More than a month ago, when I first wrote about the possibility that the coronavirus outbreak could lead to D&O claims, I noted that the pandemic was having a devastating impact on certain industries. At the same time, I noted that the viral outbreak could prove a boon for other industries; among the industries I cited as a possible winner was the video teleconferencing industry. Indeed, since the outbreak’s onset, many of us have for the first time used the services of Zoom Video Telecommunications, and Zoom video teleconferences have been proliferating. But while Zoom usage has soared, privacy and security concerns have also arisen.
Now Zoom has been hit with a securities class action lawsuit based on allegations that the surge in usage following the coronavirus outbreak revealed undisclosed weaknesses in the company’s security, as well as privacy and security weaknesses contrary to the company’s alleged representations. As discussed below, in addition to representing an example of a coronavirus-related securities suit, the new lawsuit also represents an example of the ways in which privacy concerns can lead to D&O claims.
On April 7, 2020, a plaintiff shareholder filed a securities class action lawsuit in the Northern District of California against the company, Eric Yuan, the company’s CEO, and Kelly Steckelberg, the company’s CFO. The complaint, a copy of which can be found here, purports to be filed on behalf of a class of persons who purchased the company’s securities between April 18, 2019 (the date of Zoom’s IPO) and April 6, 2020. The complaint alleges that the defendants violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and seeks damages on behalf of the plaintiff class. [Note: a second complaint was filed against Zoom and the individual defendants on April 8, 2020.]
The complaint alleges that during the class period, the defendants made false and misleading statements regarding the company’s “business, operational and compliance policies.”
Specifically, the complaint alleges that the defendants misrepresented or failed to disclose that “(i) Zoom had inadequate data privacy and security measures; (ii) contrary to Zoom’s assertions, the Company’s video communications services was not end-to-end encrypted; (iii) as a result of all the foregoing, users of Zoom’s communications services were at increased risk of having their personal information accessed by unauthorized parties, including Facebook; (iv) usage of the Company’s video communications services was foreseeably likely to decline when the foregoing facts came to light; and (v) as a result, the Company’s public statements were materially false and misleading at all relevant times.”
The Privacy and Coronavirus Outbreak Related Allegations
The complaint further alleges that “the truth about the deficiencies in Zoom’s software encryption began to come to light as early as July 2019.” However, the complaint further alleges that due in large part to “the Company’s obfuscation,”
it was not until the COVID-19 pandemic in March and April of 2020, with businesses and other organizations increasingly relying on Zoom’s video communication software to facilitate remote work activity as governments increasingly implemented shelter-in-place orders, that the truth was more fully laid bare in a series of corrective disclosures. As it became clear through a series of news reports and admissions by the Company that Zoom had significantly overstated the degree to which its video communication software was encrypted, and organizations consequently prohibited its employees from utilizing Zoom for work activities, the Company’s stock price plummeted, damaging investors.
In a section captioned “The Truth Fully Emerges,” the complaint elaborates on these pandemic-linked allegations. The complaint alleges that on March 26, 2019, “in the midst of COVID-19 pandemic and shelter-in-place order from multiple national and local governments,” reports began to surface in the technical press detailing concerns about the company’s privacy policies, data collection practices, and alleged transfers of user data or accessibility of user data and analytics to Facebook.
On March 30, 2020, the New York Times reported (here) that New York Attorney General Letitia James was investigating Zoom’s data privacy and security practices. The article reported that the NYAG had sent a letter inquiring about the company’s privacy policies and practices and inquiring into what “new security measures the company has put in place to handle increased traffic in its network and to detect hackers in light of the recent COVID-19 pandemic.” The NYAG’s letter also expressed concerns about access to student data in connection with schools’ use of the company’s video services to conduct classes for students whose schools were subject to pandemic-related closures.
The complaint also refers to news reports that on March 30, 2020, the FBI issued a warning about “Zoom-bombing,” a phenomenon whereby hackers can take over video-conferencing on the Company’s app. The FBI’s warning specifically referred to video-conference hijacking “during the COVID-19 pandemic.”
At the same time, stories began circulating in the media technology press that, contrary to the company’s assertions, the company’s video and audio services were not “end-to-end encrypted.” On April 1, 2020, Yuan published a post on the company’s blog in which, among other things, he admitted that the Company “recognizes that we have fallen short of the community’s – and our own – privacy and security expectations.”
On April 3, 2020, The Street.com published a report claiming that during 2020, Yuan had sold $38 million of his personal holdings of the company’s securities. The report claimed that other executives had sold as well. [The specific sales by Yuan referenced in the article took place in January and February 2020.]
Over the course of the next few days, media reports appeared in a variety of publications raising additional concerns and announcing additional investigative efforts by other governmental authorities.
On April 4, 2020, the Wall Street Journal published an interview it had conducted with Yuan, in which, among other things, Yuan reportedly acknowledged that the company had struggled to deal with “breakneck growth.” He also acknowledged that the company’s end-to-end encryption capability would not be ready for “a few months.” In discussing the company’s efforts to deal with security concerns as the company ramped up to deal with huge volume increases, Yuan admitted that “I really messed up as CEO,” commenting further that “if we mess up again, it’s done.”
On April 6, 2020, New York City’s mayor announced that the city’s schools were banning the use of Zoom owing to security and privacy concerns.
The complaint alleges that between March 27, 2020 and April 2, 2020, the company’s share price declined by 19.62%, and between April 2, 2020 and April 6, 2020, the company’s share price declined another 4.10%.
The new lawsuit against Zoom represents the third coronavirus-linked securities class action lawsuit so far, joining the lawsuits previously filed against Norwegian Cruise Lines (about which refer here) and Inovio (about which refer here).
I know that some readers might question whether this new lawsuit is in fact a coronavirus-related lawsuit, and might say that it is really more about privacy and security issues (about which please see further discussion below). For me, this new lawsuit clearly is a coronavirus-related lawsuit. The gist of the lawsuit is that changed operating circumstances resulting from the coronavirus outbreak stressed the company’s systems and services and allegedly made apparent weaknesses in the company’s policies and processes and also highlighted alleged differences between the quality and nature of services provided as compared to the way the company had described the services to investors and others. In short, the stresses caused by the coronavirus outbreak created the company’s crisis, which led to the lawsuit. For me, this lawsuit definitely counts as a coronavirus outbreak-related lawsuit.
At the same time, this lawsuit is a privacy-related lawsuit as well. Regular readers know that for some time now, I have been declaring my view that privacy-related issues represent a significant new source of potential D&O exposure. Among other things, the circumstances leading up to this lawsuit underscore the critical importance of privacy and security related concerns. The lawsuit itself shows how privacy and data security issues can lead to D&O claims.
The case also highlights the ways in which the privacy-related D&O exposure differs from cybersecurity-related D&O exposures. There was no data breach involved in these circumstances (or at least a data breach is not the crux of the concerns). Rather, the concerns surrounding Zoom relate to the ways in which Zoom protected user privacy and user data. To be sure, a big part of the concerns here has to do with security issues, and in particular the vulnerability of the Zoom services to Zoom-bombing hackers. But the essence of the concern involved is related to privacy.
Longtime readers also undoubtedly quickly recognized that this lawsuit represents an example of the recent event-driven litigation phenomenon. The description of various recent cases as “event-driven” is by way of contrast to more traditional securities class action litigation based on accounting or financial misrepresentations. This case does not involve accounting or financial misrepresentations. The lawsuit has to do with alleged weaknesses or deficiencies in the company’s service offering, which came to light as a result of a series of incidents that revealed privacy and security concerns.
The recent rise of event-driven litigation is in fact one of the considerations I have been taking into account in my prognostication that we are likely to see more coronavirus-related lawsuits (and indeed that we are likely to see further privacy-related lawsuits as well): over the last several years, the plaintiffs’ lawyers (or at least some of them) have made it unmistakably clear that they view these kinds of cases as attractive lawsuits, or at a minimum lawsuits of a kind that they are willing to file and pursue.
While the link between this case and the coronavirus may represent something of an unexpected twist (in that the defendant company is one that, at least initially, prospered from the pandemic), it does demonstrate a reason why I believe we will be seeing more coronavirus-related lawsuits. The fact is that the dramatically changed circumstances under which all businesses are operating are subjecting every business to enormous stress. This kind of stress will undoubtedly expose alleged shortcomings in many companies’ business operations, shortcomings of a kind that plaintiffs’ lawyers undoubtedly will try to seize upon to suggest that the company’s disclosures and conduct leading up to the disruption were misleading or otherwise blameworthy.
All of this is likely to play out over the course of many months, during which we are likely to see many more D&O lawsuits.
One final note about this new lawsuit. Some readers (and indeed the Court itself) may consider it highly relevant in considering the plaintiff’s allegations that when Zoom went public on April 19, 2019, its shares were priced at $36/share. According to the complaint, on April 6, 2020, the last day of the class period, the company’s share price, even after the price declines cited in the complaint, was trading at $122.94 a share. As recently as February 3, 2020, the stock was trading at around $88/share (in what was at that time an all-time high). The share price did not exceed $122.94 for the first time ever until March 16, 2020. If you look at the company’s share price graph, the company’s share price skyrocketed after the onset of the coronavirus outbreak during March 2020.
Thus, while the class period described in the complaint purports to go back to the time of the company’s April 2019 IPO, the members of the putative class who bought their shares prior to March 16 or so are going to have a very hard time establishing damages. Shareholders who purchased their shares prior to March 16 are still ahead, many of them dramatically so.
Other Ways Coronavirus Outbreak-Related Allegations May Shape Forthcoming Litigation: Those out there who are trying to understand the ways in which coronavirus outbreak-related allegations may infiltrate future lawsuits and affect future litigation may want to take a look at the April 6, 2020 lawsuit filed in the Eastern District of New York in connection with the planned acquisition of Center State Bank Corporation by South State Corporation.
The lawsuit, which is in many ways a standard merger objection lawsuit, alleges that the defendants violated Sections 14(a) and 20(a) of the Securities Exchange Act of 1934, and is filed as an individual action, rather than as a class action.
In his complaint, the plaintiff alleges that the Registration Statement filed with the SEC in connection with the transaction contains material misrepresentations, particularly with respect to the “sales process leading up to the Proposed Transaction.” Specifically, the plaintiff alleges that the Registration Statement “fails to disclose with sufficient specificity the discussion between CenterState and South State leading up to their agreement on the [ratio for the exchange of CenterState stock for South State stock].”
In making these allegations, the plaintiff alleges among other things that in December 2019, as disclosed in the Registration Statement, while the deal was being negotiated, “a novel strain of coronavirus, COVID-19, was reported in Wuhan, China.” The complaint notes that the Registration Statement acknowledges that “the coronavirus may adversely impact South State and CenterState businesses,” particularly if the companies are “unable to recover from a business disruption on a time basis.” The complaint observes that the Registration Statement notes that “the coronavirus outbreak could also delay, increase the costs of, or otherwise adversely affect, the integration of the two businesses of the two companies.”
The complaint seeks further disclosures regarding the negotiation of the exchange ratio, including in particular the allegation that there should be further disclosures “given that the Proposed Transactions was negotiated during the COVID-19 outbreak,” and given that the Registration Statement acknowledges that the outbreak could “adversely affect … the integration of the businesses of the two companies following the completion of the merger.”
Whether or to what extent these allegations will prove to be meritorious remains to be seen. However, and in any event, the allegations do show how the pervasive effect of the coronavirus outbreak on business operations across the economy will make its way into forthcoming corporate lawsuits, even if the effects of the outbreak are not themselves the basis of some lawsuits. As the effects of the outbreak continue to ripple outward, coronavirus-related allegations are likely to become increasingly common and increasingly important in the lawsuits filed in the months ahead.