Here at The D&O Diary, we track new securities class action lawsuit filings to identify emerging litigation trends and to track filings that reflect existing trends. Every now and then, we spot new suits that reflect multiple different trends in a single complaint. A new securities lawsuit filed earlier this week against Chinese online retailer PDD Holdings (formerly known as Pinduoduo) is an example of one of these multi-trend suits. As discussed below, the lawsuit shows how privacy-related issues, cybersecurity issues, and geopolitical issues can translate into securities class action litigation. A copy of the August 13, 2024, complaint against PDD can be found here.

Background

PDD Holdings owns and operates ecommerce platforms. The company was known as Pinduoduo until February 2023, when it changed its name to PDD. PDD is a Grand Cayman company with its headquarters in Ireland. The company operates the Pinduoduo platform in China. In September 2022, the company launched Temu, based in Boston, as a service to ship goods directly to consumers from Chinese factories.  PDD’s American Depositary Shares trade on Nasdaq.

The recently filed securities complaint contains lengthy block quotations from the company’s various SEC filings addressing the company’s commitment to data protection and cybersecurity, and to the privacy of its customers’ data. The company filings stated the company’s commitment to compliance with laws regarding the collection and use of personal information. The company stated that it had adopted and implemented strict security policies and measures to protect customer data. The statements from the SEC filings also include extensive quotations identifying risks to the company from changing international trade policies of the U.S. and of other countries. Among other things these statements about international trade included the statement that the company strives to comply with applicable trade requirements.

The complaint alleges that due to two sets of adverse news reports about the company and its operations, the company’s share price has declined. The first set of reports, which began in March 2023, include news stories stating that the company’s apps exploited Android system vulnerabilities to install backdoors and gain unauthorized access to user data. The reports said that the Pinduoduo app can bypass users’ cell phone security to monitor activity in other apps, check notifications, read private message, and change settings. One report quoted a cybersecurity expert as saying that the company “has taken violations of privacy and data security to the next level.” The complaint also notes that in June 2024, the Arkansas Attorney General launched a lawsuit against Temu for violations of the Arkansas Deceptive Trade Practices Act in connection with the platform’s alleged use of malware and spyware.

The second set of news report, which began in June 2023, reflected stories that the company had failed to take sufficient steps to prevent the import to the U.S. of products from Xinjiang produced through forced labor in factories and mines. A report of a U.S. House of Representatives committee accused the company of providing “an unchecked channel that allows goods made with forced labor to flow into the United States.” The stories contained quotations from politicians and others saying that the company may be in violation of the Uyghur Forced Labor Protection Act (UFLPA).

The complaint alleges that as these news reports emerged, the company’s share price declined.

The Lawsuit

On August 13, 2024, a plaintiff shareholder filed a securities class action lawsuit in the Eastern District of New York against PDD and certain of its executives. The complaint purports to be filed on behalf of a class of investors who purchased the company’s ADSs between April 30, 2021, and June 25, 2024.

The complaint alleges that during the class period, the defendants failed to disclose that: “(1) PDD’s applications contained malware, which was designed to obtain user data without the user’s consent, including reading private text messages; (2) PDD has no meaningful system to prevent goods made by forced labor from being sold on its platform, and has openly sold banned products on its Temu platform; (3) the foregoing subjected the Company to heightened risk of legal and political scrutiny; and (4) as a result, Defendants’ statements about its business, operations, and prospects, were materially false and misleading and/or lacked a reasonable basis at all relevant times.”

The complaint alleges that the defendants violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. The complaint seeks to recover damages on behalf of the plaintiff class.

Discussion

It could be argued that this new lawsuit is about the extraordinary adverse publicity that has surrounded the company since early 2023, stoking outrage about two different sets of scandals. At one level, the securities suit is about the company’s statements concerning its compliance with privacy, security, and forced labor laws; at another level, however, it is about specific actions the company took or failed to take, including its alleged installation of malware on its customers’ devices and its alleged failure to take steps to ensure that products sold on its platform were not the product of forced labor.  

The allegations against the company in this complaint cut across a wide range of securities class action trends. First, the company involves allegations pertaining to privacy. As I have stated in numerous prior posts (for example, here), I have long thought that the potential for privacy-related claims may be among the most important emerging D&O liability exposures. Indeed, privacy issues have been at the heart of a host of recent corporate and securities lawsuits, including, by way of example, the Alphabet/Google+ lawsuit that settled earlier this year for $350 million (as discussed here). This new lawsuit highlights the ways in which privacy related issues can translate into litigation. Indeed, part of the emotional weight of this lawsuit comes from the outrageous sense of violation of its customers’ privacy.

Second, while this lawsuit undoubtedly arises in significant part from privacy related issues, at the same time it also arises in significant part out of cybersecurity issues. The allegations that the company deliberately installed malware intended to override security measures on their customers’ devices adds another layer of outrage. D&O claims arising out of cybersecurity issues typically involved alleged disclosures about cyber intrusions by hostile third-party actors; this case, by contrast, involves allegations that the defendant company itself was a hostile actor actively using malware to circumvent cybersecurity controls. Thus, while this lawsuit unquestionably is in significant part cybersecurity-related, it involves very different kinds of cybersecurity allegations than have the type of allegations that have made their way into D&O lawsuit.

Third, with respect to the complaint’s allegations that the company is failing to take sufficient steps to ensure that products sold on its platform were not made by forced labor, this new complaint represents an example of how geopolitical concerns can translate into D&O claims risks. As I have noted in prior posts (for example, here), in a complex world in which two hot wars are ongoing and superpower tensions are at their highest point in decades, geopolitical risks represent an important part of the environment in which all companies must operate. International trade issues can be particularly fraught, especially these days for companies doing business in or with China. I have previously noted (for example here) securities suits arising from enforcement of trade and export controls.

Finally, and again with respect to the allegations concerning the company’s alleged failure to take steps to ensure that the company was not selling on its platforms products made by forced labor, I note that this new lawsuit is also an ESG-related lawsuit – that is, the complaint’s allegations about the company’s alleged failure to comply with anti-forced labor laws make this case a “S” case, in that it deals with the kinds of social issues that are encompassed within the ESG framework.

In most contexts, when people refer to ESG, they usually are talking about climate change. But the “S” pillar encompasses a host of other concerns unrelated to climate change. In the U.S., references to the “S” pillar are usually related to DEI issues (diversity, equity, and inclusion). But the “S” pillar encompasses so much more beyond DEI, including, for example, child labor laws, conflict mineral laws, and human trafficking concerns. The “S” pillar also encompasses anti-forced labor laws, such as the Uyghur Forced Labor Protection Act, meaning that along with everything else, this new lawsuit is also an ESG-related lawsuit.

Many readers undoubtedly are familiar with Bloomberg columnist Matt Levine’s oft-quoted quip that “Everything, Everywhere is Securities Fraud.” With that famous quote as context, I have to say that to me this new suit feels like everything everywhere in one securities class action complaint.