I wouldn’t ordinarily write about the same company or set of circumstances two days in a row, but because of developments following in the wake of the data breaches Yahoo announced last year, the company’s name has come up again. Yesterday, I wrote about the investigation the SEC reportedly is pursuing in connection with Yahoo’s alleged delays in disclosing the data breaches. It turns out that yesterday a plaintiff shareholder also filed a securities class action lawsuit in the Northern District of California against Yahoo and certain of its directors and offices relating the company’s reported data breaches. A copy of the complaint the plaintiff filed on January 24, 2017 can be found here.
As I noted yesterday, and as discussed in detail here, Yahoo announced two data breaches during 2016. The first, which Yahoo announced in September 2016, took place or at least began sometime during 2014, and resulted in hackers obtaining data from over 500 million user accounts. A separate data breach, which apparently took place or began during 2013 but that Yahoo first announced in December 2016, affected over 1 billion user accounts.
The plaintiff’s securities class action complaint names as defendants the company, its CEO, Marissa Meyer, and its CFO, Kenneth Goldman. In their January 24, 2017 press release (here), the plaintiff’s lawyers state that the complaint alleges that Defendants made false or misleading statements or failed to disclose that:
(i) Yahoo failed to encrypt its users’ personal information and/or failed to encrypt its users’ personal data with an up-to-date and secure encryption scheme; (ii) consequently, sensitive personal account information from more than 1 billion users was vulnerable to theft; (iii) a data breach resulting in the theft of personal user data would foreseeably cause a significant drop in user engagement with Yahoo’s websites and services; and (iv) as a result, Yahoo’s public statements were materially false and misleading at all relevant times.
The complaint alleges that following the company’s September 2016 disclosure, the company’s share price declined 3.06%. The complaint alleges that following the company’s December’s 2016 data breach disclosure, the company’s share price declined 6.11%.
The complaint also references Yahoo’s July 25, 2017 announcement that it would be selling its core business to Verizon Communications. The complaint alleges that following the company’s December 2016 data breach disclosure, “several news sources reported that Verizon was considering ways to amend the terms of tis deal with Yahoo to reflect the impact of the data breach and would likely seek ‘major concessions’ from Yahoo.”
Finally, the complaint also references January 23, 2017 Wall Street Journal article (here), discussed in yesterday’s post, in which the Journal reported that the SEC had opened an investigation into the timing of Yahoo’s disclosures regarding the data breach.
The plaintiff’s complaint does not allege that the defendants engaged in insider trading or personally benefitted from the transaction. Rather, and in order to try to satisfy the requirements for pleading scienter, the plaintiff alleges (in paragraph 85 of the complaint) that the individual defendants acted with scienter “in that they knew that the public documents issued or disseminated in the name of Yahoo were materially false and misleading; knew that such statements or documents would be issued or disseminated to the investing public; and knowingly or substantially participated or acquiesced in the issuance or dissemination of such statements or documents as primary violations of the securities laws.”
The plaintiff purports to represent a class of persons who acquired common shares of Yahoo between November 12, 2013 and December 14, 2016. The class period commencement date coincides with the date on which Yahoo filed its Form 10-Q for the third quarter of 2016; the significance is that the first of the two reported data breaches (the one the company disclosed in December 2016), appears to have taken place or at least commenced in August 2013, during 3Q2013.
As I suggested in yesterday’s post, despite the poor track record plaintiffs have had so far in pursuing data breach-related D&O claims, it is far too early to set off the all clear signal. Even after the November 2016 dismissal in the Home Depot case, I suspected that the plaintiffs’ lawyers would continue to experiment and continue to try to file data breach-related D&O lawsuits; sure enough, within days after the Home Depot dismissal, a plaintiff filed a shareholder derivative lawsuit against Wendy’s (about which refer here). We now have this latest lawsuit, filed in the form of a securities class action against Yahoo.
There have been relatively few data breach-related securities class action lawsuits filed, in part because as everyone has become inured to news about data breaches, companies share prices generally don’t react to data breach disclosures. Indeed, while the plaintiff in the Yahoo case expressly relies on the movement in Yahoo’s share prices following the company’s data breach disclosures, it has to be said that the share price declines on which the plaintiff is relying are not huge.
The plaintiff and his counsel have their own reasons for filing the complaint now (I suspect it has something to do with the appearance of the Wall Street Journal article), but there is an argument that this complaint is premature. The complaint tries to rely on the fact that the news about the data breach might affect the proposed Verizon transaction. However, it isn’t yet clear whether or to what extent the data breach news will affect the transaction. Yesterday, Verizon did on January 23, 2017 report (as part of its quarterly earnings release) that the Verizon transaction, which had been planned to close in Q17, now will not close until Q217. As things stand, it isn’t clear (other than with respect to the delay itself) what impact if any the data breach disclosures will have on the Verizon transaction. It just seems like the complaint would make more of an impact once it is clear whether the data breach disclosures will affect the transaction.
In any event, it will remain to be seen whether there claimant will be any more successful than the other claimants that have tried to pursue data breach related D&O claims. The plaintiff will undoubtedly face certain hurdles, such as proving that the allegedly withheld information was material and whether the plaintiff has sufficiently pled scienter.
One complaint does not represent a trend and so it is hard to generalize from the filing of this one complaint to generalize about what it might represent as far as future claims. The one thing it does show is that, as I have previously suggested, the plaintiffs’ lawyers will continue to experiment in this area as they seek to find the way that they are going to be able to make money off of these kinds of circumstances.