For several years now, one of the perennial questions in the corporate and securities arena has been the extent to which cybersecurity-related issues will contribute to D&O claims. There has never really been the volume of securities and derivative lawsuits that some observers expected, but there has been a small scattering of occasional suits filed from time to time. Now, in what is the latest cybersecurity-related D&O suit, a plaintiff shareholder has filed securities class action lawsuit against pay-TV services provider, Dish Networks, related to a network service disruption at the company caused by a cyber-security incident. A copy of the March 23, 2023, complaint can be found here.
Dish Networks provides pay-TV services in the United States. Throughout the class period described in the subsequently filed securities lawsuit complaint, the company, in a series of filings and other public statements, emphasized the importance to the company of providing reliable customer services and of maintaining systems and technology that assured reliable and stable customer services. The company also disclosed the investments and efforts the company deployed to ensure the security and reliability of its technology networks.
On February 23, 2023, the company disclosed during its earnings call that it had experienced a network outage that affected internal servers and IT telephony. The company activated its incident response and business continuity plans, and retained outside cyber-security experts and outside advisors to evaluate the situation.
On February 27, 2023, the comp[any became aware that, as part of the previously reported incident, data had been extracted from its IT systems. The company disclosed that it was possible that the extracted data included personal information, and that its investigation of the incident with the assistance of third-party advisors was continuing. The company also disclosed that while its wireless and data networks remain operations remained operational, but that its internal communications, customer call centers, and internet sites were affected by the incident.
The subsequently filed securities class action lawsuit alleged that on this news, the company’s share price declined over 6 percent.
On March 23, 2023, a plaintiff shareholder filed a securities class action lawsuit in the District of Colorado against Dish Networks and certain of its directors and officers. The complaint purports to be filed on behalf of a class of company investors who purchased the company’s securities between February 22, 2021, and February 27, 2023.
The complaint, which consists of extensive block quotations from the company’s filings pertaining to the company’s efforts to secure and maintain the reliability of its networks and a description of the February 2023 incident, alleges that the during the class period the defendants failed to disclose that: “(i) the Company overstated its operational efficiency and maintained a deficient cybersecurity and information technology infrastructure; (ii) as a result of the foregoing, the Company was unable to properly secure customer data, leaving it vulnerable to access by malicious third parties; (iii) the foregoing cybersecurity deficiencies also both rendered Dish’s operations susceptible to widespread service outages and hindered the Company’s ability to respond to such outages; and (iv) as a result, the Company’s public statements were materially false and misleading at all relevant times.”
The complaint alleges that the defendants violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. The complaint seeks to recover damages on behalf of the plaintiff class.
As I noted at the outset, the volume of cybersecurity-related securities and derivative litigation some commentators expected has never really materialized, at least to extent the commentators expected. Although shareholders have in this instance filed a securities suit against Dish Networks following the company’s February 2023 incident, the circumstances involved may illustrate why the volume of litigation never really developed.
That is, even though this company experienced what appears to be a serious and seriously disruptive cybersecurity-related event, the consequent share price decline of 6% was relatively modest. In fact, that has pretty much been the pattern; the share prices of companies disclosing cybersecurity issues generally have not declined enough to attract the interest of the plaintiff’s lawyers. To be sure, the plaintiff’s lawyers had filed a suit here notwithstanding the relatively modest share price decline, but it seems that in most other instances, the plaintiffs’ lawyers are not interested.
And so, while cybersecurity-related D&O lawsuits like this one are being filed from time to time, this kind of lawsuit is still not being filed in volume. Indeed, here we are nearly at the end of the year’s first quarter and this lawsuit is the first cybersecurity-related securities suit to be filed this year. Given that there were approximately four cybersecurity-related securities suits filed in 2022, a pace of one cybersecurity-related securities suit per quarter is consistent with recent filing patterns for these kinds of cases.
There is one other reason why there have not been as many cybersecurity-related suits as some observers expected, and that is that the cases that have been filed have not fared particularly well. As I noted in my year-end wrap-up of top D&O stories of 2022, the pattern for the cybersecurity-related cases that have been filed is that mostly the cases get dismissed, with a few noteworthy exceptions where the cases ultimately settled.
This case has only just been filed, and it remains to be seen how it will fare. I will say that when the case gets to the point where the sufficiency of the pleading is to be considered, the courts will have to look long and hard to find anything in the complaint sufficient to satisfy the scienter pleading requirements.
Whatever the merits of the lawsuit, the underlying cybersecurity incident apparently was quite disruptive for the company. A March 27, 2023 Wall Street Journal article, entitled in the print edition “Dish is Still Reeling from Hack Disclosed Last Month” (here), that a month after the incident the company is “still working to get all of its operations up and running.” The company, the Journal reports, is “still struggling to access certain services such as HBO Max and other third-party streaming services, get into their accounts and reach customer-service call centers.” Many customers are “waiting for updates” on whether “their information was compromised in the data breach.”