Commentators (including me) have long speculated about the possible future direction of data breach-related litigation. There have of course been a number of very high-profile data breach-related consumer class action suits, but so far relatively few data breach-related D&O lawsuits. Of course, more recently investors filed a securities class action lawsuit involving the high-profile data breach at Equifax. Now investors have filed another data breach securities class action lawsuit, in this case involving PayPal Holdings.



The new PayPal data security-related securities lawsuit involves developments at the company following its July 18, 2017 acquisition of bill-pay management company TIO Networks Corp. In a November 10, 2017 press release (here), PayPal announced that to protect its customers, TIO had “suspended operations.” The press release said PayPal had discovered “security vulnerabilities on the TIO platform and issues with TIO’s data security program that do not adhere to PayPal’s information security standards.” (PayPal’s network was not affected.) PayPal said it had initiated an internal investigation of TIO and was consulting with third-party cybersecurity experts.



In a December 1, 2017 press release (here), PayPal provided an update on the suspension of operations at TIO. The press release said that as a result of the review of TIO’s network, the company had identified “a potential compromise of personally identifiable information for approximately 1.6 million customers.”  The press release also said that the ongoing investigation had “identified evidence of unauthorized access to TIO’s network, including locations that stored personal information of some of TIO’s customers and customers of TIO billers.” TIO is working with companies it services to notify potentially affected individuals.


The Lawsuit

In a December 6, 2017 press release (here), plaintiffs’ lawyers announced that they had filed a securities class action lawsuit in the Northern District of California against PayPal and certain of its officers. The complaint purports to be filed on behalf of investors who purchased PayPal shares between February 14, 2017 (when the TIO Networks acquisition was first announced) and December 1, 2017.


According to the press release, the plaintiff’s complaint (a copy of which can be found here) alleges that the defendants made false and misleading statements or failed to disclose that: “(i) TIO’s data security program was inadequate to safeguard the personally identifiable information of its users; (ii) the foregoing vulnerabilities threatened continued operation of TIO’s platform; (iii) PayPal’s revenues derived from its TIO services were thus unsustainable; (iv) consequently, PayPal had overstated the benefits of the TIO Acquisition; and (v) as a result, PayPal’s public statements were materially false and misleading at all relevant times.”


The complaint alleges that on December 4, 2017, the first trading day after PayPal’s December 1 announcement, PayPal’s share price declined by 5.75%. The plaintiff alleges that the defendants violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 as well as Rule 10b-5. The complaint seeks to recover damages on behalf of the allegedly harmed shareholders.



The PayPal lawsuit joins the recently filed lawsuit against Equifax as data breach-related lawsuits that have been filed in recent months. Interestingly, the Equifax and PayPal lawsuits were both filed as securities class action lawsuits. Many of the previously filed data breach-related D&O lawsuits were not filed as securities class actions but rather were filed as shareholder derivative lawsuits. (Notably, these early lawsuits were uniformly unsuccessful as well.) The reason the earlier cases were filed as derivative suits rather than as securities class action lawsuits was that in each case there had not been a significant drop in the defendant company’s share price when the company’s data breach was disclosed.


In Equifax’s case, its share price declined approximately 40% on the data breach disclosure, which explains why the lawsuit against Equifax was filed as a securities class action lawsuit. However, the securities class action lawsuit filing against PayPal is a little harder to understand, as the company’s share price declined less than six percent on the data breach news.


In the past, a share price decline of only six percent almost certainly would not have attracted a securities suit. However, in the current environment, where the number of securities suits is up sharply even though the number of publicly traded companies has declined sharply, suits that might not have been filed in the past are now being filed. In that regard, it is noteworthy that the plaintiffs’ law firm that filed the PayPal lawsuit is one of the so-called “emerging law firms” that have been responsible for so much of the increased securities class action lawsuit filing activity.


While the PayPal lawsuit has only just been filed and it remains to be seen how it will fare, one obvious hurdle the complaint will face is the scienter pleading requirement. The company’s press releases show that PayPal discovered the security problems at TIO, that PayPal investigated the security problems, and that PayPal then announced that its investigation had unearthed the apparent compromise of 1.6 million customers’ personally identifiable information. One obvious interpretation of this timeline is that the company has been proactive and transparent.


The plaintiff’s complaint against PayPal does not allege that there has been any insider trading or any other activity to suggest that the defendants were financially motivated to deceive investors. Indeed, the complaint does not identify anything that supposedly motivated the defendants to mislead investors. In order to try to meet the scienter pleading requirement, the complaint alleges only that the defendants and senior company officials had “actual knowledge” of the material misrepresentations and omissions and “intended to deceive” investors, or in the alternative, “acted with reckless disregard for the truth when they failed to ascertain and disclose the true facts in the statements made by them or other PayPal personnel.”


The complaint does not provide any factual basis for these allegations of knowledge, intent, and recklessness. Based on the current allegations, the plaintiff will be hard pressed to argue that the allegations in the complaint support an inference of scienter as plausible as any other inference. Indeed, as I noted above, as far as I can tell, the only plausible inference from the available record is that the company proceeded proactively and transparently in order to try to protect TIO’s customers.


While it remains to be seen how the new PayPal lawsuit will fare, the case does raise the question of what it portends in terms of the likelihood for future data breach-related D&O litigation. Certainly if a stock price drop on the order of magnitude that PayPal experienced is enough to attract a lawsuit we could expect to see more of these kinds of lawsuits in the months ahead. How many of these lawsuits we might see is an interesting and important question for companies and their D&O insurers alike.



One final note. It used to be that securities lawsuits were about financial misrepresentations. Anymore it seems that what securities lawsuits are about is events. The new PayPal lawsuit is yet another example of what I have called event-driven litigation. That is, like the securities class action filed against Arconic after the Grenfell Tower fire, the PayPal lawsuit represents an example of the way in which an incident or event can be transformed into a securities suit. The problem for everyone with the advent of this event-driven litigation phenomenon is that just about any time any company experiences an adverse development, the company gets hit with a securities suit. This phenomenon is one of the significant factors in the increased numbers of securities lawsuit filings this year. It is also largely being driven by those same “emerging law firms.”