A cybersecurity incident earlier this year at the technology company Ubiquiti has given rise to a securities class action lawsuit against the company and two of its executives. The lawsuit is the latest example of the D&O risk exposure relating to cybersecurity. As discussed below, the lawsuit’s allegations illustrate that the way a company handles bad news can be an important litigation risk factor. A copy of the May 19, 2021 securities lawsuit complaint against Ubiquiti can be found here.
Ubiquiti develops and markets equipment and technology platforms for high-capacity Internet access. On January 11, 2021, the company sent a notice to customers advising that the company had “recently become aware of unauthorized access to certain of our information technology systems hosted by a third-party cloud provider.” The notice stated that the company was not aware of anything to indicate that there had been unauthorized activity in any user’s account and further that the company was not aware of unauthorized access to any databases that host user data. The notice encouraged users to change their password.
On March 30, 2021, the Internet publication Krebs on Security published an article about the Ubiquiti breach stating, among other things, that Ubiquiti had “massively downplayed a ‘catastrophic’ incident to minimize the hit to its stock price, and that the third-party cloud provider claim was a fabrication.” The article cited a security professional at Ubiquiti (named in the article as “Adam”) who said that he had responded to the two-month breach at the company beginning in December 2020, after he raised concerns on the company’s whistleblower hotline and with European data protection authorities.
According to “Adam,” Ubiquiti had been aware since December 2020 that the attackers had “administrative access to all Ubiquiti [Amazon Web Services] accounts, including… all user database credentials and secrets required to forge single sign-on (SSO) cookies.” The article further quoted “Adam” as saying that the intruder’s access to the AWS accounts would have allowed the intruder to remotely authenticate to countless Ubiquiti cloud-based devices around the world.
According to the subsequently filed securities class action lawsuit complaint, Ubiquiti’s share price declined 14.5% on the news.
On May 19, 2021, a plaintiff shareholder filed a securities class action complaint in the Southern District of New York against Ubiquiti, its CEO, and its CFO. The complaint purports to be filed on behalf of a class of investors who purchased Ubiquiti securities between January 11, 2021 (the date of the Ubiquiti breach notice) and March 30, 2021 (the date of the Krebs on Security article).
The complaint alleges that during the class period the defendants made false or misleading statements or omitted to disclose “that the Company had downplayed the data breach in January 2021; (2) that attackers had obtained administrative access to Ubiquiti’s servers and obtained access to, among other things, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies; (3) that as a result, intruders already had credentials needed to remotely access Ubiquiti’s customers’ systems; and (4) that, as a result of the foregoing, Defendants’ positive statements about the Company’s business, operations, and prospects were materially misleading and/or lacked a reasonable basis.”
The complaint alleges that the defendants violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. The complaint seeks to recover damages on behalf of the class.
There have of course been prior corporate and securities lawsuits against companies that experienced cybersecurity incidents. There have even been some very significant settlements in these kinds of cybersecurity-related lawsuits, such as, for example, the $149 million settlement in the Equifax data breach-related securities lawsuit. Just the same, it is far from the case that every company that experiences a cybersecurity incident gets hit with a securities suit. The fact is that news of cybersecurity incidents has become so routine that the share prices of the companies that get hit frequently do not move, leaving little incentive for plaintiffs’ lawyers to pursue a claim against the company involved.
There is a particular aspect of the underlying circumstances in this claim that explains why Ubiquiti’s cybersecurity incident led to a lawsuit. In discussing the circumstances, I note that the lawsuit has only just been filed, the company has not yet had the opportunity to respond, and the only thing I have to go on here in discussing the allegations is the plaintiff’s complaint. The plaintiff’s allegations could prove to be totally bogus. However, for discussion purposes, I am going to assume that the plaintiff’s allegations are true, without meaning to suggest in any way that I actually think the allegations are true or that the plaintiff’s claims are valid.
Based solely on the allegations in the plaintiff’s complaint, it appears that the reason Ubiquiti got sued is not because it experienced a data breach, but rather because of the way it handled its communications about the data breach.
I am often asked to suggest steps companies can take to try to avoid the possibility of securities litigation or to put themselves in a better position to defend themselves if they are sued. One of the items I frequently cite in response to these kinds of requests has to do with the way companies handle bad news. The point I make is that the important thing about bad news is to get it out there quickly, correctly, and completely. So often, as appears to be the case here, the lawsuit comes not from the bad news itself, but rather from the company’s efforts to downplay the bad news.
In these circumstances, it was not the company’s original disclosure about the data breach that caused the company’s share price decline, but (at least according to the unproven allegations in the complaint) it was the subsequent revelation that the company had downplayed the extent of the breach that caused its share price to drop and provoked the lawsuit.
This is in fact a not uncommon sequence of events, in which it is the company’s efforts to soft-pedal bad news that ultimately leads to a lawsuit. The flipside of this observation is that the way companies handle bad news is an important part of companies’ securities litigation risk management program.
It is also worth noting that this new lawsuit is yet another example of another recent securities litigation phenomenon, which is the rise of event-driven litigation. In the past, securities lawsuits mostly were about companies’ financial disclosures or omissions. By contrast, the plaintiff’s complaint says almost nothing about Ubiquiti’s financial performance.
Instead, what drew this lawsuit was an adverse event in the company’s operations. The rise of these kinds of event-driven lawsuits, and the fact that any company will experience adverse developments from time to time, are the kinds of things that have caused some commentators to observe that “everything everywhere is securities fraud.” Whether everything is securities fraud is an interesting and provocative point for further discussion elsewhere, but it is clear that the range of things that can cause a company to get hit with a securities suit has expanded significantly in recent years.
From a certain perspective, it is easy to see why this kind of litigation might be appealing to at least certain kinds of plaintiffs’ lawyers. The fact is that these kinds of lawsuits are really easy to file. All you need is a newspaper article, analyst report, or short-seller attack column and you have everything you need to file a lawsuit. It does raise an interesting question about whether mere reliance on a news article is sufficient to fulfill a lawyer’s ethical obligation to independently confirm allegations in court filings, but that too may be an interesting and provocative point for further discussion elsewhere.