In recent posts (here and here), I have noted the securities class action lawsuits that have been filed against U.S.-listed Chinese companies following a crackdown by the Chinese cybersecurity regulator. Now yet another U.S.-listed Chinese company has been hit with a securities suit following the cybersecurity regulator’s actions. On July 13, 2021, a plaintiff shareholder filed a securities class action lawsuit against 360 DigiTech, a Chinese company with securities listed on NASDAQ, following news that the company’s app had been removed from major app stores following Chinese investigations of a number of companies’ data security practices. The July 13, 2021 complaint can be found here.

 

Background

360 DigiTech operates a digital consumer finance platform in China under the360 Jietiao brand. The company’s core product is the 360 IOU app.  On July 8, 2021, according to the securities lawsuit complaint, “reports circulated on social media to the effect that the Company’s core product, the 360 IOU app, had been removed from major app stores.” These reports “came on the heels of” the removal other companies’ apps “as Chinese regulators investigated their customer data protection practices.” According to the complaint, the price of 360 DigiTech’s shares fell over 21%  on the news.

 

The complaint alleges further that on July 9, 2021, Seeking Alpha “reported that 360 DigiTech confirmed the removal of the 360 IOU app from the Android app store and quoted a Company spokesperson, who disclosed that the Company “had submitted a new rectification plan and stepped up the whole process.”

 

The Lawsuit

On July 13, 2021, a plaintiff shareholder filed a securities class action lawsuit in the Southern District of New York against 360 DigiTech and certain of its directors and officers. The complaint purports to be filed on behalf of investors who purchased 360 DigiTech securities between April 30, 2020 and July 7, 2021.

 

The complaint alleges that during the class period the defendants made false or misleading statements or failed to disclose that: “(i) the Company had been collecting personal information in violation of relevant PRCC laws and regulations; (ii) accordingly, 360 DigiTech was exposed to an increased risk of regulatory scrutiny and/or enforcement action; and (iii) as a result, the Company’s public statements were materially false and misleading at all relevant times.”

 

The complaint alleges that the defendants violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. The complaint seeks to recover damages on behalf of the class.

 

Discussion

By my count, this is the fourth securities class action lawsuit to be filed in recent days against U.S.-listed Chinese companies following a regulatory crackdown on the companies by the Chinese cybersecurity regulator. The regulator’s actions supposedly result from concerns surrounding the targeted companies’ cybersecurity practices and data privacy controls. However, the regulator’s actions have a specific focus, as it is concentrated on companies with shares listed on U.S. exchanges. Unlike the three other Chinese companies previously hit with one of these securities lawsuits, 360 DigiTech did not recently complete a U.S. IPO. The complaint is otherwise largely similar to the prior actions.

 

While the Chinese regulators’ actions at a minimum reflect multiple different policy objectives, the actions at least nominally relate to concerns surrounding cybersecurity, and to that extent the sequence of events shows how cybersecurity regulatory action can lead to D&O claims. It is noteworthy in that regard that these companies did not experience cybersecurity incidents as such; the cybersecurity exposure that led to the lawsuit instead is the company’s answerability to the Chinese national cybersecurity regulator.

 

As I have noted in connection with the prior related lawsuits, this latest lawsuit does illustrate that investing in U.S.-listed Chinese companies comes with a political risk, and there is a sense that the importance of that political risk may be the most important lesson here. Nevertheless, the cases do show how cybersecurity related issues can lead to securities class action litigation, as one more way that cybersecurity increasingly represents a D&O risk.