In the midst of its battles with Elon Musk over Musk’s attempt to walk away from his proposed takeover of the company, Twitter was rocked by the news that a whistleblower had sent Congress and federal agencies explosive reports of “major security problems” at the company. According to the news reports, the whistleblower’s disclosure not only detailed privacy and cybersecurity vulnerabilities at Twitter, but also included allegations that company management had misled its own corporate board and government regulators about the vulnerabilities. Among other things, these revelations triggered a Congressional inquiry. And now, a plaintiff shareholder has launched a securities class action lawsuit against the company and several of its executives, based on the whistleblower’s allegations. As discussed below, the complaint has several interesting features.
The Twitter whistleblower, Peiter “Mudge” Zatko, is a network security expert who worked who was hired by Twitter to review its security issues. (For more detailed background about Zatko, refer here.) Zatko left the company in January 2022 under circumstances that are now disputed, with Zatko claiming he was fired for agitating about the company’s security vulnerabilities and with the company claiming he was fired for performance-related issues.
On August 23, 2022, CNN broke the story that the months before, Zatko had sent a report to Congress and federal agencies in which Zatko described alleged security vulnerabilities at the company. The news report stated that Zatko had alleged that Twitter has “major security problems that pose a threat to its own users’ personal information, to company shareholders, to national security, and to democracy.” Zatko’s disclosure reportedly painted a picture of a company that does not sufficiently control or monitor its platform or its most sensitive information. Zatko also apparently claimed that senior company management “mislead its own board and government regulators about its security vulnerabilities, including some that allegedly open the door to foreign spying and manipulation, hacking and disinformation campaigns.”
On September 13, 2022, the same day as Zatko testified about Twitter’s alleged security issues at a Senate hearing, a plaintiff shareholder filed a securities class action lawsuit in the Central District of California against Twitter and certain of its officers. A copy of the complaint can be found here. The complaint purports to be filed on behalf of a class of investors who purchased the company’s securities between August 3, 2020 and August 23, 2022.
The complaint consists largely of extensive block quotations from Twitter’s various SEC filings during the class period, in which the company described its cybersecurity and privacy protocols, standards, and procedures. The complaint then recounts the various news reports about Zatko’s whistleblower allegations. The complaint alleges that Twitter’s share price fell 7% on the news of Zatko’s report.
The complaint alleges that during the class period, the defendants made false and/or misleading statements or failed to disclose that: “(1) Twitter knew about security concerns on their platform; (2) Twitter actively worked to hide the security concerns from the board, the investing public, and regulators; (3) contrary to representations in SEC filings, Twitter did not take steps to improve security; (4) Twitter’s active refusal to address security issues increased the risk of loss of public goodwill; and (5) as a result, Defendants’ statements about Twitter’s business, operations, and prospects were materially false and/or lacked a reasonable basis at all relevant times.”
The complaint alleges that the defendants violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. The complaint seeks to recover damages on behalf of the plaintiff class.
The plaintiff’s complaint has a certain “ripped from the headlines” feel to it. The plaintiffs’ lawyers clearly are trying to capitalize on the furor that followed in the wake of the whistleblower’s revelations. At the same time, the complaint embodies several different securities litigation trends.
First, the complaint clearly arises out of cybersecurity, a topic that has been at the heart of a number of securities class action lawsuits in recent years. However, while there have been cybersecurity-related securities suits in recent years, this latest suit is different, in that it does not relate directly to a data breach or other cybersecurity incident. Instead, the gist of the complaint is that the company actively mislead investors and others about the state of its cybersecurity controls and effectiveness. At a minimum, the complaint embodies yet another way that cybersecurity issues can lead to securities litigation.
Second, the complaint also relates to privacy issues. Privacy can of course be related to cybersecurity, as this case in fact demonstrates. Both the complaint and Zatko’s report refer to the 2011 settlement that Twitter agreed to with the Federal Trade Commission relating to the “security, privacy, and confidentiality of nonpublic consumer information.” At the same time, and as I have previously noted (for example, here), privacy concerns represent a separate but important different operating risk for companies, and this operating risk can translate into litigation risk, as this latest complaint also shows.
Third, the complaint also demonstrates a different phenomenon, which is the way that whistleblower reports can translate into securities class action litigation. In at least one other instance securities class action litigation has resulted following the revelations of a whistleblower report. As discussed here, in 2021 a plaintiff shareholder sued ExxonMobil and certain of its executives following news reports that the SEC has launched an investigation of the company based on whistleblower reports questioning the company’s asset valuations of its Permian basin oil fields.
One final recent trend that this new lawsuit represents is the apparent dynamic creating ever-increasing amounts of litigation involving Twitter. I can’t image what the company’s legal bills amount to, but it does seem be generating its own self-sustaining system of corporate and securities litigation. Like the gravitational pull exerted between celestial bodies, the various Twitter lawsuits are now affecting each other. For example, Elon Musk has now incorporated some of the whistleblower’s allegation in his countersuit against Twitter in the litigation involving his withdrawn bid to take over the company.
It probably should be noted that this lawsuit has been filed even though the whistleblower’s allegations are still under investigation. None of the whistleblower’s allegations have in fact been substantiated. The plaintiff in this case will face an interesting challenge establishing that he has adequately pled falsity. For that matter, in the context of all of the volatility that has surrounded Twitter and its stock in recent months, the stock price decline that followed the revelations of the whistleblower report seems relatively modest.