During 2017 and 2018, plaintiffs’ lawyers filed a number of securities class action lawsuits against companies that had experienced data breaches. Among the highest profile of these cases was the securities lawsuit filed in 2017 against the credit rating firm, Equifax, which in September 2017 announced that hackers had breached its consumer database and accessed millions of records containing personally identifiable information. On January 28, 2019, in a ruling that will be closely analyzed in connection with the several other recently filed data breach-related securities lawsuits, Northern District of Georgia Judge Thomas W. Thrash, Jr. entered an order granting in part and denying in part the defendants’ motion to dismiss. A copy of the January 28 order can be found here.
On September 7, 2017, Equifax announced a “cybersecurity incident” potential impacting 143 million U.S. customers. The company’s press release stated that during the period from at least mid-May through July 2017 criminals had exploited a U.S. website vulnerability to gain access to customer information. The company discovered the breach on July 29, 2017. The information accessed included names, Social Security numbers, birth dates, addresses, and in some instances driver’s license numbers. The credit card numbers of about 209,000 U.S. consumers were also breached. Upon discovering the breach, the company launched a forensic review to determine the scope of the breach. The company also notified law enforcement officials.
Among other things, following the news of the data breach, press reports began circulating that on August 1, 2017 – that is, just days after the breach was discovered — Chief Financial Officer John Gamble sold shares worth $946,374 (about 13% of his holdings) and that Rodolfo Ploder, president of workforce solutions, had sold $250,458 of stock (about 4% of his holdings) on Aug. 2.
On September 8, 2017, the first trading day after the release of the data breach news, Equifax’s stock price had dropped nearly fifteen percent. Over the next few days, further news and information about the breach became public. By September 15, 2017, Equifax’s share price had dropped a total of nearly 36 percent since the initial data breach disclosure.
The Plaintiffs’ Complaint
As discussed here, on September 8, 2017, plaintiffs’ lawyers filed a securities class action lawsuit against the company and certain of its directors and officers. The data breach-related securities lawsuits against Equifax ultimately were consolidated and in April 2018 the plaintiffs’ counsel filed a consolidated amended complaint (here). The amended complaint named as defendants the company itself; the company’s former CEO, Richard Smith (who resigned from the company in September 2017 shortly after the initial data breach disclosure); the company’s CFO, John Gamble; the President of the company’s Workforce Solutions division; and the company’s Senior Vice President for Investor Relations, Jeffrey Dodge.
In the amended complaint, the plaintiff alleged that the defendants made multiple misleading statements and omissions about the sensitive information in Equifax’s custody; about the vulnerability of the company’s systems to cyberattack; and about the company’s compliance with data protection laws. The complaint alleges that despite these assurances, the company “failed to take the most basic precautions” to protect its systems from hackers. The complaint alleges that these statements artificially inflated the company’s share price and caused a loss in the value of the company’s shares when “the truth was revealed.”
Among other allegations in the amended complaint, the plaintiff alleged that the company’s cybersecurity was “dangerously deficient” as a result of the company failure to implement appropriate protocols; failure to remediate known deficiencies; failure to encrypt sensitive data; failure to implement appropriate authentication measures; and failure to adequately monitor its networks and systems.
Of particular relevance to the court’s subsequent ruling on the motion to dismiss, the plaintiff alleged that the company ignored a number of warnings that its data security measures were inadequate. Of particular importance to the dismissal motion ruling, in March 2017, the company hired Mandiant, a cybersecurity firm, to investigate weaknesses in its data protection system. This investigation was later referred to in a news report as a “top secret project” that was personally overseen by CEO Smith. The Mandiant report supposedly concluded that the company’s data protection systems were “grossly inadequate.” Also, the amended complaint also concluded that the company had experienced other, smaller data breaches prior to the Data Breach the company announced in September 2017.
The complaint alleges that despite the “woeful” state of the company’s cybersecurity systems, the company made a number of statements “touting the strength” of its data systems and cybersecurity practices. The defendants filed a motion to dismiss.
The January 28, 2019 Ruling
On January 28, 2019, in a massive 109-page Opinion and Order, Judge Thrash granted in part and denied in part the defendants’ motion to dismiss. As a result of Judge Thrash’s various rulings, the motion to dismiss was granted in its entirety as to defendants Gamble, Ploder, and Dodge, but denied in part as to Equifax itself and as to its CEO, Smith.
Judge Thrash first rejected the defendants’ arguments that the various statements on which the plaintiff sought to rely about the state of Equifax’s cyber security were not actually false or misleading or merely constituted. Among other things, in the referenced statements, Equifax had said it was a “trusted steward” of personal data and employed “strong data security and confidentiality standards.” The defendants argued that the mere fact of that the data breach happened did not make these statements false.
Judge Thrash said that the plaintiff had alleged more than the mere occurrence of the data breach; instead, he said, the plaintiff had pleaded a “multitude of specific, detailed factual allegations demonstrating that Equifax’s systems were grossly deficient and outdated, below industry standards, and vulnerable to attack.” Judge Thrash also said that while some of the statements viewed in isolation might constitute puffery, “the fact that they were repeated to assure investors that Equifax’s systems were secure could lead a reasonable investor to rely upon them as reflecting the state of Equifax’s security.”
Judge Thrash also found that the statements that the company was making ongoing efforts to comply with data protection laws and regulations to be actionable. In rejecting the defendants’ arguments, Judge Thrash found that the statements went beyond merely stating that the company was making an effort to comply with applicable standards, but “instead assured that Equifax took steps to remain in compliance” (emphasis added). Even if the statement only conveyed that the company was only making an effort to comply, “they would still be false and actionable” as they would lead an investor to believe the company was “making good faith efforts to maintain a data security protocol” when in reality, according to the amended complaint “data security was not a priority.”
However, Judge Thrash granted the defendants’ motions to dismiss relating the plaintiffs’ allegations that the defendants’ should have disclosed the breach earlier. Judge Thrash also said that the occurrence of the data breach itself did not, by itself, created a duty to disclose or update earlier disclosures. Judge Thrash also found the Sarbanes Oxley internal control certifications to be inactionable, as the certifications related only to the company’s internal controls over financial reporting, not as to controls over data security.
With respect to scienter, Judge Thrash concluded that the plaintiff’s allegations “provide sufficient circumstantial evidence to conclude that Smith was aware of the warnings concerning the deficiencies in Equifax’s cybersecurity.” Judge Thrash specifically cited the Mandiant audit (which Smith allegedly personally oversaw) and warnings in March 2017, as well as the prior smaller data breaches. In reaching this conclusion, Judge Thrash referenced and relied on allegations in the plaintiff’s amended complaint about the Mandiant audit that relied on newspaper articles that cited only anonymous sources, which Judge Thrash said were “entitled to due consideration.” However, Judge Thrash said that the plaintiff had not adequately pleaded scienter as to the other individual defendants, as there were no allegations that these individuals had received warnings.
In finding that the allegations of scienter were sufficient to Smith, Judge Thrash also relied on statements that Smith had made in a presentation at a local college in August 2017 (that is, after the breach had been discovered but before it was disclosed). In response to an audience question about data security, Smith had said that data security was “a huge priority” for the company and that it was “our number one worry.” The speech allegedly was later posted on YouTube. Despite the anodyne nature of these statements, Judge Thrash said these allegations were sufficient to raise a strong inference that Smith made these statements with the requisite scienter.
Interestingly, Judge Thrash rejected the plaintiff’s arguments that the stock sales were indicative of scienter. In reaching this conclusion, he noted that the failure of any of the other defendants to engage in trading “undermines” any inference of scienter. Even though, as Judge Thrash noted, the timing of the sales is “suspicious, there was not enough about the sales to make them sufficient on their own to raise a strong inference of scienter.
Until recently, plaintiffs seeking to assert securities class action lawsuits based on data breach-related allegations have largely been unsuccessful. Indeed, in his opinion, Judge Thrash specifically referred to one of the important earlier data breach-related securities class action lawsuits, the 2009 securities class action lawsuit filed against Heartland Payment Systems. In that earlier case, the defendants had succeeded in getting the case entirely dismissed. In rejecting the defendants’ motion to dismiss in part in this case, Judge Thrash expressly distinguished the Heartland Payment Systems dismissal ruling.
Judge Thrash’s willingness to distinguish the Heartland Payment Systems case is one of several factors about this decision that may hearten prospective future claimants considering filing data breach related securities suits, along with the larger message that this case survived – at least in part – the defendants’ motion to dismiss. The survival of at least a part of this case, along with the March 2018 settlement of the Yahoo data breach related securities class action lawsuit for $80 million, could well encourage others to pursue securities lawsuits against other companies experiencing data breaches.
While these developments, including the ruling on the motion to dismiss here, could encourage other prospective claimants, there are a number of features about this case that may make it distinct or at least different from many other situations that are likely to arise.
The first is that in part because of the sensitivity of the information exposed in the breach, the company’s share price declined significantly following the news of the data breach. In many instances where companies disclose that they have been hit with a data breach, their share price does not react. Indeed, the absence of significant share price declines following data breach disclosures is the probable reason why there haven’t already been more date breach related securities lawsuits.
There were also a number of key factual details about the circumstances here that allowed the case to survive the dismissal motion that may not be present in other cases. For example, the fact of the “top secret” Mandiant audit in March 2017, and Smith’s awareness of the audit, as well as the fact of the prior smaller data breaches, were critical to Judge Thrash’s rulings on scienter. Without the ability to make allegations related to these facts, the amended complaint might well not have survived the dismissal motion. Other cases may lack facts like these that would enable the case to survive the dismissal motion.
There are also some strange things about Judge Trash’s ruling that might be less than reassuring for other prospective claimants. Most of the allegations that the plaintiffs relied on and that Judge Thrash cited in his scienter rulings about the Mandiant audit came from two media reports that cited only anonymous sources. These allegations seem pretty slender to me, and I am unconvinced that relying on unidentified sources in random news articles is anywhere remotely sufficient to allow a massive securities class action lawsuit to go forward.
By the same token, Judge Thrash’s reliance on Smith statements in a presentation at a local college, and in response to an audience question, that data security is “a huge priority for us” and our “number one worry,” is also very unconvincing to me. I am not sure how these obviously booster-ish statements in their specific context in any way support a “strong inference” of scienter, much less misled anybody. I seriously doubt a single investor on the single planet paid even the slightest attention to these completely nothing statements.
All of that said, there is no doubt that plaintiffs and defendants in other pending and prospective data breach related securities suits will scour Judge Thrash’s opinion in the Equifax case. There is a lot to consider in his bulky opinion. I am sure his analysis in this case will be making cameo appearances in many briefs in these other cases.
The bottom line here is that the Equifax case survived the motion to dismiss, even if only just in part. The name of the game for plaintiffs in securities case is to live to see another day. The fact that a complaint in a data breach-related securities class action lawsuit survived a motion to dismiss represents something of a milestone, given the prior track record. Along with the $80 million settlement in the Yahoo case, the dismissal motion denial here provides substantial ground from which to believe that we may be seeing more data breach-related securities class action lawsuits in the weeks and months ahead.