Over the last several years, plaintiffs’ lawyers have filed a number of D&O lawsuits against companies that had been hit with a cybersecurity incident. These suits have largely been unsuccessful, with the exception of the lawsuits filed against Yahoo in the wake of that company’s data breach. While the plaintiffs’ track record in data breach-related D&O lawsuits so far has not been good, a recent development could suggest that that has changed. On February 13, 2020, the parties to the Equifax data breach-related lawsuit filed a stipulation of settlement stating that the case has been settled based on the defendants’ agreement to pay $149 million. The settlement is subject to court approval. This settlement has a number of interesting implications, as discussed below. A copy of the parties’ stipulation of settlement can be found here.
On September 7, 2017, Equifax announced a “cybersecurity incident” potentially impacting 143 million U.S. customers. The company’s press release stated that during the period from at least mid-May through July 2017 criminals had exploited a U.S. website vulnerability to gain access to customer information. The company discovered the breach on July 29, 2017.
The information accessed included names, Social Security numbers, birth dates, addresses, and in some instances driver’s license numbers. The credit card numbers of about 209,000 U.S. consumers were also breached. Upon discovering the breach, the company launched a forensic review to determine the scope of the breach. The company also notified law enforcement officials. (On February 10, 2020, four Chinese nationals working for the People’s Liberation Army were indicted in connection with the 2017 breach.)
On September 8, 2017, the first trading day after the release of the data breach news, Equifax’s stock price had dropped nearly fifteen percent. Over the next few days, further news and information about the breach became public. By September 15, 2017, Equifax’s share price had dropped a total of nearly 36 percent since the initial data breach disclosure.
The Plaintiffs’ Complaint
As discussed here, on September 8, 2017, plaintiffs’ lawyers filed a securities class action lawsuit against the company and certain of its directors and officers. The data breach-related securities lawsuits against Equifax ultimately were consolidated and in April 2018 the plaintiffs’ counsel filed a consolidated amended complaint (here).
In the amended complaint, the plaintiff alleged that the defendants made multiple misleading statements and omissions about the sensitive information in Equifax’s custody; about the vulnerability of the company’s systems to cyberattack; and about the company’s compliance with data protection laws. The complaint alleges that despite these assurances, the company “failed to take the most basic precautions” to protect its systems from hackers. The complaint alleges that these statements artificially inflated the company’s share price and caused a loss in the value of the company’s shares when “the truth was revealed.”
Among other allegations in the amended complaint, the plaintiff alleged that the company’s cybersecurity was “dangerously deficient” as a result of the company’s failure to implement appropriate protocols; failure to remediate known deficiencies; failure to encrypt sensitive data; failure to implement appropriate authentication measures; and failure to adequately monitor its networks and systems.
The Motion to Dismiss and Subsequent Proceedings
The defendants filed a motion to dismiss the plaintiffs’ amended complaint. As discussed here, on January 28, 2019, Northern District of Georgia Judge Thomas W. Thrash, Jr. entered an order granting in part and denying in part the defendants’ motion to dismiss.
Following Judge Thrash’s ruling on the motion to dismiss, the parts of the case that had not been dismissed went forward. In addition, the parties also commenced mediation efforts. In late 2019, as a result of the parties’ mediation efforts, the parties entered an agreement in principle to settle the lawsuit, subject to several conditions, including in particular the completion of a full stipulation of settlement. On February 13, 2020, the parties jointly filed a motion with the court seeking preliminary approval of the settlement. The parties’ stipulation of settlement accompanied the motion.
As I noted at the outset, while there have been a number of D&O lawsuits filed against companies that have experienced cyber-security incidents in recent years, these lawsuits largely have been unsuccessful. The one notable exception was the Yahoo data breach securities lawsuit, which as discussed here, settled for $80 million. The related Yahoo shareholder derivative lawsuits settled for $29 million, as discussed here. Yahoo’s successor-in-interest, Altaba, also settled a related SEC enforcement action for $35 million. But, with the notable exception of the Yahoo litigation, D&O lawsuits based on cybersecurity incidents had not been particularly successful for plaintiffs. That is, until now.
The $149 million settlement in the Equifax data breach obviously is a significant settlement that arguably represents a milestone of sorts for D&O litigation in the cybersecurity context. If nothing else, the Equifax settlement, along with the prior Yahoo data breach litigation settlements, makes a statement that cybersecurity-related D&O lawsuits potentially represent a significant exposure. The clear implication is that follow-on D&O litigation is among the significant consequences that can follow for companies experiencing cybersecurity incidents.
The $149 million settlement is massive. However, it is interesting to note that the settlement, as big as it is, does not crack the list of the Top 100 U.S. Securities Class Action Lawsuit settlements. (To break into the list, a settlement would have to exceed at least $164 million.) However, it is, of course, the largest ever cybersecurity-related securities class action settlement. It clearly represents a bellwether in these kinds of cases, and potentially has significant implications for other serious pending cybersecurity-related securities lawsuits, including, for example, the data breach-related securities suits pending against Marriott (here) and Capital One (here).
There are a number of details about the settlement that are not yet clear. One detail that undoubtedly would be of interest to readers of this blog is the amount of the total settlement that is being funded by D&O insurance. The settlement documents themselves are silent on this point. At least as of now, the company itself has said little about the settlement. (I encourage any readers out there who may know the details about the D&O insurance contribution to the settlement to please let me know; I will of course protect the anonymity of anyone who can provide me with the information.)
The company’s total settlements so far arising out of the 2017 data breach are really kind of astonishing. Along with the recent $149 million securities suit settlement, the company also previously agreed to pay $380.5 million to settle the class action lawsuits filed on behalf of the consumers whose information was exposed as a result of the breach. Separately, the company reached an agreement with the FTC to pay up to $425 million to help people affected by the breach. As detailed here, the company also agreed to pay $175 million to 48 states in the U.S. and $100 million in civil penalties to the Consumer Financial Protection Bureau (CFPB). These amounts do not include the cost the company paid to upgrade its systems or defend itself against all of these various proceedings. (Indeed, last week the company said that so far the various expenses associated with the 2017 data breach had, to date and net of insurance recoveries, cost the company $1.7 billion.) Clearly, the potential costs associated with a serious data breach can be massive.
One final question about the recent Equifax data breach-related securities suit settlement is what impact it might have on prospective future claimants. At a minimum, the Equifax settlement and the earlier Yahoo settlements show that the plaintiffs’ lawyers might actually be able to make money on these kinds of lawsuits. Clearly, a settlement of the magnitude of the Equifax settlement is enough to attract the attention of prospective future claimants and arguably encourage them to file similar claims. As I have noted frequently in the past, the likelihood is that we will see more of these cybersecurity incident-related securities suits and other D&O claims in the future.
Just the same, none of this should be interpreted to suggest that we are about to see a flood of these kinds of cases. There were only a very small number of data breach-related securities lawsuits filed in 2019. In many instances, companies experiencing data breaches may not necessarily be attractive securities suit targets because company share prices often do not drop significantly on news of a data breach. In the absence of a significant stock drop, the data breach company will not be an attractive securities suit target.
In addition, there are a number of factors that make the Equifax situation distinctive and arguably unique. The Equifax data breach was massive, and it involved the disclosure of particularly sensitive information. The impact on the company and its share price was also massive. There have been relatively few other data breaches that were quite as significant in scope, seriousness, and magnitude. Because of these distinctive features of the Equifax situation, there clearly is a limit to any conclusions that might be drawn from the settlement of the case.