In the latest securities class action lawsuit to be filed against a company that has experienced a data breach or other cybersecurity incident, a plaintiff shareholder has filed a securities suit against Capital One in connection with the company’s recent massive data breach. While there have been a number of data breach-related securities suits before, there are some unique features of the Capital One situation that make it distinctive and interesting, as discussed below. The plaintiff shareholder’s October 2, 2019 complaint can be found here.
The Capital One Data Breach
In a July 29, 2019 press release, Capital One announced that on July 19 the company had determined that there had been unauthorized access to its systems by an individual who had obtained personal information of the bank’s credit card applicants and customers. The company said that the breach involved the personal information of over 100 million customers in the U.S. and another 6 million in Canada. The company’s press release announced that the company had notified the FBI of the breach and that the person responsible for the data breach had been arrested and was in custody. On the news of the breach, the company’s share price dropped approximately 6%.
In the days following the news of the breach, news reports identified the hacker responsible for the data breach as Paige Adele Thompson, a former employee of Amazon’s cloud computing division that according to the reports was responsible for running much of Capital One’s information technology infrastructure. On July 29, 2019, the U.S. Department of Justice filed a criminal complaint against Thompson that provides many of the details surrounding Thompson’s hack of the Capital One data. Subsequent filings in the criminal proceeding on behalf of the government alleged that Thompson had in fact targeted a number of companies and other organizations.
One of the features of the hack that immediately attracted attention was the fact that Thompson accessed the Capital One customer data by hacking improperly secured Amazon cloud accounts, as discussed in greater detail in a guest post on this blog (here).
The Securities Class Action Lawsuit
On October 2, 2019, a plaintiff shareholder filed a securities class action lawsuit in the Eastern District of New York against Capital One, its CEO, Richard Fairbank, and its CFO, R. Scott Blackley. The complaint purports to be filed on behalf of a class of persons who purchased Capital One securities between February 2, 2018 and June 29, 2019. [Note: the complaint identifies the class end date as June 29, 2019, but that is almost certainly a typographical error, as the date on which Capital One released the news of the data breach was July 29, 2019, not June 29, 2019, and the complaint refers extensively to the company’s July 29 press release.]
The plaintiff’s brief complaint consists of a series of block quotations from various Capital One SEC filings in which the company made a number of statements about its privacy and data security, as well as the data security of third-party service providers. The complaint also quotes the July 29 press release verbatim and includes quotations from the criminal complaint against Thompson. The complaint alleges that the company’s share price dropped 5.9% on the news of the breach.
The complaint alleges that these various statements were materially false and misleading because they misrepresented or failed to disclose that: “(1) the Company did not maintain robust information security protections, and its protection did not shield personal information against security breaches; (2) such deficiencies heightened the Company’s exposure to a cyber-attack; and (3) as a result, Capital One’s public statements were materially false and misleading at all relevant times.”
The complaint seeks to recover damages on behalf of the class based on allegations that the defendants’ alleged misrepresentations or omissions violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934.
In the wake of the news of the Capital One cybersecurity breach, a number of different people expressed surprise to me that there was not, at least not right away, a data breach-related D&O lawsuit filed against the company or its senior management. The incident was, after all, very high profile. In the immediate aftermath of the news of the data breach, there were in fact a number of “trolling” press releases from plaintiffs’ law firms, through which the plaintiffs’ lawyers sought to find a plaintiff shareholder on whose behalf they might sue the company.
In the end, the complaint that was eventually filed was filed by one of the so-called “emerging law firms” that have been responsible for so much of the elevated levels of securities class action lawsuit filing activity in recent years. In that regard, it is worth noting that in addition to being a data breach-related securities lawsuit, this lawsuit is also an example of event-driven securities litigation – that is, where the securities suit is not based on traditional allegations of accounting misrepresentations or financial fraud, but rather based on a negative development in the company’s business operations the risk of which the investors supposedly were not adequately warned. The plaintiffs’ law firm that filed this suit is one of the very small number of “emerging law firms” that have been actively filing these kinds of event-based securities suits.
As is the case with so many event-driven securities suits, the scienter allegations in this complaint are notably scarce – as in, the court is going to have a really hard time finding anything in this complaint that remotely resembles an allegation of scienter.
This lawsuit is the latest in a series of suits filed in recent months against companies that have experienced cybersecurity incidents. Recent high profile examples of these kinds of lawsuits include the suit filed in June 2019 against FedEx (discussed here) and the securities lawsuit filed last year against Marriott related to a data breach that occurred at the company’s recently acquired Starwood division.
In many instances, data breach-related D&O lawsuits have not fared particularly well. For example, late last year the court granted the defendants’ motion to dismiss in the data breach-related securities suit that had been filed against PayPal. (The district court in that case recently granted the defendants’ renewed motion to dismiss – with prejudice, this time – the plaintiffs’ second amended complaint.)
To be sure, there have been instances where plaintiffs have been more successful in data breach-related D&O lawsuits. For example, the data breach-related securities class action lawsuit filed against Yahoo ultimately settled for $80 million. A related shareholder derivative suit was later settled for $29 million. However, the Capital One lawsuit arguably lacks many of the important features of the Yahoo lawsuits – unlike the Yahoo lawsuit, this case does not involve long delays in communicating the news of the data breach, and also does not involve the kind of direct and demonstrable financial losses that were part of the Yahoo lawsuits.
Whether or not the new lawsuit ultimately is successful, there are a number of circumstances surrounding the Capital One data breach that are relevant for corporate boards. Among the most important is that the data breach involved data storage and networking arrangements with a third-party vendor, in this case Amazon’s cloud services.
As discussed in John Reed Stark’s thoughtful guest post on this site (here), the third-party vendor aspect of the Capital One data breach has important implications for corporate boards’ cybersecurity oversight responsibilities.
The significance of these oversight responsibilities appears even greater in light of the Delaware Chancery Court’s recent decision in Marchand v. Barnhill; as discussed here, the Marchand decision has important implications for corporate boards’ liability exposures arising out of their cybersecurity and privacy oversight responsibilities.
On a slightly different note, John Reed Stark also published a separate guest post on this site (here) discussing the intriguing question of whether Amazon itself has any liability for the Capital One hack. Indeed, as Stark notes in his guest post, at least one consumer privacy lawsuit filed in the wake of the Capital One data breach names Amazon as one of the defendants.