As readers of this blog well know, since the initial U.S. coronavirus outbreak in March 2020, plaintiffs’ lawyers have filed dozens of COVID-19-related securities class action lawsuits. Even though the coronavirus-related litigation phenomenon, like the coronavirus outbreak itself, is about to enter its third year, relatively few of the coronavirus-related securities suits have yet reached the motion to dismiss stage. However, last week the federal judge presiding over the coronavirus-related lawsuit filed against Zoom Video Telecommunications entered an order granting in part and denying in part the defendants’ motion to dismiss. The Court’s February 16, 2022 order, a copy of which can be found here, also presents an interesting perspective on the ways in which privacy and security issues can lead to potential securities law liability exposures.

 

Background

As discussed here, in early April 2020, a plaintiff shareholder filed a securities class action lawsuit in the Northern District of California against Zoom; Eric Yuan, the company’s CEO; and Kelly Steckelberg, the company’s CFO. The gist of the plaintiff’s lawsuit is that the surge in the use of the company’s services that followed the coronavirus outbreak allegedly revealed allegedly undisclosed weaknesses in the company’s security.

 

In his amended consolidated complaint, the plaintiff alleged that the defendants had made 15 false and misleading statements. In the first of these 15 alleged misrepresentations, a statement that appeared in the offering documents filed in connection with the company’s April 2019 IPO, the company allegedly stated that “We offer robust security capabilities, including end-to-end encryption, secure login, administrative controls and role-based access controls.”

 

The defendants filed a motion to dismiss the plaintiff’s complaint.

 

The February 16, 2022 Order

In his February 16, 2022 Order, Northern District of California James Donato granted the motion in part and denied the motion in part. With respect to 14 of the 15 statements, Judge Donato concluded that the plaintiff had not sufficiently alleged scienter with respect to any of those statements. He dismissed the plaintiffs’ claims with respect to those statements, with leave for the plaintiff to seek to replead.

 

However, with respect to the first of the 15 statements – that is, the statement in the company’s offering documents about its platform’s “robust security capabilities” and “end-to-end encryption” – Judge Donato denied the motion to dismiss.

 

In denying the motion, Judge Donato put a great deal of weight on statements that Yuan, the company’s CEO, allegedly made on the company’s blog about security issues the company’s users had been experiencing. Among other things, Yuan allegedly said that “we recognize that we have fallen short of the community’s – and our own – privacy and security expectations.” Yuan also allegedly made a statement apologizing “for the confusion we may have caused by incorrectly suggesting that Zoom meetings were capable using end-to-end encryption,” adding that “we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”

 

Judge Donato found that the plaintiff had adequately alleged falsity and scienter with respect to the company’s statement in its registration statement about “end-to-end encryption.” The plaintiff, Judge Donato said, “has adequately alleged that defendants’ Statement No. 1 gave an impression of a state of affairs that differs in a material way from the one that actually existed.” Judge Donato also said that in making the statement about end-to-end encryption, the plaintiff had adequately alleged that the defendants had “acted either intentionally or with deliberate recklessness.”

 

Discussion

When this lawsuit was first filed, I immediately tagged its as being coronavirus-related, while at the same time acknowledging that it was also a privacy-and-security related securities suit as well. I did acknowledge at the time that it was a fair question whether the lawsuit was really more about the company’s privacy and security issues than it was about the coronavirus. What I said at the time, and what I still believe, is that gist of the lawsuit is that changed operating circumstances resulting from the coronavirus outbreak stressed the company’s systems and services and made apparent weaknesses in the company’s operating circumstances and also highlighted alleged differences between the services provided and the way the company had characterized its services to investors.

 

In short, the stresses caused by the coronavirus outbreak created the company’s crisis, which led to the lawsuit. As I said at the time, and as I continue to believe, this lawsuit definitely counts as a coronavirus-outbreak related lawsuit.

 

Because I believe that this case is a coronavirus-related lawsuit, Judge Donato’s ruling in the case is relevant to the scorekeeping on how the coronavirus cases are faring as they reach the motion to dismiss stage.

 

As I noted at the outset of this post, even though the coronavirus-related litigation phenomenon is entering its third year, relatively few of the coronavirus-related securities suits have reached rulings at the dismissal motion stage. Of the now nine coronavirus-related securities cases in which dismissal motion rulings have been entered, the motion to dismiss has been granted in six. In two cases against vaccine manufacturers Inovio and Vaxart, the dismissal motions were denied at least in part (as discussed here and here, respectively).  And now of course the dismissal motion was denied in part in this securities suit filed against Zoom.

 

While I do believe this case does qualify as a coronavirus-related securities suit, it also is unquestionably also a privacy and security-related securities lawsuit as well. Regular readers know that for some time now, I have been declaring my view that privacy-related issues represent a significant new source of potential D&O exposure. Among other things, the facts and circumstances alleged in this case underscore the critical importance of privacy and security-related concerns and demonstrate how questions about privacy and security issues can lead to D&O claims.