One of the most-watched corporate and securities litigation trends in recent years has been the incidence of D&O claims after companies experience data breaches. Although there have been a number of high profile claims along the way, the volume of data breach-related D&O claims has never quite lived up to the hype. Just the same, these kinds of claims have continued to be filed. The most recent case is a securities class action lawsuit that has now been filed against educational services company Chegg, Inc., after its recent announcement of a data breach involving customer data. The Chegg lawsuit, filed on September 27, 2018 in the Northern District of California, can be found here.
Chegg is a direct-to-student learning platform providing educational materials and services to high school and college students. In a September 25, 2018 filing on Form 8-K, the company announced that on September 19, 2018, the company learned that on or around April 29, 2018, an unauthorized party “gained access” to a company database that hosts user data for Chegg.com and certain of the company’s family of brands.
The information obtained “could include a Chegg user’s name, email address, shipping address, Chegg username, and hashed Chegg password.” The company’s investigation of the breach, supported by third-party forensics is continuing. The company says that the “no social security numbers or financial information such as users’ credit card numbers or bank account information was obtained. The company intended to start notifying approximately 40 users as of September 26, 2018.
According to the subsequent complaint, the company’s share price fell $3.91, or approximately 12% in trading the day following the release of the data breach news.
The September 27, 2018 Complaint
On September 27, 2018, a Clegg shareholder filed a securities class action lawsuit in the Northern District of California against Chegg and its CEO, Daniel Rosensweig. The complaint purports to be filed on behalf of Clegg investors who purchased between July 30, 2018 and September 25, 2018.
The complaint alleges that the defendants failed to disclose to investors: (1) that the company “lacked adequate security measures to protect users’ data”; (2) that the company “lacked the internal controls and procedures to detect unauthorized access”; (3) that as a result of the foregoing the company “would incur additional expense and litigation risks”; (4) that defendants’ positive statements about the company’s business, operations, and prospects were “material false and/or misleading and/or lacked a reasonable basis.
The complaint asserts claims against both defendants and seeks to recover damages under Section 10 of the Securities and Exchange Act of 1934 and Rule 10b-5 thereunder, and against defendant Rosensweig under Section 20 of the ’34 Act.
One way in which the circumstances involving Chegg differ from those involving other companies that have been hit with data breaches is that unlike many other companies in that situation, Chegg’s share price declined a significant amount on the news of the breach. In many other instances, companies’ share prices have not declined materially on news of a data breach, which is one reason why there have not been more securities suits following the release of data breach news. (Of course, there have been some notable exceptions, including, for example, Yahoo and Equifax, both of which were hit with securities suits.)
The Chegg lawsuit has only just been filed and it remains to be seen how it will fare. It is worth noting that there apparently was only a small delay of only a few days’ time between the discovery of the breach on September 19, 2018 and its public disclosure on September 25, 2018, so the case lacks the dramatic appeal that a protracted delay might provide for a plaintiffs’ case (as, for example, was the case in the Yahoo securities suit).
Another factor that could affect the success of the Chegg lawsuit is the absence of dramatic circumstances to support the plaintiff’s scienter allegations. There are, for example, no insider trading allegations or any other allegations to suggest that the company or its executives profited by withholding news of the breach or misrepresented the readiness of the company’s security measures and internal controls. Instead, the plaintiffs allege only that the defendants “knew” the alleged omissions were false and misleading but nevertheless participated in or acquiesced in the public dissemination of the misleading information. (See paragraph 32 of the complaint.)
I will say that the complaint is pretty bare bones. It does not contain detailed examples of the ways that the company supposedly misled investors about its data security or internal controls, and it contains little by way of examples of the ways in which the company’s actual data security conditions or internal controls differed from what was represented to investors. In the absence of these kinds of allegations, the complaint reads more like a mismanagement case (at best), rather than a misrepresentation case.
But regardless of the potential merits of the new Chegg lawsuit, the fact of its filing is, for me at least, noteworthy. Earlier this year, when news emerged that the Yahoo data breach-related securities class action lawsuit had settled for $80 million, I thought the news of the settlement might hearten prospective claimants and potentially encourage further data breach-related D&O claims. Up until that point, there had not been any significant recoveries in any data breach-related D&O claims; the significant amount of the Yahoo settlement, I thought, might encourage plaintiffs’ lawyers to file more of these kinds of claims. Up until now, however, there really have not been more of these kinds of data breach-related D&O lawsuits filed. There is nothing about the new case to suggest any particular relation to the earlier settlement of the Yahoo lawsuit, but it is at least another instance of a D&O claim.
Though there have been relatively few data breach-related D&O claims, this area has been and will continue to be one of the key D&O litigation trends that observers will continue to watch. Though these kinds of cases have never really materialized in the numbers that some feared, this continues to be an important area of potential D&O liability.