While commentators (like me) were predicting a blitz of data breach-related D&O litigation, the anticipated onslaught failed to materialize. The few cases that were filed –in the form of shareholder derivative suits — were unsuccessful. More recently, however, plaintiffs’ lawyers have been taking a different approach to data breach-related D&O lawsuits, filing their cases in the form of securities class action lawsuits. These more recent suits involve cases against Equifax (about which refer here) and PayPal (here). Now plaintiffs’ lawyers have filed yet another data breach-related securities suit, this one against Qudian, a Chinese company that just completed its IPO in October 2017.   


Qudian is a Chinese online microlender. Its ADSs are listed on the New York Stock Exchange. The company raised $900 million in its October 17, 2017 IPO, making it one of the largest IPOs this year. Barely a month after the company’s debut, a couple of developments rocked the price of the company’s ADSs. First, the Chinese government initiated a crackdown on high-interest payday loans.  Second, and at more or less the same time, news began circulating that Chinese regulators and police are investigating a leak of data from the company. Specifically, news reports suggested that “officials are probing allegations that data from more than a million students” who are Qudian clients as leaked and possibly sold online. By early December, the company’s ADSs were trading approximately 45% below the IPO price.


In a December 12, 2017 press release (here), plaintiffs’ lawyers announced that they had filed a securities class action lawsuit in the Southern District of New York against Qudian, certain of its directors and officers, and its offering underwriters. According to the press release, the complaint (a copy of which can be found here) alleges that there were material misrepresentations or omissions in the company’s offering documents.


Specifically, the complaint alleges that the offering documents failed to disclose “the fact that Qudian’s data systems and procedures were materially inadequate to safeguard sensitive borrower data against breach, and that breaches had occurred.” The complaint also alleges that the offering documents failed to disclose “that Qudian’s loan collection practices were materially deficient and/or nonexistent as the Company treated bad loans as welfare.”


The complaint alleges that these misrepresentations and omissions violated the liability provisions of Sections 11 and 15 of the Securities Act of 1933 and seeks to recover damages on behalf of a class of persons who purchased the company’s ADSs in the IPO.


The lawsuit against Qudian is the latest data breach-related D&O lawsuit to be filed in the form of a securities class action lawsuit. Many of the prior data breach-related suits were filed in the form of shareholder derivative lawsuits, for the simple reason that the share price of the company involved had not declined on news of the company’s data breach. Here, the price of Qudian’s ADSs unquestionably has declined since the company’s IPO. However, the plaintiffs are going to have a very difficult time showing that the ADS price decline is attributable to the alleged misrepresentations, given that the price of its ADSs unquestionably declined in response to the news of the Chinese authorities’ crackdown on payday lenders.


The other thing about the plaintiffs’ data breach-related allegations is that that the data breach allegations represent only a part of the alleged misrepresentations on which the plaintiffs rely in asserting their claims. So it is probably most accurate to say that this new lawsuit is partly data breach-related, and partly unrelated to the alleged data breach. The data breach allegations are nowhere near as central to the plaintiffs allegations in this lawsuit as the data breach allegations are in, say, the Equifax lawsuit.


Nevertheless, the arrival of this lawsuit with its data breach-related allegations, along with the lawsuits previously filed against Equifax and PayPal, does suggest that plaintiffs’ lawyers seem increasingly motivated to try to leverage news of a data breach into a securities lawsuit against the company involved. As we head into 2018, these kinds of allegations could represent an increasingly important part of securities class action filings, to the extent plaintiffs’ lawyers continue to file these kinds of lawsuits in reliance on data breach-related allegations.