Regular readers of this site know that one of the continuing D&O litigation trends over the last several years has been the incidence of securities class action lawsuits and other litigation arising out of cybersecurity incidents at the defendant company. While in many instances these suits have not fared particularly well, plaintiffs’ lawyers have nevertheless continued to file the suits. In the latest suit filing of this type, on May 20, 2022, a plaintiff shareholder filed a securities suit against the cybersecurity firm Okta, Inc., relating to the decline in the company’s share price following revelations of a data breach at the firm. Although in many ways this latest suit is similar to previously filed cybersecurity-related securities suits, there are certain distinct aspects of the suit that make it noteworthy, as discussed below. A copy of the May 20, 2022 complaint in the new lawsuit can be found here.
Background
Okta offers a variety of cybersecurity products and services. On March 21, 2022, hackers posted screenshots on their Telegram channel showing what they claimed was Okta’s “internal company environment.”
On March 22, 2022, the company’s CEO posted a statement on his Twitter account disclosing that in late January 2022, the company had detected “an attempt to compromise the account of a third-party customer support engineer,” adding that “the matter was investigated and contained.” He added that “we believe the screenshots shared online are connected to this January event” and that “based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”
In an after-hours statement posted on March 22, 2022 on the company’s website, the company’s Chief Security Officer disclosed further that “after a thorough analysis of the [hacker’s] claims, we have concluded that a small percentage of customers — approximately 2.5% — have potentially been impacted and whose data may have been viewed or acted upon.”
According to the subsequently filed securities complaint, following the updated after-hours statement, several news outlets reported that hundreds of the company’s clients were potentially affected by the data breach. The company was also downgraded by Raymond James from “strong buy” to “market perform,” noting that “the handling of its latest security incident adds to our mounting concerns.” The complaint alleges that the company’s share price declined almost 11% on the “aftermarket update and Raymond James downgrade.”
The Complaint
On May 20, 2022, a plaintiff shareholder filed a securities class action lawsuit in the Northern District of California against Okta and certain of its directors and officers (including the company’s Chief Security Officer). The complaint purports to be filed on behalf of investors who purchased the company’s securities between March 5, 2021 and March 22, 2022.
The complaint alleges that during the class period, the defendants made materially false and misleading statements and/or failed to disclose that: “(i) Okta had inadequate cybersecurity controls; (ii) as a result, Okta’s systems were vulnerable to data breaches; (iii) Okta ultimately did experience a data breach caused by a hacking group, which potentially affected hundreds of Okta customers; (iv) Okta initially did not disclose and subsequently downplayed the severity of the data breach; (v) all of the foregoing, once revealed, was likely to have a materially negative impact on Okta’s business, financial condition, and reputation; and (vi) as a result, the Company’s public statements were false and misleading at all relevant times.”
The complaint alleges that the defendants violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. The complaint seeks to recover damages on behalf of the plaintiff class.
Discussion
There have of course been securities suits and other D&O claims filed against companies that have experienced cybersecurity incidents for several years now. One of the more interesting recent developments with respect to this trend is the increasing number of cyber incident-related securities suits filed against cybersecurity companies.
Among the higher profile cybersecurity-related securities suits filed in recent months is the January 2021 lawsuit filed against the IT management company SolarWinds, relating to the cybersecurity breach at the company, as discussed here. The company was also hit with a separate but related shareholder derivative suit, based on the same incidents. As discussed here, the SolarWinds securities suit recently largely survived a motion to dismiss. The recently filed lawsuit against Okta represents another example of the filing of cybersecurity-related securities suits against companies involved in the cybersecurity industry.
Even outside of the cybersecurity incident context, cybersecurity firms have been attracting the attention of plaintiffs’ lawyers. As discussed here, earlier this month, the cybersecurity firm Arqit Quantum was hit with a securities suit, after questions were raised about the company’s encryption technology.
Another interesting feature of this lawsuit is the extent to which it depends on the statement by the company’s CEO on Twitter, in which the CEO allegedly soft-pedaled the seriousness of the incident. This is just the latest example where statements on social media have wound up being alleged to represent misrepresentations in subsequently filed securities class action lawsuits.
Another recent example of social media statements in securities litigation is the lawsuit filed against Affirm Holdings in late February 2022. As discussed here, the lawsuit filed against Affirm Holdings relies on an allegedly upbeat social media post that preceded the company’s filing of its quarterly earnings release. Then there is of course the quintessential securities suit filed in reliance on statements made on social media – that is, the lawsuit filed against Tesla based on Elon Musk’s infamous “take private” tweet, discussed here. As I said in connection with the Affirm Holdings lawsuit, the one thing these cases do is reinforce the need for companies to institute protective measures in connection with the company’s social media practices and statements.
This is also yet another lawsuit that underscores how the way the company handles bad news disclosures can significantly impact subsequent securities litigation. The allegation that the defendant company soft-pedaled a bad news disclosure is a frequent one in securities lawsuits.
I emphasize these points about social media practices and bad news disclosure in part because I am frequently asked how companies can address their securities litigation risk. These two items are two examples of the ways in which companies can take steps to try to avoid securities litigation or put themselves in a better position to defend the suit if one is filed.
One final note: despite plaintiffs’ poor track record in cybersecurity related D&O suits, plaintiffs’ lawyers still remain interested in pursuing these kinds of suits. This is an important point for corporate boards and company management. Among all the reasons to implement cybersecurity related measures, there is the risk of cybersecurity-related D&O litigation. All the more reason for company management to take up the kinds of practices discussed in the preceding paragraph.