As I noted in my year-end round up of D&O related issues (here), plaintiffs’ lawyers have continued to file securities class action lawsuits following cybersecurity incidents, even though the plaintiffs’ track record in these kinds of lawsuits generally has been poor. Among the cybersecurity-related securities lawsuits filed last year was the suit against cloud-based software company Okta relating in part to the cybersecurity incident at the company earlier in the year. Consistent with the general trend, on March 31, 2023, the court presiding over the Okta securities lawsuit granted the defendants’ motion to dismiss the cybersecurity-related allegations, although the court denied the dismissal motion with respect to certain of the plaintiffs’ other unrelated allegations. The court granted the plaintiff leave to amend the dismissed allegations. The court’s March 31, 2023, order can be found here.
Okta offers a variety of cloud-based software products and services. On March 21, 2022, hackers posted screenshots on their Telegram channel showing what they claimed was Okta’s “internal company environment.”
On March 22, 2022, the company’s CEO posted a statement on his Twitter account disclosing that in late January 2022, the company had detected “an attempt to compromise the account of a third-party customer support engineer,” adding that “the matter was investigated and contained.” He added that “we believe the screenshots shared online are connected to this January event” and that “based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”
In an after-hours statement posted on March 22, 2022, on the company’s website, the company’s Chief Security Officer disclosed further that “after a thorough analysis of the [hacker’s] claims, we have concluded that a small percentage of customers — approximately 2.5% — have potentially been impacted and whose data may have been viewed or acted upon.”
According to the subsequently filed securities complaint, following the updated after-hours statement, several news outlets reported that hundreds of the company’s clients were potentially affected by the data breach. The company was also downgraded by Raymond James from “strong buy” to “market perform,” noting that “the handling of its latest security incident adds to our mounting concerns.” The complaint alleges that the company’s share price declined almost 11% on the “aftermarket update and Raymond James downgrade.”
As discussed in detail here, on May 20, 2022, a plaintiff shareholder filed a securities class action lawsuit in the Northern District of California against Okta and certain of its directors and officers. The complaint alleges that during the class period, the defendants made materially false and misleading statements and/or failed to disclose that: “(i) Okta had inadequate cybersecurity controls; (ii) as a result, Okta’s systems were vulnerable to data breaches; (iii) Okta ultimately did experience a data breach caused by a hacking group, which potentially affected hundreds of Okta customers; (iv) Okta initially did not disclose and subsequently downplayed the severity of the data breach; (v) all of the foregoing, once revealed, was likely to have a materially negative impact on Okta’s business, financial condition, and reputation; and (vi) as a result, the Company’s public statements were false and misleading at all relevant times.”
The complaint as amended also contained unrelated allegations concerning alleged problems Okta encountered in connection with its acquisition of Auth0, Inc.
The defendants moved to dismiss the complaint.
The March 31, 2023, Order
In a March 31, 2023, order, Judge Susan Illston granted the motion in part and denied the motion in part with respect to alleged omissions concerning the company’s integration of the Auth0 acquisition. In a much shorter portion of her order, Judge Illston granted the defendants’ motion with respect to the plaintiffs’ allegations concerning the cybersecurity incident. Judge Illston granted the plaintiff leave to amend the complaint with respect to all allegations on which she had granted the motion to dismiss.
In ruling on the defendants’ motion with respect to the cybersecurity-related allegations, Judge Illston separately analyzed each of the separate sets of alleged misrepresentations or omissions on which the plaintiff sought to rely. In each instance, she found that the alleged misrepresentations or omissions were insufficient to state a claim.
First, she held that the plaintiffs’ allegations based on the defendants’ alleged statements concerning the company’s “commitment” to data security represent non-actionable statements of corporate aspiration or puffery.
Second, with respect to plaintiffs’ allegations based on alleged omissions to disclose that the company was not properly securing its administrative tools and alleged failure to require sub-processors to comply with the company’s security requirements, Judge Illston held that the confidential witness statements on which the plaintiff sought to rely in support of these allegations were insufficient to support the allegations that the company was not properly securing its administrative tools or that it failed to require sub-processors to comply. She also said that it was not clear what the statements on which the plaintiff sought to rely were actually referring to. She held that the allegations as pled were insufficient to support the allegation that the company statements on which the plaintiff sought to rely were false and misleading.
Third, with respect to the company’s March 2022 risk disclosure in which the company said that a cybersecurity incident at the company could harm the company’s reputation or disrupt its operations, and which the plaintiff claimed was misleading because the hypothetical harm to which the disclosure alluded had already occurred, Judge Illston held that the allegations were insufficient to state a claim because the plaintiff presented no allegations that the defendants were aware of the January 2022 incident at the time of the March 2022 risk disclosure. Judge Illston also said that the allegations of scienter with respect to this statement were “lacking.”
Finally, with respect to the plaintiff’s allegations made in reliance on the company’s alleged failure to fully disclose the impact of the incident on customer sales and contracts, Judge Illston held that the plaintiff’s allegations were insufficient to establish that the statements were false when made because they were insufficiently detailed about how much business allegedly was lost and when.
While Judge Illston fully granted the defendants’ motion with respect to the plaintiffs’ cybersecurity-related allegations, it should be duly noted that Judge Illston did also grant the plaintiff leave to file an amended complaint in order to seek to remedy the shortcomings she found in the complaint. It remains to be seen if the plaintiffs will succeed in presenting amended allegations sufficient to survive a renewed dismissal motion.
That said, Judge Illston’s rulings in this case are consistent with the overall track record plaintiffs generally have experienced in cybersecurity-related securities class action lawsuits. Dismissal motions have been granted in a number of high-profile cybersecurity-related securities suits, such as, for example, the Capital One data breach-related securities class action lawsuit; the court granted the motion to dismiss in that case last September (as discussed here). In addition, last year, appellate courts affirmed the dismissal motion grants in the Zendesk and Marriott cybersecurity securities class action lawsuits (as discussed here and here, respectively).
Despite these and other dismissals in cybersecurity-related securities suits, plaintiffs’ lawyers have continued to file cyber-related securities suits; for example, and as discussed here, at the end of March 2023, a shareholder plaintiff filed a cybersecurity-related securities class action lawsuit against Dish Networks.
One possible reason for the continued interest in these cases is that the courts’ apparent propensity to grant dismissal motions in these kinds of cases is not uniform. For example, and as noted here, in April 2022, the cybersecurity-related securities suit that had been filed against SolarWinds survived the dismissal motion; the case subsequently settled for $26 million. Indeed, the $149 million settlement in 2020 in the Equifax data breach-related securities suit by itself arguably provides the plaintiffs’ lawyers with enough incentive to continue to try to pursue these cases.
The plaintiffs’ lawyers’ interest in these kinds of cases in general is continuing, and indeed there is sufficient interest in this case in particular that even after Judge Illston’s ruling, on April 14, 2023, a different set of plaintiffs’ lawyers filed a separate shareholder derivative lawsuit in the Northern District of California, presenting proxy misrepresentation claims and breach of fiduciary duty claims against Okta’s board, based on the same allegations as involved in the securities class action lawsuit, including in particular the cybersecurity incident-related allegations. A copy of the shareholder derivative lawsuit can be found here.