Readers of this blog know that in recent years, plaintiffs’ lawyers have filed a number of D&O lawsuits against companies that experience cybersecurity-related incidents. Overall, the plaintiffs’ track record on these cases is at best mixed, and a number of high-profile cases have been dismissed. In the latest example of the dismissal of a cybersecurity-related securities suit, the court in the Capital One Financial Corporation data breach-related securities class action lawsuit has granted the defendants’ motion to dismiss. The September 13, 2022 dismissal order in the case can be found here.
Capital One is a bank holding company. Capital One promoted itself as a technologically savvy bank and in 2011 embarked on a highly promoted “Digital Transformation.” One aspect of the Digital Transformation, according to the bank, was that it offered enhanced cybersecurity through an automatic encryption program. As part of the rollout of the Digital Transformation, the bank made numerous public state statements touting the company’s cybersecurity approach and procedures.
On March 12, 2019, a hacker illegally accessed one of Capital One’s servers. The data accessed implicated 106 million Capital One customers and included, among other things, self-reported income, social security numbers, and credit performance information. Capital One was alerted to the hack by a third-party that had been monitoring a private chatroom. Capital One announced the breach on July 29, 2019. According to the subsequently filed securities suit complaint, the company’s share price fell nearly 6% on the news.
As I noted at the time, in October 2019, a plaintiff shareholder filed a securities class action lawsuit in the Eastern District of Virginia against Capital One and certain of its directors and officers. Among other things, the complaint alleged that Capital One had numerous deficiencies in its cybersecurity measures. The complaint alleged varying degrees of mismanagement with respect to the deficiencies. The plaintiff alleged that the company had made numerous false and misleading statements about the company’s cybersecurity that induced investors to buy Capital One’s stock, and that as a result they were harmed when the company’s share price declined on the news of the hack. The plaintiff alleged that the defendants violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. The defendants filed motions to dismiss.
The September 13, 2022 Order
In a September 13, 2022 Order, Eastern District of Virginia Judge Anthony J. Trenga granted the defendants’ motion to dismiss.
In granting the defendants’ dismissal motion, Judge Trenga first considered whether the plaintiff has sufficiently alleged falsity with respect to each of the various allegedly misleading statements. First, with respect to the company’s statements about its compliance with legal obligations and industry practices, Judge Trenga said the statements were immaterial puffery and non-actionable statements of opinion. With respect to the plaintiff’s allegations about the company’s failure to disclose its cybersecurity risks, Judge Trenga said that the amended complaint failed to allege with particularity what was false or misleading about the statements.
With respect to the plaintiffs’ allegations concerning the company’s statements about the Digital Transformation, and the claims that the Digital Transformation would lead to better cybersecurity, Judge Trenga said that the plaintiffs failed to allege that supposed cybersecurity deficiencies on which the plaintiff relied had actually occurred or what the scope of the deficiencies was. Judge Trenga also said that these statements were non-actionable forward-looking statements, opinion, or puffery. Similarly, Judge Trenga also found that the defendants’ alleged statements that cybersecurity was one of the company’s priorities, Judge Trenga also found that the alleged statements were non-actionable puffery or forward-looking statements, and also found that the defendants’ statements that the company followed reasonable access frequency and data retention practices were too vague to be actionable.
However, with respect to the plaintiff’s allegations that the defendants’ statements that unencrypted customer data was automatically and effectively encrypted were misleading, Judge Trenga did find that the statements were sufficiently particularized and that the plaintiff had established facial falsity, and therefore concluded that the amended complaint sufficiently alleges that these statements were materially false or misleading.
While Judge Trenga found that the plaintiff had sufficiently alleged falsity with respect to at least some of the alleged misrepresentations, he also found that the plaintiff had not sufficiently alleged scienter. He said that the “conclusory and boilerplate statements” on which the plaintiff sought to rely in order to establish scienter were “insufficient to meet the legal standard.” In particularly, he specifically found that the plaintiff had failed to adequately plead scienter with respect to the company’s data encryption capabilities. While various of the plaintiff’s allegations were, Judge Trenga said, “sufficient to establish some degree of mismanagement,” the plaintiff “fails to establish a strong inference of intentionality or recklessness.”
As I noted in my recent roundup of directors’ and officers’ liability trends, plaintiff’s lawyers track record in cybersecurity-related D&O claims is at best mixed. There have been a number of dismissals granted in several high-profile cybersecurity-related suits, as I noted most recently with respect to the Delaware Chancery Court’s dismissal of the cybersecurity-related shareholder derivative lawsuit filed against the board of SolarWinds.
However, as I also noted in my year-end round up, it may be the plaintiffs’ lawyers are not as focused on the mixed record on motions to dismiss as they are in the possibility of making a big score in one of these cases. The $149 million settlement in the Equifax cybersecurity-related securities lawsuit certainly provides incentive enough for plaintiffs to pursue these kinds of claims. The likelihood is that notwithstanding the plaintiffs’ relatively poor record overall in these kinds of cases, cybersecurity-related securities suits and other D&O claims are likely to continue to be filed.
I will say that one that one interesting thing about this lawsuit is the fact that the plaintiffs’ lawyers went ahead and pursued the claim, even though the magnitude of the stock price drop, as a percentage of the company’s share price, was relatively modest. The less than 6% drop is below the usual stock price drop that attracts the plaintiff’s attention.
One notable thing about Judge Trenga’s opinion is that while he found that the plaintiff had failed to present sufficient allegations of scienter in order to establish a claim for breach of the securities laws, he did say that plaintiff’s claims may have been sufficient to establish claims of mismanagement. This does raise the question of whether the plaintiff might have been able to assert viable claims on a theory other than one based on securities law violations. There would of course be threshold defenses even against a mismanagement claim (such as, in the context of a derivative suit, the demand futility requirement), but it does raise the question whether a different legal approach than the one the plaintiff pursued might have been more successful.
Special thanks to a loyal reader for proving me with a copy of Judge Trenga’s order.