Although some cybersecurity incident-related securities lawsuits have proven to be successful for plaintiffs (refer, for example, here), many of these lawsuits have not gotten very far. The latest data breach-related securities lawsuit to hit the skids is suit filed last year against Zendesk. As discussed below, on November 9, 2020, Northern District of California Judge Charles Breyer granted the defendants’ motion to dismiss in the Zendesk lawsuit. A copy of Judge Breyer’s order can be found here.
Zendesk is a software and services company that provides a variety of tools that allow the company’s clients to manage their customer interactions.
On July 30, 2019, the company issued a press release and held a conference call to discuss its second quarter 2019 results. The company announced increased net losses and revenue growth at levels below the most immediately preceding quarters. The company said that its sales growth in Europe, Middle East and Africa (EMEA), as well as in its Asia Pacific region (APAC), fell below the company’s expectations. The company’s share price declined on the news.
Then, in an October 2, 2019 blog post (here, updated as of November 22, 2019) Zendesk announced that a third party had alerted the company that its customer support and chat products and customer accounts had been accessed. The blog post, as updated, said that upon learning of the security concern, the company engaged a forensic team; initiated its security incident protocol; and contacted law enforcement officials.
The company said that by September 24, 2019, it had “identified approximately 15,000 Zendesk Support and Chat accounts, including expired trial accounts and accounts that are no longer active, whose account information was accessed without authorization prior to November of 2016.” The company’s share price declined less than four percent on the news.
Plaintiff shareholders subsequently filed two securities class action lawsuits against Zendesk and certain of its directors and officers. The two lawsuits were later consolidated. The lead plaintiff filed an amended consolidated complaint (here). The complaint alleged that the defendants had made material misrepresentations or omissions with respect to Zendesk’s EMEA and APAC performance and with respect to the 2016 data breach. The defendants filed a motion to dismiss.
The November 9, 2020 Order
In a November 9, 2020 order, Northern District of California Judge Charles Breyer granted the defendants’ motion to dismiss, with leave for the plaintiff to amend.
In granting the defendants’ motion with respect to the plaintiff’s allegations concerning the company’s performance in the EMEA and APAC regions, the court held that the plaintiff “has not identified any false statement made by Zendesk or any material fact Zendesk misleadingly omitted.” The plaintiff’s allegations, Judge Breyer said, give rise not to the “strong inference that Zendesk intended to deceive or manipulate its investors,” but rather “give rise to the inference that Zendesk erred strategically in EMEA and APAC.”
Judge Breyer also concluded that the plaintiff had failed to state a claim on which relief may be granted with respect to the data breach allegations. In reaching this conclusion, Judge Breyer said that “the failure to disclose the data breach may have been a material omission,” the plaintiff “has not alleged that Zendesk knew of the data breach (or was consciously reckless with respect to its occurrence) when it made any challenged statements or disclosures.” Judge Breyer noted that the plaintiff’s allegations are “consistent with Zendesk acknowledging the risk of such a breach and swiftly disclosing the breach once Zendesk became aware.”
Specifically, Judge Breyer said that the plaintiff’s allegations “indicate that Zendesk was simply unaware of the breach until September 2019” and “nothing else in the Amended Complaint suggests that Zendesk knew of the breach earlier than September 24, 2019 or was consciously reckless in failing to detect or disclose the breach before then.” The plaintiff’s allegations “do not suggest that Zendesk intended to ‘deceive’ or ‘defraud’ regarding the breach.”
Over the course of the last few years, many commentators have suggested that we would see a proliferation of cybersecurity-related securities class action lawsuits. There have in fact been a few of these lawsuits filed every year (see, e.g., most recently here), but there has never been anything like the predicted volume. Some of the lawsuits that were filed have been successful from the plaintiffs’ perspective (see, for example, the Equifax data breach-related lawsuit, which, as discussed here, settled for $149 million dollars), but other cybersecurity-related securities suits have not gotten very far. This lawsuit is a good example of why.
It was always going to be hard for this plaintiff to try to turn a previously undetected data breach into a claim that the defendants had misled investors. It is possible that a hypothetical claimant might (or might not) be able to cobble together some type of mismanagement claim based on these facts, but as Judge Breyer concluded the facts simply don’t add up to an argument that the defendants misled investors with the requisite scienter.
To be sure, the plaintiff has been given leave to amend, and it is always possible that the plaintiff might be able to come up with something that might meet the pleading standards. Stay tuned.
That said, I honestly am not sure why this plaintiff is bothering with the data breach-related claims. The stock drop supposedly associated with Zendesk’s data breach disclosure was modest to the point of irrelevance. The supposed securities fraud allegations relating to the data breach are, as I noted at the time this complaint was first filed, “unpersuasive.” The data breach allegations are at most a makeweight to the separate earnings miss/stock drop claims – which in themselves are not particularly strong.
While the filing of cybersecurity-related securities suits in volume may be the litigation trend that has often been predicted but that has never really materialized, I have no doubt that plaintiffs’ lawyers will continue to file at least some cybersecurity-related suits.
Some of the suits will, like the lawsuit filed in May against LabCorp (here), be in the form of shareholder derivative lawsuits or other types of mismanagement claims.
And, notwithstanding everything I said above, some of the claims will be filed as securities class action lawsuits. I say this for two reasons: one, because of the general movement of securities suits over recent years toward event-driven claims (and cybersecurity incident-related securities suits are event-driven claims); and two, because of the possibility for the plaintiffs’ lawyers of scoring an Equifax-type recovery.
But though the cybersecurity incident-related lawsuits may be filed, that does not mean they will all be meritorious – as this lawsuit shows.