As I have noted in numerous posts on this site (most recently here), the plaintiffs’ track record in data breach-related securities class action lawsuits is mixed at best. To be sure, there have been cases in which plaintiffs’ have prevailed, but overall the plaintiffs’ track record in data breach-related securities suits has been poor. In the latest setback for plaintiffs in these kinds of cases, the Ninth Circuit has affirmed the trial court’s dismissal of the data breach-related securities suit filed against Zendesk. A copy of the Ninth Circuit’s March 2, 2022 Opinion in the Zendesk case can be found here.
As discussed here, in October 2019, Zendesk was hit with the first of multiple securities class actions. The lawsuits related to the company’s disclosure that a third party had alerted the company that its customer support and chat products and customer accounts had been accessed. The company’s release, as updated, said that upon learning of the security concern, the company engaged a forensic team; initiated its security incident protocol; and contacted law enforcement officials.
The company said that it had “identified approximately 15,000 Zendesk Support and Chat accounts, including expired trial accounts and accounts that are no longer active, whose account information was accessed without authorization prior to November of 2016.” The company’s share price declined less than four percent on the news.
The complaints, which were subsequently consolidated, alleged, inter alia, that the company had made misrepresentations with respect to the data breach and with respect to the company’s security overall. The defendants moved to dismiss.
As discussed here, on November 9, 2020, Northern District of California Judge Charles Breyer granted the defendants’ motion to dismiss in the Zendesk lawsuit. A copy of Judge Breyer’s order can be found here.
In granting the motion to dismiss, Judge Breyer concluded that the plaintiff had failed to state a claim on which relief may be granted with respect to the data breach allegations. In reaching this conclusion, Judge Breyer said that “the failure to disclose the data breach may have been a material omission,” the plaintiff “has not alleged that Zendesk knew of the data breach (or was consciously reckless with respect to its occurrence) when it made any challenged statements or disclosures.” Judge Breyer noted that the plaintiff’s allegations are “consistent with Zendesk acknowledging the risk of such a breach and swiftly disclosing the breach once Zendesk became aware.”
The plaintiff appealed Judge Breyer’s ruling to the Ninth Circuit.
The Ninth Circuit Decision
In a March 2, 2022 opinion designated not for publication, a three-judge panel of the Ninth Circuit affirmed the district court’s dismissal of the plaintiff’s complaint.
The Ninth Circuit specially held that the plaintiff’s complaint “did not include facts supporting a reasonable inference” that the statements on which the plaintiff sought to rely “were false or misleading.” The appellate court specifically rejected the plaintiff’s argument that the statements about the company’s security program “created the impression that Zendesk implemented the data security best practices described … no later than 2016, when in fact the company did not implement those practices until later.” The appellate court said that neither of the statements on which the plaintiffs sought to rely “makes any reference to Zendesk’s data security practices in 2016.”
The court also rejected the plaintiffs’ attempts to rely on statements the plaintiff alleged to suggest that data breach prevention efforts had all been put in place in response to previous hacks, or that investors would be led to believe that the company had never suffered an undetected hack in the past. The court said the statements “would not give an ordinary investor reason to believe that Zendesk was asserting that the risk that an undetected breach had occurred was particularly high or low, or that it had changed over time.”
Finally, the appellate court concluded that the district court did not err in finding that the plaintiffs had failed to state “with particularity” facts supporting a “strong inference” of scienter. The plaintiffs, the appellate court said, had failed to allege facts sufficient to support the “core operations” theory on which the plaintiff sought to rely, specifically holding that the statements on which the plaintiffs sought to rely “were not so dramatically false that at least some corporate official must have known of their falsity upon publication.”
Plaintiffs’ lawyers have continued to file cybersecurity-related securities class action lawsuits, but the question remains whether these cases make good lawsuits from the plaintiffs’ perspective. Many of the cases, whether filed as securities suits or as shareholder derivative actions have been dismissed (as noted most recently here). In many instances, plaintiffs have struggled to get any sort of traction in these cases.
To be sure, there have also been high profile settlements in cybersecurity-related securities suits, as for example in the February 2020 settlement of the Equifax cybersecurity-related securities suit, in which the case was resolved for $149 million. But the rash of recent dismissal motion grants in cybersecurity-relates suits, including the dismissal in the Zendesk securities suit, do raise the question whether these kinds of cases make good suits for the plaintiffs’ lawyers.
From the very beginning of this case, I have questioned whether this case even made sense from the plaintiffs’ perspective. The very modest <4% share price decline that accompanied the supposed bad news disclosure in this case strongly suggested to me that this case was not really a very solid case from the plaintiffs’ perspective.
The relatively modest share price decline that accompanied the supposed bad news disclosure in this case exemplifies why there have, in fact, not been more cybersecurity-related securities suits filed. The fact is that investors are aware that in the current environment all companies face cybersecurity risks; investors seem inured to news of cybersecurity incidents. While cybersecurity unquestionably remains a key operating risk for companies, and while cybersecurity unquestionably can give rise to board liability, not every company that experiences a cybersecurity incident is going to face a D&O lawsuit as a result. For now at least, it seems that many cybersecurity-related D&O suits that are filed do not turn out to be all that great for the plaintiffs’ lawyers.
One final note about this decision is that the appellate court’s ruling here stands in contrast with the Ninth Circuit’s reversal last year of the dismissal in the Alphabet/Google+ data breach-related securities suit (discussed here). While the appellate court’s decision in the Zendesk suit does underscore the fact that these cases have not turned out great for plaintiffs’ lawyers, the Ninth Circuit’s reversal in the Alphabet suit does highlight the fact that the plaintiffs’ lawyers have made some headway in some of these cases. Because of the settlements I noted above and because of the developments like the Ninth Circuit’s reversal in the Alphabet case, the plaintiffs’ lawyer may yet continue to pursue the cybersecurity-related lawsuits, notwithstanding the relatively poor track record.