for human trafficking. The new complaint appears to have been shaped to reflect many of the implications arising from Laster’s decisions in the McDonald’s case. A copy of the redacted public version of the plaintiffs’ March 20, 2023, complaint in the Meta case can be found here.

Continue Reading Meta Board and Execs Hit with Oversight Duty Breach Claim Based on Trafficking Allegations
Planet Earth

Many readers may have seen that earlier this week, President Biden made his first use of his Presidential veto powers to block a Congressional measure that would have reinstated Trump-era Labor Department ban on retirement plans considering factors such as climate change, social impacts or pending lawsuits when making investment choices. However, readers may not have seen that last week, in apparent anticipation of the Presidential veto, a group of governors of 19 states announced that they had formed an alliance, led by Florida Governor Ron DeSantis, to “push back against President Biden’s environmental, social, and corporate governance agenda that is destabilizing the American economy and the global financial system.”

The 19 state governors issued a joint statement that further explained their reasoning for forming the alliance. The March 16, 2023, press release from Governor DeSantis’s office about the alliance can be found here. The March 16, 2023, joint statement of the governors can be found here. A March 21, 2023 memo from the Cadwalader law firm about the governors’ alliance can be found here. The details of the Department of Labor guidelines, the Congressional measure, and President Biden’s veto are discussed in a March 20, 2023 post on The Nickel Blog, here.

Continue Reading Governors Form Alliance to Fight ESG

At the beginning of the year, when I surveyed the D&O claims landscape and predicted the factors that I thought might drive D&O claims volume in 2023, one set of factors I projected might make significant contributions to the number of claims to be filed during the year were the number of macroeconomic challenges – for example, rising interest rates, economic inflation, labor supply disruption, and the war in Ukraine. The recent failure of Silicon Valley Bank and the ensuing securities litigation provides one illustration of how these macro factors can translate into D&O claims.

Now, in the latest illustration of these forces at work, investors have filed a securities lawsuit against the organic foods company United Natural Foods, following the company’s recent disappointing earnings announcement in which the company disclosed a decline in profitability, despite increasing sales, due to inflationary pressures. A copy of the March 20, 2023, lawsuit against United Natural Foods can be found here.

Continue Reading Inflation Hits Organic Food Company’s Quarterly Results, Draws Securities Suit

The opioid crisis in the United States is not a new development; sadly, it has been around for years, as has D&O litigation relating to the crisis. Indeed, more than five years ago, I published a post in which I noted the outbreak at the time of a number of opioid-related securities suits. Now, in the latest of these opioid-related securities suits to be filed, and in the wake of the U.S. Department of Justice’s filings of a complaint in intervention in an opioid-related False Claims action against the company, a securities class action lawsuit has now been filed against the pharmacy company, Rite Aid Corporation. The March 20, 2023, Rite Aid complaint can be found here.

Continue Reading Rite Aid Hit with Opioid-Related Securities Suit

       

The securities class action lawsuits filed last week against failing or troubled banks felt as if the plaintiffs’ attorneys filing the suits were typing their complaints directly from the text of the day’s newspapers. Another suit filed last week referred to a slightly earlier but even more dramatic news story, the tragic train derailment in East Palestine, Ohio, of a Norfolk Southern freight train. The events surrounding the train disaster undoubtedly will be the subject of personal and environmental lawsuits for years to come. Now, the high-profile event is also the subject of a securities class action lawsuit, in the most recent example of the ways that operational events, rather than financial disclosures, increasingly can lead to securities litigation. A copy of the March 16, 2023, complaint can be found here.

Continue Reading Ripped from the Headlines: Norfolk Southern Hit with Securities Suit      

Scott Schechter
Paul Curley

Readers will recall that month when Cornerstone Research issued its annual report on securities class action lawsuit filings, the report showed that the number of crypto-related securities suits had soared, with 21 crypto-related suits filed in 2022, compared to only 11 in 2021. In the following guest post, Scott Schechter and Paul Curley take a look at this emerging new trend in securities class action lawsuit filings involving cryptocurrency and other digital asset-related securities suits. Scott and Paul are Partners in Kaufman Borgeest & Ryan’s Coverage Group in New York. I would like to thank Paul and Scott for allowing me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul and Scott’s guest post.

Continue Reading Guest Post: Crypto is the New Frontier in Securities Fraud Litigation

Earlier this week, securities class action lawsuits were filed against the recently failed U.S. banks, Silicon Valley Bank and Signature Bank. The turmoil that surrounded those banks’ failure sent ripples into the global banking industry; one of the institutions particularly affected by the ensuing turbulence was the European banking giant, Credit Suisse. After a series of events at the bank earlier this week (described below), the company’s share price tanked, the Swiss banking regulator extended the bank a financial lifeline – and the bank was hit with a securities class action lawsuit, the third this week involving a bank caught up in the sudden wave of banking industry disorder. The new lawsuit filed on March 16, 2023, against Credit Suisse can be found here.

Continue Reading Now It’s Credit Suisse’s Turn: Swiss Bank Hit with Securities Suit