In the wake of credit monitoring and reporting firm Equifax’s announcement last week that it had sustained a data breach involving 143 million U.S. customers, a wave of consumer class action lawsuits has followed. In addition, the litigation wave now also includes at least one securities class action lawsuit; more securities suits are likely to follow. Although data breach-related D&O claims have not fared particularly well in the past, there are features of the Equifax situation that may put the securities suits against Equifax in a different category. An even more interesting question is the extent to which the new lawsuit portends further data breach-related securities litigation going forward.
On September 7, 2017, Equifax announced a “cybersecurity incident” potential impacting 143 million U.S. customers. The company’s press release stated that during the period mid-May through July 2017 criminals had exploited a U.S. website vulnerability to gain access to customer information. The company discovered the breach on July 29, 2017. The information accessed includes names, Social Security numbers, birth dates, addresses, and in some instances driver’s license numbers. The credit card numbers of about 209,000 U.S. consumers were also breached. Upon discovering the breach, the company launched a forensic review to determine the scope of the breach. The company also notified law enforcement officials.
Later in the day on September 7, 2017, Bloomberg reported that the company’s SEC filings showed that on August 1, 2017 – that is, just days after the company discovered the data breach — Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 trading plans. The company later issued a statement saying that none of these officials were aware of the data breach at the time they sold their shares, which in each case represented only a small percentage of their holdings.
The Equifax Consumer Litigation
Consumer class action lawsuits soon followed. On September 11, 2017, USA Today reported that at least 23 proposed consumer class action lawsuits had already been filed, adding that “additional cases are likely to come.” The newspaper noted that the number of cases and the speed with which they were filed “show an eagerness by plaintiff law firms to stake swift claims on behalf of consumers who eventually might be in line for a share of either a court judgment against Equifax or a settlement by the company.”
Among other things, the consumer lawsuits allege security negligence by Equifax, as well as the company’s delay in alerting the public. The lawsuits also refer to earlier, smaller data breaches the company sustained in 2013, 2016, and earlier this year. According to one of these lawsuits, the company “knew and should have known of the inadequacy of its own data security.”
The Equifax Securities Litigation
Along with the consumer lawsuits, the avalanche of litigation that followed Equifax’s data breach announcement now includes at least one securities class action lawsuit. Just as USA Today said with respect to the consumer lawsuits, with respect to the securities lawsuits as well, more are likely to follow.
With respect to the recently filed Equifax securities suit, the plaintiffs’ lawyers announced in a September 11, 2017 press release that they had filed in the Northern District of Georgia and on behalf of a plaintiff shareholder a securities class action lawsuit against certain executive officers and directors. According to the press release, the complaint (a copy of which can be found here) alleges that the defendants issued materially false or misleading statements or failed to disclose that “(1) the Company failed to maintain adequate measures to protect its data system; (2) the Company failed to maintain adequate monitoring systems to detect security breaches; (3) the Company failed to maintain proper security systems, controls and monitoring systems in place; and (4) as a result of the foregoing the Company’s financial statements were materially false and misleading at all relevant times.”
The complaint purports to be filed on behalf of all Equifax shareholders who purchased company shares between February 25, 2016 and September 7, 2017. The complaint names as defendants, in addition to the company itself, the company’s Chairman and CEO, Richard F. Smith, and its CFO, John W. Gamble, Jr. The complaint specifically references the trading in company shares by Gamble and other company executives. The complaint also references a variety of alleged statements by the company during the class period relating to the quality of its data protection and security measures. The complaint alleges that on the news of the company’s data breach the company’s shares fell nearly 17%.
Although observers (including me) have long been predicting that we would see significant amounts of data breach related D&O litigation, at least up to this point the litigation has never really materialized, at least not in volume.
Among the most significant reasons that we have not seen much data breach related securities class action litigation is that by and large, companies’ share prices have not really reacted significantly to the companies’ announcements that they had sustained a data breach. In the absence of significant stock price movement, the potential suits were unattractive to the plaintiffs’ lawyers.
In the absence of the kind of stock price drop that might support a securities class action lawsuit, the plaintiffs’ lawyers have filed shareholder derivative suits, at least in the few instances where a data breach has led to any kind of D&O claim. Data breach-related shareholder derivative lawsuits have fared particularly poorly, as these kinds of cases generally have been dismissed. The one exception is the Home Depot data breach-related shareholder derivative lawsuit. The Home Depot case also was dismissed but it eventually settled while the appeal of the dismissal was pending; the case settled for the company’s agreement to pay the plaintiffs’ attorneys’ fees of about $1.1 million.
The one recent exception to the generalization about the absence of data breach-related securities litigation is the securities class action lawsuit filed earlier this year relating to the massive data breach that Yahoo! announced late last year. The Yahoo! lawsuits materialized after public announcements that because of the news about the data breach, Verizon’s planned acquisition of the company was to be postponed and the terms renegotiated. The Yahoo! securities data breach-related securities class action lawsuit remains pending.
The recent Equifax securities class action lawsuit arguably represents the exceptional case where the company’s share price declined significantly after the announcement of the data breach. The share price decline following Equifax’s data breach announcement undoubtedly reflected the fact that the company’s business model depends on maintaining the confidentiality of the customers’ sensitive financial information. The sheer magnitude of the breach likely was also a factor; although the Equifax breach is not the largest data breach of all times, it may represent one of the highest profile breaches involving sensitive personal information.
The alleged insider trading may also make the Equifax case more attractive to prospective litigants. To be sure, the company has claimed that the officials were not aware of the breach when they traded. In addition, the sales themselves are relatively small and reportedly only involve small portions of the officials’ holdings. Nevertheless, the plaintiffs undoubtedly will try to argue that the officials sought to capture trading profits by trading in their shares before the news of the breach was publicly released.
The fact that the insider trading took place after the breach had been discovered but before the breach was publicly disclosed highlights the danger involved when a company delays publicly disclosing that it had sustained a cybersecurity incident. The company’s press release states that the company delayed disclosing the breach while it conducted a forensic examination of the breach to determine its scope. One of the issues that undoubtedly will be examined in great depth in the wake of Equifax’s data breach disclosure is the question of how quickly companies should disclose information about the breach, particularly if the cause, scope, and seriousness of the breach is unknown when a company discovers that it has been hacked.
How the Equifax case ultimately will fare remains to be seen; in particular it remains to be seen whether the specifics of the plaintiffs’ allegations are sufficient for the case to survive motions to dismiss. It probably should be added that there undoubtedly will be other securities complaints filed; additional lawsuits may contain additional allegations — including, for example, reference to the supposed earlier data breaches the company has sustained. Carmen Germaine’s September 11, 2017 Law 360 article entitled “Investors Could Find Litigation Success With Equifax Breach” (here) states that “a confluence of factors, including a sharp stock price drop and suspiciously timed trading, could make the credit monitoring company’s massive hack fodder for securities liability.”
Notwithstanding the lack of success plaintiffs have had with data breach-related shareholder derivative lawsuits, Equifax may seek to file derivative lawsuits against company officials as well. Several media reports have suggested that the SEC may be looking into the insider trading as well.
Whatever else might be said, the Equifax securities litigation will be interesting to follow. An even more interesting question is whether it portends further data breach-related securities class action litigation in the future. The fact that the company’s share price reacted so significantly suggests the possibility that going forward at least some companies announcing a cybersecurity incident may also experience significant stock price movement, which in turn likely would lead to securities litigation. The Equifax lawsuit, and the Yahoo! data breach securities lawsuit before it, represents a specific and relatively new category of securities class action litigation. How many of these kinds of lawsuits that will emerge is an interesting question that has important implications for the companies and for their D&O insurers.
One final note about the Equifax securities suit. The new lawsuit arguably represents the latest example of a securities lawsuit filings phenomenon I noted earlier this year – that is, the event-driven securities suit filing. That is, like the securities class action filed against Arconic after the Grenfell Tower fire, the Equifax lawsuit represents an example of the way in which an incident or event can be transformed into a securities suit
With respect to the consumer class action litigation filed against Equifax, the possibility that the cases against the company will be able to go forward will depend in large part on where the cases are consolidated for purposes of multidistrict litigation. As Alison Frankel discusses in detail in a September 8, 2017 post on her On the Case blog (here), a variety of recent decisions in various courts reaching different conclusions on standing issues creates a situation where the Equifax claimants’ ability to proceed with their consumer lawsuits will very much depend on where the cases are multi-districted.