In the latest example of a securities class action lawsuit arising out of a data breach or other cybersecurity incident, on October 24, 2019, a plaintiff shareholder filed a securities class action lawsuit against California-based software company Zendesk. The lawsuit follows the company's announcement of disappointing second quarter financial results in July and its announcement in early October that customer account information had been accessed. The lawsuit is the most recent in a series of lawsuits in which companies experiencing cybersecurity incidents get hit with securities lawsuits.
Background
Zendesk is a software and services company that provides a variety of tools that allow the company’s clients to manage their customer interactions. Among other things, the company’s software allows the client companies to communicate with their customers through online customer chats.
On July 30, 2019, the company issued a press release and held a conference call to discuss its second quarter 2019 results. The company announced increased net losses and revenue growth at levels below the immediately preceding quarters. In addition, the company said that its sales growth in Europe, Middle East and Africa, as well as in its Asia Pacific region, fell below the company’s expectations. The company also lowered its guidance for the remainder of the year. According to the subsequent securities complaint, the company’s share price fell by $10 on the disappointing quarterly earnings news (about 11%).
Then, in an October 2, 2019 blog post (here, updated on October 4, 2019) Zendesk announced that a third party had alerted the company that its customer support and chat products and customer accounts had been accessed. The blog post, as updated, said that upon learning of the security concern, the company engaged a forensic team; initiated its security incident protocol; and contacted law enforcement officials.
The company said that by September 24, 2019, it had “identified approximately 15,000 Zendesk Support and Chat accounts, including expired trial accounts and accounts that are no longer active, whose account information was accessed without authorization prior to November of 2016.”
The information accessed “included some personally identifiable information (PII) and other Service Data.” The data accessed included “email addresses, names and phone numbers of agents and end-users of certain Zendesk products, potentially up to November 2016.” The accessed data may have also included “agent” [that is, Zendesk employee] passwords and customer passwords, although the company had found no evidence that the passwords had been used to gain unauthorized access. The company also found that certain account authentication information for about 7,000 accounts had been accessed. According to the subsequently filed securities complaint, the company’s share price declined an additional $2.90 on the news (about 4% from the previous day’s high).
The Complaint
On October 24, 2019, a plaintiff shareholder filed a securities class action lawsuit in the Northern District of California against Zendesk and certain of its directors and officers. The complaint (a copy of which can be found here) purports to be filed on behalf of a class of investors who purchased Zendesk securities between February 6, 2019 and October 1, 2019. The complaint seeks to recover damages on behalf of the plaintiff class for alleged violations of Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. The plaintiff’s law firm’s October 24, 2019 press release about the lawsuit can be found here.
The complaint alleges that the defendants concealed material information and/or failed to disclose that “(a) Zendesk’s clients had been subject to data breaches dating back to 2016; (b) Zendesk was experiencing slowing demand for its SaaS offerings, particularly in Germany, the United Kingdom, and Australia, due in large part to political uncertainty and China trade issues there; and (c) as a result of the foregoing, Zendesk’s business metrics and financial prospects were not as strong as defendants had led the market to believe during the Class Period.”
In purported support of these allegations, the complaint references both the company’s July 30, 2019 earnings announcement and its October 2, 2019 blog post about the cybersecurity incident.
In making allegations with respect to the cybersecurity incident, the complaint references several statements the company allegedly made in its February 14, 2019 filing on SEC form 10-K, in which the company allegedly said, among other things, that “We maintain a comprehensive security program designed to help safeguard the security and integrity of our customers’ data.” The referenced section also stated that the company regularly reviews its security program and obtains third-party security audits and examinations.
The complaint alleges the company’s 10-K states further that a data breach “could have an adverse effect” on the company’s financial results and could cause it to lose customers if the data systems were breached. The complaint alleges that these “purported warnings were themselves materially false and misleading” because the company “had already experienced a data breach dating back to accounts opened before November 2016 that had not yet been disclosed or remedied.”
The complaint goes on to make similar allegations relating to the company’s statements about the additional expenses, compliance concerns and regulatory issues that might result from a data breach, saying with respect to these additional statements that they “tacitly and misleadingly stated that the Company’s data was then being maintained in a secure state, when it was not.”
In support of its allegations that the defendants acted with scienter, the complaint purports to rely on insider trading allegations, in addition to generalized allegations that the defendants acted with alleged knowledge that the alleged misrepresentations were false when made.
The complaint alleges that, with the company’s share price allegedly inflated by the alleged misrepresentations, the individual defendants “cashed in, collectively selling about 409,000 of their personally held Zendesk shares for more than $32.7 million in proceeds.”
In support of these supposed insider trading allegations, the complaint alleges with respect to each of the individual defendants the number of shares that each defendant sold and the total amount of proceeds that each individual realized from the sale. The complaint does not say what percentage of each individual’s total Zendesk shareholdings these sales represent. The complaint also does not specify when the alleged sales took place with respect either to the July 31, 2019 earnings release or the October 2, 2019 security incident report.
The complaint’s cybersecurity-related allegations also include a brief, obscure, and confusing suggestion (made in reliance on an IT media-related blog) that the food-delivery company DoorDash was a pre-November 2016 customer of Zendesk, and that DoorDash’s announced breach of customer data of 4 million of its customers is somehow connected to Zendesk’s data breach.
Discussion
The Zendesk lawsuit is the latest in a series of securities suits filed this year against companies that had been hit with cybersecurity incidents. This series of lawsuits includes the lawsuit recently filed against Capital One in the wake of the company’s high-profile data breach. The series of lawsuits this year also includes the securities suit filed in June against FedEx following news that the company’s European operation was struggling to recover from a cyber virus incident.
While there have been a number of cybersecurity incident-related securities lawsuits filed this year, and there have been similar lawsuits filed in prior years, the number of these lawsuits filed has never quite amounted to the volume of cases that some commentators predicted we would see. One likely reason why there just have not been that many cybersecurity-related securities suits is that news of a data breach or other cybersecurity incident typically does not trigger a significant drop in the affected company’s share price.
Indeed, you could argue that this case represents a good illustration of the point; in this case, Zendesk’s disclosure of the cybersecurity incident resulted in a decline of less than 4% in the company’s share price. This hardly amounts to the kind of precipitous share price decline on which plaintiffs typically rely in asserting alleged securities law violations. (Given the relatively small share price decline and the apparently modest size of the data breach, you do have to kind of wonder why the plaintiff bothered to file a securities suit in this case. Maybe he is just attempting to use the cybersecurity-related allegations as a way to try to bootstrap his earnings disappointment lawsuit.)
While this new lawsuit is similar in some ways to the earlier cybersecurity-related securities lawsuits, it is different in at least two ways. First, in this latest lawsuit against Zendesk, the cybersecurity-related allegations represent only a portion of the alleged misrepresentations on which the plaintiff seeks to rely; alongside the cybersecurity-related allegations, the complaint also presents the classic earnings miss/stock drop allegations.
Second, this latest lawsuit differs from many of the earlier cybersecurity-related securities lawsuits in that it attempts to make specific scienter allegations; here, by contrast to the other cases of this type, the plaintiff has attempted to raise insider trading allegations.
The insider trading allegations might well make this complaint likelier than some of the others to survive the initial pleading hurdles; however, if the plaintiff wants to rely on the insider trading allegations in order to try to establish scienter, in his amended complaint he is going to have to specify what percentage of each individual’s holding the individual’s sales represented, and he is going to have to provide a more detailed timetable of when the sales took place relative to the alleged misrepresentations.
With respect to the alleged cybersecurity-related misrepresentations, it seems to me that the plaintiff is going to have to do more to establish that the various data security statements in the company’s 10-K were knowingly misleading. Essentially all the plaintiff has done is allege, with the benefit of hindsight information following the disclosure of the breach, that the company’s earlier statements, made before the breach was known, were knowingly false when made.
These kinds of fraud by hindsight allegations may or may not be sufficient to meet the initial pleading hurdles, but I have never found these kinds of allegations particularly persuasive. There may or may not be valid mismanagement allegations in there somewhere (the defendants “should have known” or “should have better managed” etc.) but the suggestion of fraudulent misrepresentation based only on the later breach disclosure is, to me, unpersuasive.
Massachusetts Files Climate Change-Related Suit Against Exxon: With trial underway in New York’s climate change disclosure-related lawsuit against Exxon, Massachusetts Attorney General Maura Healey has started her own suit against the global energy giant. On October 24, 2019, Healey’s office filed the state’s own lawsuit against Exxon. A copy of the complaint can be found here. The Massachusetts lawsuit, like the New York lawsuit, alleges that Exxon made material misrepresentations to investors about the company’s climate change-related risks. However, as discussed in an October 25, 2019 Law 360 article about the new lawsuit, the new Massachusetts lawsuit goes further; according to the article, the complaint also alleges that “the company deceived consumers about how its fossil fuel products contribute to climate change and misled consumers about being an environmentally responsible company.” The article also says the new suit is the first climate change-related lawsuit based on state consumer protection laws.