There has been extensive litigation filed in the wake of the many high-profile data breaches over the last several years, but by and large the lawsuits have been filed on behalf of consumers or employees. Along the way, there have also been lawsuits filed against the directors and officers of the companies that experienced the data breaches – for example, shareholders derivative lawsuits were filed against directors and officers at Target (about which refer here) and Wyndham Worldwide (about which refer here).
But there have not been D&O lawsuits filed involving many of the other recent high-profile data breaches. Indeed, as I noted in a recent post, there are a number of specific reasons why there may be no D&O litigation relating to the Sony Pictures Entertainment breach. In addition, and so far at least, there has been no D&O litigation relating to the Anthem data breach, the Home Depot data breach, or any of the many other high-profile data breaches that have occurred over the last few months.
So in assessing the data breach-related claims to date, we have relatively few derivative lawsuits, a couple of which were mentioned above, but so far not much in the way of securities class action litigation. To be sure, in 2009, there was a securities class action lawsuit filed against Heartland Payment Systems and certain of its directors and officers related to the company’s massive data breach. (The court granted the defendants’ motion to dismiss in that case.) None of the more recent high-profile data breaches have resulted in securities class action lawsuits.
However, despite the fact that the wave of high-profile data breaches has not yet led to an uptick in securities class action litigation, in a March 17, 2015 post on his D&O Discourse blog (here), Doug Greene of the Lane Powell law firm says that he “remain(s) convinced that a wave is coming, perhaps a tidal wave.” Moreover, Greene predicts that the wave will not only include shareholders derivative lawsuits of the type that were filed against Target and Wyndham Worldwide, but also securities class action lawsuits and SEC enforcement matters.
In making this prediction, Greene first focuses on the usual reason given when the question is asked about why there hasn’t been more data breach-related securities class action litigation so far. The reason, it is often suggested, is that at least to this point most of the high-profile data breaches have not resulted in a significant drop in the affected company’s share price. Greene reviews the reasons usually given for this absence of price decline, which is that in a world in which all companies potentially are susceptible to a cyber attack, the occurrence of a data breach is basically random and doesn’t say much about the company’s business or its future financial performance.
Greene suggests that this dynamic is about to change. In effect, he is predicting that in the future news of a data breach may well affect the share prices of at least some of the companies involved. First, he predicts that in a world where companies are now working hard to improve their cyber security, the company’s cyber security standards may become a basis of competition. Some companies may seek to secure business or even investment based on the extent of their own cyber security. If cybersecurity becomes a competitive issue and in particular if companies start touting the extent of their cyber protection, the companies’ statements will be “susceptible to challenge as false or misleading if they suffer a breach.” If the company’s share price reflects a widespread perception that the company has a competitive advantage based on its cybersecurity, its share price might well decline, perhaps significantly, if the company experiences a problem.
Greene adds that the SEC is focused on cybersecurity disclosure and “inevitably will start to more aggressively police disclosures.” In addition, he predicts that whistleblowers from IT departments will start to surface, and auditors will begin to prompt disclosures as they increase their focus on the financial impact of cybersecurity breaches.
I have no way of knowing whether or not there will be significant numbers of securities class action lawsuits in the future. Indeed, in answering his own question of whether or not data breach securities class action lawsuits will become a prominent type of securities class action lawsuit, Greene himself says “I doubt it.”
There are reasons to be modest about these types of predictions; there have been past predictions and speculations about possible data breach-related securities lawsuits, but so far, there has been little action in that department. But I do think there are reasons to be concerned that there may be significant securities class action litigation related to data breaches in the future.
In addition to all of the reasons Greene cites, I think there is at least one additional reason to be concerned about possible future data breach-related securities class action litigation. That is, the plaintiffs’ bar has an incentive to try to find a way to capitalize on the adverse publicity surrounding a company that has experienced a data breach. Some plaintiffs’ lawyers are now focused on the consumer and employee privacy breach-related claims. But the plaintiffs’ lawyers will also consider possible D&O claims as well, when the right circumstances arise.
Along those lines, at the PLUS D&O Symposium in New York in February, one of the leading plaintiffs’ securities attorneys, when asked to make a prediction about future litigation trends, expressly said that he expects there to be significant data breach-related litigation – and he added that he hopes to be the one bringing the claims. In other words, when the right circumstances present themselves, the plaintiffs’ lawyers will not hesitate to file the claims. Up until now, they have simply been considering what their opportunity might be. I would expect them to act when they think they have found their opportunity.
I also agree with Greene that the SEC will play a significant role here. The SEC has made it clear that cyber security disclosure is a priority. It has been over three years since the SEC released its Disclosure Guidance on cyber security, but many companies still have not yet adapted their disclosure practices (as discussed here). Several of the individual SEC commissioners have made it clear in individual speeches that cyber security issues generally remain an agency priority (refer for example here). What active future steps the agency might take remains to be seen, but it does seem at least possible that the agency might use an enforcement action as a more aggressive way to send a message on these issues. If the agency uses its enforcement authority in that way, the plaintiffs’ lawyers will not be far behind.
In the immortal words of that astute sage, Yogi Berra, it’s tough to make predictions, especially about the future. Though the future remains uncertain, I do agree with Greene that when it comes to the possibility of future data breach-related securities class action litigation, “the risk is high enough that all companies need to pay more attention to their cybersecurity disclosures.” I also agree with him that insurers, brokers and risk managers need to be mindful of the potential securities class action risk in this area.
Questions About Delaware’s Proposed Fee-Shifting Bylaw Legislation: As discussed in a recent post (here, second item), the Delaware Corporation Law Council has recently proposed draft legislation that among other things would prohibit Delaware companies from adopting a fee-shifting bylaw. In a March 16, 2015 post on the CLS Blue Sky Blog (here), Columbia Law School Professor John Coffee takes a detailed look at the draft question. Among other things, he examines the provision of the proposed legislation that restricts bylaws that shift fees in connection with “an intracorporate claim.” Coffee questions whether this provision as worded would prohibit a bylaw shifting fees for a federal securities claim, as opposed to “Delaware-style” litigation.
Coffee then examines the issues that might arise if the Delaware statutory provision as adopted only prohibits the adoption of a bylaw shifting fees for Delaware-type litigation, and a company adopts a bylaw requiring fee shifting in connection with a federal securities suit. Coffee examines the various preemption and other issues that might arise under the PSLRA and otherwise if a company were to try to adopt such a fee-shifting bylaw.
The article is technical and interesting and suggests that even if the Delaware legislature adopts the proposed legislation, fee-shifting bylaw questions could continue to follow.
More About Litigation Reform Bylaws: Along with the fee-shifting bylaws, another litigation reform bylaw that has been under recent discussion has been the possibility of a bylaw requiring the arbitration of shareholder disputes, perhaps with a class action waiver. I have discussed the possibility of these types of bylaws in prior posts on this blog, most recently here.
In a March 18, 2015 post on the CLS Blue Sky Blog (here), Visiting Duke Law School Professor Ann Lipton examines the legal theory that has supported the assertion of the validity of these types of bylaw provisions. Basically, the courts that have upheld the validity of these arbitration bylaw provisions have subscribed to the view that the Federal Arbitration Act requires the enforcement of contractual bylaw provisions, and that a bylaw is essentially a contractual provision. In her article, Professor Lipton takes issue with both aspects of this analysis and argues that the Federal Arbitration Act is “incompatible” with corporate governance issues.