One of the reasons there have not been as many cybersecurity-related securities lawsuits as some commentators (including me) expected is that the plaintiffs’ track record in the cases that have been filed has been decidedly mixed. To be sure, there have been some very noteworthy successes for the plaintiffs, including the Equifax cybersecurity-related securities suit, which settled for $149 million. But though there have been some noteworthy successes, many of the other cybersecurity related securities suits have ended in dismissal.
Among the more significant recent cybersecurity-related securities suit dismissals was the ruling in the securities lawsuit relating to the massive Marriott data breach. Now, on appeal, the Fourth Circuit has affirmed the district court’s dismissal in the Marriott case, the latest in a series of high-profile setbacks plaintiffs have experienced in cybersecurity-related securities suits. A copy of the Fourth Circuit’s April 21, 2022 opinion can be found here.
In 2016, Marriott merged with Starwood Hotels and Resorts Worldwide. Two years later, Marriott learned that malware had impacted approximately 500 million guest records in the Starwood guest database, resulting in the second largest data breach in history. Subsequent investigations of the incident revealed that there had been unauthorized access to the Starwood network since 2014.
In December 2018, a plaintiff lawyer filed the first of several securities class action lawsuits against Marriott and certain of its executives. The lawsuits were ultimately consolidated in the District of Maryland. (In addition to the securities suits, other plaintiffs filed separate shareholder derivative lawsuits against Marriott executives based on the same underlying factual circumstances.) The plaintiffs in the securities suits alleged that the defendants had misled investors about the company’s cybersecurity protections. The defendants moved to dismiss the plaintiffs’ amended consolidated complaint.
As discussed here, on June 11, 2021, District of Maryland Paul W. Grimm granted the defendants’ motion to dismiss, based on his conclusion that the plaintiffs had failed to adequately allege a false or misleading statement, a strong inference of scienter, and loss causation. Judge Grimm granted the motion with prejudice. (In a separate opinion, Judge Grimm also granted the motion to dismiss the cybersecurity-related federal court derivative lawsuit against the Marriott board, that was also pending before Judge Grimm. A Delaware court also separately dismissed the Delaware state law breach of fiduciary duty claim separately pending against the Marriott board.) The plaintiffs appealed Judge Grimm’s dismissal of the securities lawsuit.
The Fourth Circuit’s Opinion
In an April 21, 2022 opinion written by Judge Toby Heytens for a unanimous three-judge panel, the Fourth Circuit affirmed the district court’s dismissal of the plaintiff’s lawsuit. The court said it was affirming the dismissal “because the investors have not adequately alleged that any of Marriott’s statements were false or misleading when made.”
In reaching its conclusion, the appellate court considered three sets of statements that the plaintiff had alleged were misleading: statements about the importance of protecting customer data; privacy statements on Marriott’s website; and cybersecurity-related risk disclosures.
With respect to the statements about protecting customer data, the plaintiff cited numerous statements made by or for the company in which the company stated the importance of protecting customer information, which the plaintiffs alleged “created the misleading impression that Marriott was securing and protecting the customer date it acquired from Starwood.” The problem with the complaint on this point is, the appellate court said, that the facts the plaintiff alleged “do not contradict Marriott’s public disclosures.” Indeed, the plaintiffs’ entire theory of the case turns on these statements being true – that is, that data integrity is “critically important” to Marriott and its investors. The appellate court said that “reiterating this basic truth is neither misleading nor creates the false impression that the investors suggest.”
More importantly, and unlike the facts alleged in the Equifax case, Marriott made no public statements about the qualify of its cybersecurity – Marriott made no characterizations. And even more to the point, Marriott made numerous warnings about the risks that the company’s systems may be vulnerable.
With respect to the company’s statements about privacy, the appellate court similarly found that none of the plaintiffs’ allegations “demonstrates that the challenged privacy statements were false or misleading.” Indeed, the complaint concedes that Marriott devoted resources toward protecting customer privacy, and “the remaining privacy statements were accompanied by such sweeping caveats that no reasonable investor could have been misled by them.”
Finally, with respect to Marriott’s supposedly misleading cybersecurity risk disclosures, the plaintiffs argued that the company had warned of risks that in fact were at the same time already being realized by the company. Again, however, the appellate court found that “the investor has failed to identify any statement that was false or misleading when made.”
As I noted at the outset, many cybersecurity-related securities lawsuits have ended in dismissal. The appellate court’s affirmance of the district court’s dismissal in this case bespeaks a high degree of judicial unwillingness to entertain questions about earlier statements based on subsequent events.
One particularly important feature of the decision is the extent to which the appellate court relied on Marriott’s extensive precautionary disclosure in concluding that investors had not been misled. The appellate court’s opinion provides strong reinforcement for the use of precautionary disclosures as a way to try to minimize the securities litigation risk arising out of cybersecurity disclosures.
Though I have emphasized the extent to which many cybersecurity-related securities claims have resulted in dismissals, it should at the same time be noted that the track record is not uniform. As I noted at the outset, the Equifax case settled for $149 million. And as I noted in a recent post (here), the motion to dismiss in the Solar Winds cybersecurity-related securities lawsuit was recently largely denied. Given these differing results, it is probably most accurate to say that the track record for the plaintiffs in these cases has been mixed.
There is one critical aspect of the appellate court’s opinion that is worth considering in light of the SEC’s proposed new cybersecurity related disclosure guidelines. The court said in its concluding paragraph that “Marriott certainly could have provided more information to the public about its experience with and vulnerability to cyberattacks, but the federal securities laws did not require it to do so.” It is worth considering whether the heightened cybersecurity disclosure requirements in the SEC’s proposed new guidelines might have created a different set of disclosure requirements – a set of requirements that, were they in place, might have raised more questions about whether Marriott’s disclosures were adequate.
These are questions that are worth thinking about as the new disclosure guidelines are considered. It is worth contemplating whether the new guidelines, if enacted, would not only create increased disclosure expectations, but also afford plaintiffs further grounds on which to argue that disclosures were insufficient.