As I have noted in several recent posts, plaintiffs’ lawyers seem to have a renewed interest in trying to pursue securities class action lawsuits against companies that have experienced a data breach. Just to cite one recent example, as discussed here, within a day of Marriott’s recent high-profile announcement of a data breach involving its Starwood unit’s customer database, plaintiffs’ lawyers filed a securities class action lawsuit against the company. While plaintiffs’ lawyers may be drawn to these data breach cases, the cases may or may not prove to be successful for them. For example, in a recent ruling in the data breach-related securities class action lawsuit filed against PayPal late last year, the court granted the defendants’ motion to dismiss. The ruling highlights many of the problems plaintiffs’ lawyers will have in trying to pursue these kinds of cases. Northern District of California Judge Edward Chen’s December 13, 2018 ruling in the case can be found here.
The PayPal data breach-related securities lawsuit involved developments at the company following its July 18, 2017 acquisition of bill-pay management company TIO Networks Corp. In a November 10, 2017 press release (here), Pay Pal announced that it had discovered “security vulnerabilities on the TIO platform and issues with TIO’s data security program that do not adhere to PayPal’s information security standards.” (PayPal’s network was not affected.) PayPal said it had initiated an internal investigation of TIO and was consulting with third-party cybersecurity experts.
In a December 1, 2017 press release (here), PayPal provided an update on the suspension of operations at TIO. The press release said that as a result of the review of TIO’s network, the company had identified “a potential compromise of personally identifiable information for approximately 1.6 million customers.” The press release also said that the ongoing investigation had “identified evidence of unauthorized access to TIO’s network, including locations that stored personal information of some of TIO’s customers and customers of TIO billers.” On December 4, 2017, the first trading day following the December 1 announcement, PayPal’s share price declined 5.75%.
On December 6, 2017, plaintiffs’ lawyers filed a securities class action lawsuit in the Northern District of California against PayPal, certain of its operating units, and certain of its directors and officers. The plaintiffs contend that the initial release failed to fully disclose the seriousness of the security breach. They contend that the defendants knew there had been an actual security breach before the November 10 press release, but instead referenced only “vulnerabilities.” The omission, the plaintiffs allege, was materially misleading and that the defendants knew the omission was misleading.
The Court’s December 13, 2018 Decision
In a December 13, 2018 Order, Judge Edward Chen granted the defendants’ motion to dismiss. While ruling that the plaintiffs had adequately pled falsity, noting that the plaintiffs had adequately pled that the initial November 10 disclosure “plausibly … created the impression that only a potential vulnerability and not an actual breach had been discovered, and certainly not one which threatened the privacy of 1.6 million users,” the plaintiffs had not adequately pled scienter.
In ruling on the scienter issue, Judge Chen noted that the plaintiffs had alleged that the public’s awareness of a data breach of 1.6 million customers had caused the 5.75% stock drop. In order to establish scienter, Judge Chen said, the plaintiffs had to show that as of the November 10 disclosure, the defendants knew not only of an actual breach, but that the privacy of 1.6 million customers had been potentially compromised.
In order to try to make this argument, the plaintiffs relied on the supposed testimony of three confidential witnesses. Reviewing the confidential witness statements, Judge Chen concluded that the statements at most establish that some of the defendants may have known that there was some kind of breach in TIO’s platform. None of the confidential witnesses, Judge Chen said, state that the defendants knew on November 10 of the magnitude of the breach affecting 1.6 million customers or even the fact that customers’ personal information had been compromised.
Accordingly, Judge Chen concluded that the plaintiffs’ reliance on the three confidential witnesses’ statements “fail(s) to satisfy the scienter of the falsity upon which their alleged loss is predicated.” Judge Chen also concluded that the plaintiffs had failed to establish control person liability under Section 20, as well.
I have to say, this was always going to be a tough case for the plaintiffs, because their theory that the defendants were lying on November 10 before telling the truth on December 1 doesn’t make any sense. Why would the defendants lie on November 10 only to reveal the truth three weeks later? Doesn’t common sense tell you that the defendants first revealed the problem when it was discovered and then revealed how bad it was once they knew how bad it was? The plaintiffs’ version lacks any plausible theory why the defendants would have deceived investors for three weeks but not after that.
Judge Chen’s discussion of the scienter issues here not only shows why the plaintiffs allegations in this case were insufficient, but also shows why plaintiffs’ allegations in many of the other data breach-related securities suits – and indeed in most of the other event-driven securities litigation – are vulnerable to motions to dismiss. Plaintiffs lawyers seem eager to file the data breach cases, and event-driven securities cases generally, but most of the cases, like this case, lack allegations sufficient the scienter pleading requirements.
It is worth noting that this lawsuit, like many of the recent event-driven lawsuits, was filed by one of the very small handful of “emerging” law firms that is responsible for a very significant part of the increased volume of securities class action lawsuit filings in recent months. The fact is that most of the lawsuits being filed, particularly the event-driven lawsuits, are – like this lawsuit – not very good lawsuits. Indeed, as I have noted before, the whole phenomenon of the event-driven lawsuit filings is one of the significant factors that has recently driven business groups to call for securities litigation reform.
There is one thing worth noting about this lawsuit, and that is the fact that the underlying data breach issues involved an operating division that had recently been acquired by the defendant company, that was discovered after the acquisition was completed. That is more or less what happened at Marriott as well, where the recent data breach issues arose out of the company’s Starwood division, which Marriott had recently acquired. Clearly, data security represents an important vulnerability for M&A activity, a consideration that could have underwriting implications for D&O as well as for Cyber coverages.
Earlier this year, when the $80 million settlement of the Yahoo data breach-related securities lawsuit was announced (as discussed here), I thought the size of the settlement might hearten plaintiffs lawyers and encourage more of them to file data breach-related D&O lawsuits. I believe that has happened, as there have been a number of data breach-related securities suits filings this year. But as the ruling in the PayPal case shows, even if plaintiffs’ lawyers are drawn to these kinds of cases, the suits still have to pass muster. Many of the recent filings – both of the data breach-related cases and of the event-driven securities lawsuits generally – like the PayPal case may not meet the threshold pleading requirements, particularly with respect to scienter.