For some time now, some observers had been predicting that we would be seeing a bunch of data breach-related securities class action lawsuits, but the predicted wave never seemed to materialize. However, with a recent uptick in these kinds of cases, that could be changing. On October 8, 2018, in the latest of these kinds of lawsuits to be filed, a plaintiff shareholder filed a securities class action lawsuit against China-based Huazhu Group. As discussed below, there are a number of interesting features of this latest data breach-related securities suit.



Huazhu operates hotels in China. Its ADRs are listed on NASDAQ. On August 28, 2018, Shanghai police issued a statement on social media that they had been alerted to a possible data breach at the company. Media reports circulated stating that “nearly 500 million pieces of customer-related information from the group had emerged in an online post.”


According to the reports, the customer information included “123 million pieces of registration data on Huazhu’s official website, such as name, mobile number, ID number and log-in pin; 130 million pieces of check-in records, such as name, ID number, home address and birthday; and 240 million pieces of hotel stay records, such as name, credit card number, mobile number, check-in and check-out time, consumption amount and room number.”


According to a later statement by Huazhu, the company reported the incident to the police, initiated an internal investigation, and identified outside experts to identify the source of the leak. In a September 17, 2018 statement (here), the company also said that “To comply with police protocols, Huazhu has not disclosed the status of the investigation in the past several weeks.”


The company’s September 17 statement added that “the police have arrested the suspects who posted the reported message on a Dark Web forum in an attempt to sell certain data. The attempted sale was not successful. The suspects also attempted to blackmail Huazhu by leveraging public pressure, without success.” The statement added that the police investigation is continuing and “to comply with laws and police protocols, the Company cannot disclose additional information on the case at this time.”


The Lawsuit

On October 8, 2018, a Huazhu shareholder filed a securities class action lawsuit in the Central District of California against Huazhu and the company’s CEO. The complaint, a copy of which can be found here, refers to the media reports about the leak of client information. The complaint alleges that the price of the company’s ADRs declined over 12% in the five trading days following the news of the customer data leak.


The complaint alleged that the defendants failed to disclose to investors: “(1) that the Company lacked adequate security measures to protect customer information; (2) that, as a result of the foregoing, the Company would be susceptible to increased litigation risk and higher expenses; (3) that as a result of the foregoing, the Company’s goodwill would potentially suffer, leading to lower revenues; and (4) that as a result of the foregoing, Defendants’ positive statements about the Company’s business, operations, and prospects were materially false and/or misleading and/or lacked a reasonable basis.”



Huazhu joins a growing list of companies, along with online education company Chegg, that have been hit with data breach-related securities class action lawsuits – a list that also includes higher-profile companies such as Yahoo and Equifax. (The recently filed lawsuit against Chegg is discussed here.)


One aspect of the Huazhu lawsuit that distinguishes the company from the other companies that have been hit with data breach-related securities suits is that Huazhu is based and operates exclusively outside the U.S. The data breach also took place outside the U.S. The sequence of events involving Huazhu, including the filing of the securities suit, highlights the fact that the threat of a data security breach is not a risk that is exclusive to the U.S. Companies outside the U.S. that experience a data breach and whose securities trade on U.S. exchanges are also vulnerable to a data breach-related securities suit in the U.S. courts, an exposure the companies take on with their U.S. listing.


The Huazhu lawsuit has only just been filed. It remains to be seen how the case will fare. One specific feature of the Huazhu suit that is similar to the recently filed lawsuit against Chegg is that in both cases, the supposed scienter allegations are thin at best. In both cases, the complaints read more like mismanagement cases than securities fraud cases.


But regardless of the merits of the Huazhu complaint, the lawsuit’s filing is noteworthy to me because it represents the latest example of a data breach-related securities suit. While commentators had been predicting that we would be seeing data breach-related securities suits, the predicted lawsuits never really materialized, in large part because companies’ share prices were not declining significantly on data breach news. Indeed, while Huazhu’s share price did drop over 12%, it was a gradual decline over a number of trading days, raising certain questions about the connection between the decline and the data breach news.


Earlier this year, when parties to the Yahoo data breach-related securities suit announced an $80 million settlement of the case, I thought the magnitude of the settlement might hearten prospective plaintiffs’ lawyers and encourage them to file more data breach-related lawsuits. However, until recently, there hadn’t really been any of these kinds of lawsuits filed. Now with this lawsuit against Huazhu and the earlier lawsuit against Chegg, the question is whether there will be more of these kinds of lawsuits filed. At least based on the most recent lawsuit, there does seem to be a greater willingness to pursue these kinds of cases.