As I have noted in prior posts on this site (most recently here), plaintiffs’ lawyers’ claims in cybersecurity-related D&O lawsuits recently have fared poorly. A number of these suits recently have failed to clear the initial pleading hurdles. However, in a ruling last week, the federal judge presiding over the SolarWinds cybersecurity-related securities suits substantially denied the defendants’ motions to dismiss in an opinion that has a number of interesting features, as discussed below. Western District of Texas Judge Robert Pitman’s March 30, 2022 opinion in the case can be found here.
SolarWinds provides network security products and services. SolarWinds’ customers include the Pentagon, the State Department, the Office of the President, the FBI, the Secret Service, and the National Security Administration. In late December 2020, the company discovered that an intruder, believed to be working for the Russian Foreign Intelligence Services, had injected malicious code into SolarWinds’ “Orion” software. When downloaded onto a customer’s server, the infected software could be used to compromise the customer’s server. Following the company’s public report of this incident, the company’s share price declined by more than a third.
Shortly after that, Reuters published an additional article reporting that in 2019 a security researcher had alerted the company that anyone could access SolarWinds’ update server using the password “solarwinds123,” and that days after SolarWinds realized its software had been compromised, the malicious updates were still available for download.
As discussed here, in January 2021, a plaintiff shareholder filed a securities class action lawsuit against the company and certain of its executives. A subsequent amended complaint named as defendants the company itself; its CEO at the time, Kevin Thompson; Barton Kalsu, its CFO; Tim Brown, its Vice President for Security Architecture; and Silver Lake and Thoma Bravo (private equity firms that together owned about 40% of SolarWinds).
The complaint alleged that the company had “falsely and misleadingly” told investors that it had a robust cybersecurity system and adhered to specific cybersecurity practices set forth in a “Security Statement” on its website. The Security Statement stated that the company had a security team, had an information security policy, and provided security training to its employees. The amended complaint also alleged that defendant Brown regularly wrote articles and appeared in interviews touting SolarWinds’ focus on “heavy-duty hygiene” and directed customers and investors to the Security Statement.
The amended complaint alleges that despite defendants’ statement about the company’s cybersecurity measures, the measures were “woefully deficient and not as represented.” In support of this allegation, the amended complaint cited the “solarwinds123” password incident. The amended complaint also referenced a presentation by SolarWinds’ Ian Thornton-Trump to top company executives before the beginning of the class period, in which Thornton-Trump allegedly addressed the company’s deficient cybersecurity practices. After the company supposedly failed to address the deficiencies, Thornton-Trump allegedly left the company in protest. The amended complaint also refers to statements of ten former employees of the company who stated that the company did not employ the security practices that the company claimed, and that the company did not have a security team, a social information policy, or a password policy, and had no security training.
The complaint also alleges that one week before the cybersecurity incident was disclosed, Thompson, the company’s CEO, sold over $20 million of his personal holdings in company stock and the two private equity firms sold $261 million in shares.
The defendants filed motions to dismiss, arguing that the amended complaint failed to sufficiently allege falsity, scienter, and causation.
The March 30, 2022 Order
On March 30, 2022, Western District of Texas Judge Robert Pitman granted in part and denied in part the defendants’ motions to dismiss. Judge Pitman denied the motion as to the company and as to defendant Brown; granted the motion of Thompson to dismiss the Section 10(b) claim against him, but denied the motion as to the control person allegations against him under Section 20(a); and denied the motion as to the control person liability allegations against the two private equity firms.
In concluding that the plaintiff had adequately alleged scienter as to the company and defendant Brown, Judge Pitman noted that the plaintiffs had sufficiently pled that Brown “acted with, at least, severe recklessness when he touted the security measures implemented at Solar Winds.” In reviewing the various items on which the plaintiff relied in order to show that the company misrepresented its cybersecurity practices, Judge Pitman concluded that these allegations “that the cybersecurity measures at SolarWinds were not as strong as Brown repeatedly presented” during the class period “support the Court’s conclusion that Plaintiffs have plausibly asserted the element of scienter.”
Judge Pitman also found that certain statements on which the plaintiff relies were “misleading.” Judge Pitman specifically referenced various statements of Brown’s in which he referenced the company’s focus on “heavy-duty hygiene” and that the company was working on “making sure that there is good basic hygiene.” Judge Pitman said that Brown’s repeated reference to cybersecurity hygiene, when coupled with surrounding statements regarding the company’s cybersecurity practices, can be “considered misleading.” Judge Pitman noted that various other alleged facts, such as the solarwinds123 password incident, the Thornton-Trump presentation, and the statements of the former employees showed that “the cybersecurity measures at the company were not as they were portrayed.” Judge Pitman also concluded that the plaintiff had adequately alleged loss causation as to Brown and the company as well.
Judge Pitman granted the motion of Thompson, the CEO, to dismiss the Section 10(b) allegations against him; the dismissal of the Section 10(b) claims was without prejudice, as Judge Pitman expressly allowed the plaintiff leave to seek to replead the Section 10(b) allegations. In granting the motion as to the Section 10(b) claims against Thompson, Judge Pitman concluded that the complaint did not allege that Thompson was the “maker” of any of the alleged misleading statements. Judge Pitman also concluded that the plaintiff had not adequately alleged scienter against Thompson; Judge Pitman concluded among other things that Thompson’s large stock sale shortly before the news of the cybersecurity incident was made shortly ahead of Thompson’s announced departure from the company and was executed according to a Rule 10b5-1 trading plan that was put in place in August 2020, before SolarWinds received notice of the breach.
However, Judge Pitman denied Thompson’s motion to dismiss the Section 20(a) control person claims against Thompson. Judge Pitman also denied the motions of the two private equity firms to dismiss the Section 20(a) control person liability claims against them, concluding the plaintiff’s allegations that the private equity firms “acted jointly to exercise control over SolarWinds are sufficient to survive a motion to dismiss.”
SolarWinds issued the following statement: “We disagree strongly with the claims made by the plaintiff and look forward to having the opportunity to present the true facts as this process continues beyond its current very early stage.”
Judge Pitman’s substantial denial of the motions to dismiss is noteworthy in and of itself but also in the context of the outcome of similar motions in several high-profile cybersecurity-related D&O lawsuits in recent months. The plaintiffs’ track record in recent months on motions to dismiss in cybersecurity-related D&O suits has been poor.
In 2021 alone, several of the pending high-profile cybersecurity-related D&O lawsuits were dismissed: in February 2021, the FedEx/NotPetya securities class action lawsuit was dismissed (as discussed here); in June 2021, the long-running federal court Marriott data breach securities suit was dismissed, as was the related federal court shareholder derivative suit (discussed here), and in October 2021, the related-but-separate state court Marriott derivative suit was dismissed as well (as discussed here); and in September 2021, the cybersecurity-related securities class action lawsuit against title insurer First American was also dismissed (discussed here).
Against this recent track record, the substantial dismissal motion denial in the SolarWinds case stands out, particularly given how high-profile the cybersecurity incident involved in the case was. At a minimum, the court’s ruling shows that in at least some circumstances plaintiffs can assert cybersecurity-related D&O claims sufficient to survive a motion to dismiss. To be sure, it is not as if plaintiffs’ lawyers necessarily needed further encouragement to file these kinds of cybersecurity-related suits. The $149 million settlement in the Equifax cybersecurity-related securities lawsuit certainly provides incentive enough for plaintiffs to pursue these kinds of claims. Just the same, the dismissal motion denial in this case may provide further encouragement.
There are some interesting aspects of this decision. First, I found it striking how much Judge Pitman made out of defendant Brown’s various statements about the company’s cybersecurity “hygiene.” I find it a little bit odd that Judge Pitman thought these “hygiene” remarks could support securities fraud allegations. I think the use of the word “hygiene” is sufficiently unspecific and nebulous that it doesn’t seem to me to carry the kind of weight that Judge Pitman gave it. I mean, seriously, what does it even mean to say the company focuses on cybersecurity “hygiene”?
I also think it is interesting that Judge Pitman concluded that Thompson’s sale of $20 million in his personal holdings in company stock just days before the bad news was disclosed did not support an inference of scienter. What is particularly noteworthy about it is that Judge Pitman specifically concluded that the fact that the sale was made pursuant to a prior Rule 10b5-1 plan rebuts the inference of scienter. This aspect of the decision supports something I have long said, which is that though Rule 10b5-1 plans are sometimes criticized, the plans nevertheless if used properly can provide a measure of protection against liability under the securities laws.
One other interesting thing about Judge Pitman’s rulings is that he denied the motions of the two private equity firms to dismiss the Section 20(a) control person liability allegations against them. Private equity firms everywhere will want to take notice of this development, especially since the plaintiff’s allegations that the two firms – minority owners, at that – acted jointly to exercise control over the company were really kind of thin. I suspect this aspect of Judge Pitman’s ruling could set off some alarm bells in the front office of private equity firms around the country.