In an interesting development, the U.S. District Court Judge overseeing the cybersecurity-related securities class action lawsuit pending against title insurance company First American Financial Corp. has granted the defendants’ motion to dismiss. The dismissal in the case is interesting because the company had in June 2021 agreed with the SEC to enter a cease-and-desist order and to pay a modest civil penalty to settle charges related to the same cybersecurity incident. The dismissal is also interesting because it shows how plaintiffs’ lawyers have struggled to get traction with cybersecurity-related securities suits. A copy of the Court’s September 22, 2021 order granting the motion to dismiss in the First American securities suit can be found here.
First American is a title insurance company that also provides escrow and other closing services in connection with real estate transactions. The company maintained a document sharing application known as “Eagle Pro.” The application permitted the company to share documents in connection with title and escrow transactions.
On May 24, 2019, a cybersecurity journalist contacted First American to notify the company that its Eagle Pro application had a vulnerability exposing over 800 million title and escrow documents. (For further detail about the journalist’s report and about the vulnerability, refer here.) In response, First American issued a statement that the journalist included verbatim in his May 24, 2019 article about the vulnerability. On the next business day, May 28, 2019, the company submitted a filing on SEC Form 8-K which included the company’s May 24, 2019 statement. The company’s share price declined on this news.
Unknown to the company executives responsible for the press release and SEC filing, the Eagle Pro vulnerability had first been identified by First American information security personnel in January 2019. The vulnerability was described in a January 2019 report that was provided to security and IT managers at the time, but not to senior company management. Though the vulnerability had been identified internally in January 2019, it had not yet been remediated by the time of the May 2019 contact from the journalist.
In its October 22, 2020 filing with the SEC on Form 10-Q, the Company stated that it had received a Wells Notice from the SEC. On this news, the company’s share price declined further.
On October 25, 2020, a plaintiff shareholder filed a securities class action lawsuit in the Central District of California against the company, its CEO, and its CFO. The complaint was filed on behalf of investors who purchased the company’s shares between February 17, 2017 and October 22, 2020. The complaint quotes from a number of public statements the company made prior to the May 2019 cybersecurity disclosure about its cybersecurity protocols, procedures and controls. The complaint alleges that these statements, as well as the company’s statement following the disclosure of the cybersecurity incident, were false and misleading. The defendants moved to dismiss.
In a separate but related development, on June 15, 2021, the SEC announced that it had settled charges that First American’s cybersecurity disclosure controls and procedures violated the agency’s public company reporting requirements. As discussed here, the charges related to the SEC’s allegations that the company’s procedures for reporting cybersecurity incidents and vulnerabilities up to senior management were inadequate. The company neither admitted nor denied the SEC’s charges and agreed to pay a fine of approximately $487,000.
The September 22, 2021 Order
On September 22, 2021, Central District of California Judge Dale S. Fischer granted the defendants’ motion to dismiss without prejudice, granting the plaintiffs leave until October 25, 2021 to seek to file an amended complaint to try to address the Court’s concerns in its ruling on the motion to dismiss.
In granting the motion to dismiss, Judge Fischer first addressed the plaintiff’s allegation based on the company’s disclosures in SEC filings prior to the announcement of the cybersecurity incident; the allegations pertained to the company’s risk factor disclosures concerning its commitment to maintaining the security of customer information and about the company’s focus on maintaining procedures to ensure security. The plaintiff alleged that these statements were false and misleading because they did not disclose that the company failed to implement basic security standards and disregarded its own information security policies.
Judge Fischer agreed with the defendants that these risk factor disclosure statements were not actionable because the plaintiff “did not adequately plead that the Defendants had actual knowledge of the Breach at the time of the disclosures, or that the disclosures were specific enough to misrepresent the current state of affairs.” The company’s “generalized” statements about data security issues “do not establish that First American was aware of existing compromised data or support that the disclosure statements were specific enough to be contradicted” by the general knowledge of senior management.
Judge Fischer then turned to the plaintiff’s allegations concerning the company’s security program and its commitment to protecting data. She agreed with the defendants that these statements were “either true, too vague to be material or inactionable puffery.” Judge Fischer did note that certain of the plaintiff’s allegations about the company’s restriction of access to non-public information and the company’s provision of secure access to files in connection with escrow transactions were “closer questions”; however, Judge Fischer said that she found these statements “too vague to constitute material statements of fact.”
Finally, Judge Fischer addressed the plaintiff’s allegations concerning the cybersecurity incident itself. Judge Fischer found that the plaintiff had “not identified any facts to support the allegation that Defendants’ statements about the Breach were false or misleading.”
Although plaintiffs’ lawyers have continued to file cybersecurity-related securities lawsuits, the question remains whether these cases make good lawsuits from the plaintiffs’ perspective. For example, and even though there have been new cybersecurity-related lawsuits filed this year against SolarWinds (as discussed here) and Ubiquiti (discussed here), so far during 2021, two of the pending high-profile cybersecurity-related D&O lawsuits have been dismissed: in February 2021, the FedEx/NotPetya securities class action lawsuit was dismissed (as discussed here), and in June 2021, the long-running Marriott data breach securities suit was dismissed, as was the related shareholder derivative suit (discussed here). In many instances, plaintiffs have struggled to get any sort of traction in these cases.
To be sure, there have also been high-profile settlements in cybersecurity-related securities suits, as for example in the February 2020 settlement of the Equifax cybersecurity-related securities suit, in which the case was resolved for $149 million. But the rash of recent settlements in cybersecurity-related suits, including the dismissal in the First American securities suit, does raise the question of whether these kinds of cases make good suits for the plaintiffs’ lawyers. (To be sure, the dismissal here was without prejudice, and plaintiffs will have the opportunity to try to cure the shortcomings that the Court found. But for now at least the case has been dismissed, consistent with the dismissal in other cybersecurity-related securities suits.)
It is particularly interesting to me that in a case where the underlying facts were serious enough to attract a related SEC enforcement action, the defendants were still successful in getting the case dismissed. Of course, the SEC’s allegations that the company lacked adequate procedures for reporting cybersecurity incidents up to senior management really are not all that helpful for the plaintiff in the securities lawsuit, as the plaintiff needed to be able to show that senior management had actual knowledge, not that the company lacked adequate procedures to give them that knowledge. Also, it should be noted that the company neither admitted nor denied the SEC’s allegations, so the fact that the SEC merely asserted some allegations is not really all that helpful to the securities suit plaintiff.
As I have noted on this blog before, the rise of securities lawsuit filings involving cybersecurity incidents is a trend that has long been predicted but that by and large has not materialized. One reason that there are not more cybersecurity-related securities suits is that in most cases the share prices of the companies experiencing the incidents do not react significantly to the news. It may be that the financial markets have gotten inured to the news of cybersecurity incidents. But another reason that there have not been the volume of cybersecurity-related securities suits that had been predicted is that the plaintiffs’ track record in the cases that have been filed is not all that great. The Equifax settlement may stand as an example of a case in which the plaintiff was successful, but it is an example that may be understood more as an anomaly than as a representation of plaintiffs’ prospects in these kinds of cases.