The payment technology firm Block, Inc. (formerly known as Square) has been hit with a securities class action lawsuit related to the company’s announcement earlier this year that a former employee had improperly accessed and downloaded company customer data. The new lawsuit is the latest example of the ways in which data security incidents can translate into D&O claims. The complaint, filed on October 11, 2022, can be found here.
Block is a financial payment firm and financial services firm. Among the businesses Block maintains is bitcoin-enabled services operation run through its subsidiary, Cash App Investing.
On April 4, 2022, Block filed with the SEC a current report on Form 8-K in which the company disclosed that on December 10, 2021, a former employee had improperly downloaded reports of Cash App Investing. The information in the reports included full customer names and brokerage account numbers, as well as brokerage portfolio value, brokerage portfolio holdings, and trading activity. In its 8-K, the company emphasized that the reports did not include customer usernames or passwords, social security numbers, dates of birth or other sensitive personal information. The company stated that upon discovery of the data security breach it had contracted with an external forensics firm to investigate the breach, and that the investigation was continuing. According to the subsequently filed securities class action lawsuit, the company’s share price declined 6.4% on the news.
Earlier this year, a consumer class action lawsuit was filed against the company on behalf of the customers whose data was compromised, as discussed here.
On October 11, 2022, a plaintiff shareholder filed a securities class action lawsuit in the Southern District of New York against Block, its CEO, Jack Dorsey, and its CFO, Amrita Ahuja. The complaint purports to be filed on behalf of a class of investors who purchased Block securities between November 4, 2021 (the date on which the company filed its Form 10-Q in which the company made certain statements about its data security protocols) and April 4, 2022.
The complaint alleges that the defendants failed to disclose to investors: “(1) that the Company lacked adequate protocols restricting access to customer sensitive information; (2) that, as a result, a former employee was able to download certain reports of the Company’s subsidiary, Cash App Investing, containing full customer names and brokerage account numbers, as well as brokerage portfolio value, brokerage portfolio holdings and/or stock trading activity; (3) that, as a result the Company was reasonably likely to suffer significant damage, including reputational harm; (4) and that, as a result of the foregoing Defendant’s positive statements about the Company’s business, operations, and prospects were materially misleading and/or lacked a reasonable basis.”
The complaint alleges that the defendants violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. The complaint seeks to recover damages on behalf of the class.
As I noted in a September post discussing the dismissal of the data breach-related securities class action lawsuit that had been filed against Capital One, the plaintiffs’ lawyers’ data breach securities suits in general have not fared particularly well. Nevertheless, as I noted in May 2022 post discussing a cybersecurity-related securities suit that had just been filed against the technology company Octa, notwithstanding the relatively poor track record the plaintiffs have shown in data breach-related securities suits, the plaintiffs’ lawyer continue to file these kinds of lawsuits, as this case also shows.
At the same time, however, and notwithstanding the fact that these kinds of lawsuits do continue to be filed, the fact is that these kinds of lawsuits have never been filed in the volumes that many commentators (including this blog) had predicted. One aspect of this new lawsuit may help to explain why. The stock price drop that the plaintiff in this case claims was caused by the bad news disclosure was a relatively modest 6.4%, a share price decline that does not exactly suggest that the disclosure shocked the market (as the plaintiffs’ lawyers often like to allege in securities suits).
The fact is that the financial markets are kind of inured to these kinds of disclosures; it is not shocking news that a company suffered a data breach. Many of the resulting stock price drops are even slighter than the one this company sustained. With only modest stock price drops there is in many instances little to attract the attention of the securities plaintiffs’ lawyers. (Plaintiffs’ lawyers faced with only a modest stock price decline might decide to pursue a derivative suit rather than a securities suit, but as discussed here, cybersecurity-related derivative suits have not necessarily fared any better than the securities suits.)
All of that said, at least some of the data breach-related securities suits have managed to survive initial dismissal motions. For example, as discussed here, the motion to dismiss the data breach-related securities class action lawsuit that had been filed against SolarWinds survived the dismissal motion at least in part, as discussed here. And in any event, the $149 million settlement in the Equifax cybersecurity-related securities lawsuit certainly provides incentive enough for plaintiffs to pursue these kinds of claims.
I will say that when the time comes for the Court to consider the adequacy of the plaintiff’s allegations the Court will struggle to find allegations in the complaint sufficient for the Court to conclude that the plaintiff has adequately pled scienter.