One of the most watched and commented on corporate and securities litigation trends over the last several years has been the rise of management liability related lawsuits arising from cybersecurity-related incidents. While there has never been the volume of cases that some commentators expected, there have been a number of cases filed. The latest of these lawsuits is the securities class action lawsuit filed this week against FedEx, in which the plaintiff shareholder alleges the company did not fully disclose the extent of the disruption at its European operation after it was hit with the NotPetya malware virus in June 2017. A number of the allegations in the new FedEx complaint are similar to those raised in prior cybersecurity-related securities suits, suggesting some of the factors that might lead to this type of cybersecurity follow-on lawsuit. A copy of the complaint, filed in the Southern District of New York on June 26, 2019, can be found here.
Background
In June 2016, FedEx completed the $4.8 billion acquisition of TNT Express, N.V., a Netherlands-based logistics company. FedEx hoped the acquisition would significantly expand its European footprint and would prove significantly accretive to earnings. However, on June 27, 2017, the TNT operations were, according to the complaint, “crippled” by the NotPetya cyberattack, which some consider one of the largest cyberattacks in history and which affected many companies on a global scale. The NotPetya cyberattack spread a malware virus throughout TNT’s systems during a critical period of TNT’s integration into FedEx’s operations.
The class period in the complaint starts on September 19, 2017, when the company released its fiscal first quarter results and noted that the cyberattack had negatively affected the company’s financial performance. However, allegedly in this disclosure and in subsequent disclosures during the class period, the company provided reassurances that TNT’s systems were fully restored, that its customers “stuck with us,” and that its revenue and earnings targets for the TNT acquisition remained on track.
The full extent of the disruption at TNT was, according to the complaint, not fully disclosed until December 18, 2018, when the company again announced disappointing quarterly results, which it attributed to lower package volumes in Europe and a negative shift in TNT’s product mix to lower margin freight business after the cyberattack that had taken place more than a year previously. The complaint alleges that the company’s share price declined over 12% on the news.
As plaintiff’s counsel states in their June 26, 2017 press release about the lawsuit (here), the complaint alleges that notwithstanding the reassurances the company gave the markets during the class period, the defendants made false and misleading statements and/or failed to disclose that: “(1) TNT’s overall package volume growth was slowing as TNT’s large customers permanently took their business to competitors after the Cyberattack; (2) as a result of the customer attrition, TNT was experiencing an increased shift in product mix from higher-margin parcel services to lower-margin freight services; (3) the anticipated costs and timeframe to integrate and restore the TNT network were significantly larger and longer than disclosed; (4) FedEx was not on track to achieve TNT synergy targets; and (5) as a result of these undisclosed negative trends and cost issues, FedEx’s positive statements about TNT’s recovery from the Cyberattack, integration into FedEx’s legacy operations, customer mix, customer service levels, profitability, and prospects lacked a reasonable basis.”
The complaint names as defendants the company itself and certain of its directors and officers. The complaint purports to be filed on behalf of a class of investors who purchased the company’s common stock during the period September 19, 2017 to December 18, 2018. The complaint alleges that as a result of their alleged misrepresentations to the class, the defendants are liable to the class for damages under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder.
Discussion
As I noted at the outset, there have not been as many cybersecurity securities lawsuits as some may have expected. I think the main reason for this is that as the financial markets have gotten used to the steady drumbeat of disclosures about data breaches and cyberattacks, the share prices of the companies involved typically do not react significantly to the news. Nevertheless, there have been a few companies that have been hit with cybersecurity-related securities suits in recent years, and the complaint that was just filed against FedEx has a number of features in common with the complaints previously filed against other companies.
First, the FedEx complaint and many of the prior complaints involve a cybersecurity incident that took place at a newly acquired business or operation. The securities class action lawsuit filed last year against Marriott related to a data breach that occurred at the company’s recently acquired Starwood division. In addition, as discussed here, the securities class action lawsuit that was filed in 2017 against PayPal involved data security issues that arose at the company’s recently acquired bill-pay management company.
Second, among the important allegations in the FedEx complaint is that the company delayed fully informing investors of the extent of the disruption that the malware attack caused its TNT operation. A delay in making disclosure was also an important element of the data breach-related securities class action lawsuit that was filed against Yahoo, a securities suit that ultimately settled for $80 million. (A related shareholder derivative suit was later settled for $29 million.) It should be noted, though, that the allegation in the FedEx lawsuit is not that the company failed to report the incident itself in a timely way; rather, the allegation is that the disruption the malware attack caused was not fully disclosed in a timely way.
While the FedEx complaint has certain features in common with some of the previous cybersecurity-related securities suits, there are also some important differences. For example, the FedEx complaint does not involve data breach allegations. There is no suggestion that the cyber incident at the company’s TNT division resulted in the disclosure of sensitive or private information. Instead, the FedEx complaint relates to financial and operational harm that the malware attack caused.
The fact that the FedEx complaint arises out of a coordinated, global attack raises some interesting issues. As far as I know, FedEx is the first publicly traded company to get hit with a D&O lawsuit arising out of the NotPetya attack, but it was far from the only company affected. I understand that dozens of companies globally had their operations disrupted by the attack. Even though FedEx is the only one that has been sued (so far), it is not hard to imagine a similar set of circumstances that could in fact result in multiple lawsuits, even dozens of lawsuits.
It is a common (though poorly appreciated) observation that cyber insurance carries with it the imbedded risk of a massive aggregation problem. It doesn’t require much imagination to see how a coordinated global attack like NotPetya could simultaneously hit many companies in an insurer’s cyber insurance portfolio. However, it had never previously occurred to me that there is a cybersecurity aggregation risk imbedded in D&O insurance as well. A cyber attack that shut down New York or London or that affected companies even more broadly than the NotPetya attack could at least theoretically result in scores of claims and massive losses for insurers. To be sure, some might say that this observation is alarmist crazy talk, and they might be right. It is just that this possibility, no matter how theoretical, had never previously occurred to me.
Because the FedEx lawsuit arises out of the malware incident at the company’s TNT division, it could be said that this lawsuit represents yet another example of event-driven litigation. However, I am not quite sure that this case quite fits the event-driven litigation model. Yes, the supposed misrepresentations and omissions all relate back to the malware incident, but the alleged deception relates to the way the company soft-pedaled the news and allegedly failed to fully disclose the disruptive impact of the incident. The allegations of deceptive disclosure arguably make this lawsuit more like a more traditional securities class action lawsuit and less like the recently prevalent phenomenon of event-driven litigation.
In any event, the recently filed FedEx complaint does reconfirm the possibility for companies to get hit with D&O lawsuits following a cybersecurity incident. This possibility exists not just for companies experiencing a data breach, but also for companies involved in privacy violations or that are hit by a malware attack. Even if we have not seen as many of these kinds of lawsuits as might have been expected, they seem likely to continue to be an important part of the corporate and securities litigation environment.