When the news circulated in February that the Equifax data breach securities lawsuit had settled for $149 million, I wondered whether the sizeable settlement might further encourage plaintiffs’ lawyers to file more securities suits against companies that had experienced cybersecurity incidents. As it has turned out, there have been no new cybersecurity incident-related securities suits filed since then – until now. Earlier this week, a plaintiff shareholder filed a securities suit against title insurance and insurance services company First American Financial Corp., which experienced a significant cybersecurity incident in May 2019. As discussed below, the filing of this complaint is noteworthy in several respects. A copy of the complaint in the recently filed First American securities lawsuit can be found here.
First American is a title insurance and insurance services firm whose shares are listed on the NYSE. On May 24, 2019, KrebsOnSecurity.com, a cybersecurity blog, reported a massive data exposure by First American in which approximately 885 million customer files “were available without authentication to anyone with a web browser.” According to the blog, the documents available related to mortgage deals going back to 2003 and included bank account numbers, statements, mortgage and tax records, Social Security numbers, wire transaction receipts and drivers’ license images. The recently filed complaint alleges that First American’s share price fell 6% on this news.
In the Legal Proceedings section of the company’s October 22, 2020 SEC filing on Form 10-Q, the company announced the existence of two governmental investigations, one by the SEC and one by the New York Department of Insurance, relating to “the information security incident that occurred during the second quarter of 2019.”
The 10-Q reported that the SEC’s enforcement staff “is questioning the adequacy of disclosures the Company made at the time of the incident and the adequacy of its disclosure controls.” The 10-Q reports further that in September 2020, the company had received a Wells Notice informing the company that the enforcement staff had made a preliminary determination to recommend filing an enforcement action by the SEC against the company. According to the recently filed securities lawsuit complaint, the company’s share price declined 9% on this news.
On October 25, 2020, a plaintiff shareholder filed a securities class action lawsuit in the Central District of California against the company, its CEO, and its CFO. The complaint was filed on behalf of a class of investors who purchased the company’s publicly traded securities between February 17, 2017 and October 22, 2020. The complaint alleges that the defendants violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. The complaint seeks to recover damages on behalf of the plaintiff class.
The complaint quotes from a number of public statements by the company prior to the May 2019 cybersecurity disclosure, in which the company made various statements about its data security practices and controls. The complaint alleges that the statements were “material false and misleading” because they “misrepresented and failed to disclose … adverse facts pertaining to the Company’s business, operational and financial results, which were known to Defendants or recklessly disregarded by them.”
Specifically, the complaint alleges that the defendants made false or misleading statements and failed to disclose that “(1) the Company failed to implement basic security standards to protect is customers’ sensitive personal information and data; (2) the Company faced a heightened risk of cybersecurity failure due to its automation and efficiency initiatives; and (3) as a result, Defendants’ public statements were materially false and misleading at all relevant times.”
In 2019, several cybersecurity incident-related securities class action lawsuits were filed, including securities suits against FedEx (about which refer here), Capital One (here), and Zendesk (here). However, while there were a number of cybersecurity-related securities suit filings in 2019, up to this point in 2020 there hadn’t been any cybersecurity incident-related securities suits filed, as far as I am aware. (However, please see the note below about the LabCorp lawsuit filed in May.)
As I noted at the outset of this blog post, I had thought that the $149 million Equifax data breach-related securities suit settlement announced in February 2020 might presage the filing of increased numbers of cybersecurity incident-related securities suits, as (I thought) the plaintiffs’ lawyers would be encouraged by the size of the Equifax settlement. However, the opposite of what I expected seems to have happened; as far as I am aware, there were no cybersecurity incident-related securities suits filed since the time of the Equifax settlement, right up until the filing earlier this week of the First American cybersecurity incident-related securities lawsuit.
The filing of significant numbers of cybersecurity-related securities suits is a litigation trend that has often been predicted in recent years but that by and large has not materialized. I think the absence of more cybersecurity-related securities litigation has to do with how the stock market reacts to companies’ announcements of data breaches and other cybersecurity incidents – that is, companies’ share prices typically do not plunge on the news. Indeed, that was the case with respect to the revelation of the data exposure at First American; although its share price declined on the news, the decline was relatively slight. The decline of the company’s share price was actually greater in response to the news of the governmental investigations and the company’s receipt of a Wells Notice. However, even the decline on the news of the investigations was something less than the “massive plunge” on which plaintiffs’ lawyers typically seek to rely in pursuing liability claims under the securities laws.
Although there have to date been relatively few cybersecurity incident-related securities suits filed, I continue to think that cybersecurity, along with the related but slightly different issue of privacy, will continue to be a potential source of corporate risk exposure. Even though this kind of litigation may not yet have materialized in volume, corporate and securities litigation continues to be among the consequences that may (and sometimes does) arise for companies experiencing significant cybersecurity incidents.
The nature of the specific cybersecurity incident that allegedly happened at First American is interesting. At least according to the allegations in the complaint (which in turn are drawn from a cybersecurity blog), it does not appear that the company’s data resources were breached. Rather, based on the as yet unproven allegations, it sounds like the company data was exposed through error or lax procedures. The nature of the data exposure here underscores the fact that the kinds of cybersecurity incidents a company can experience, and that might give rise to litigation – including D&O litigation – include much more than just data breach-related claims.
It is worth noting that the kinds of D&O claims that a company experiencing a cybersecurity-related event may face include more than just securities claims; the kinds of claims that might arise also include shareholder derivative litigation. While I noted above that, prior to the recent filing of the First American securities suit, there had been no cybersecurity incident-related securities lawsuits filed so far this year, there was one cybersecurity incident-related shareholder derivative lawsuit filed earlier this year. As discussed here, in May, LabCorp’s board was hit with a cybersecurity-related derivative lawsuit, based on allegations relating to a data breach that allegedly occurred involving one of LabCorp’s third-party vendors. Just a reminder that the D&O claims risk associated with cybersecurity incidents is not limited just to the risk of securities litigation.
One final note about the new First American securities lawsuit: it represents yet another example of how securities litigation generally has shifted away from suits over financial disclosures and increasingly involves events in the defendant company’s operations. While there have been relatively few cybersecurity-related securities suits filed, the ones that have been filed are in fact representative of a larger and more important securities litigation trend, which is the shift toward event-driven litigation.