For several years, cybersecurity has been a perennial D&O liability issue. Although there has never quite been the volume of cybersecurity-related D&O litigation that some anticipated, cybersecurity-related D&O claims do continue to arise. In the latest example, last week a plaintiff shareholder filed a securities suit against cloud data storage company Snowflake, alleging, among many other things, that the company failed to disclose shortcomings in its customer data security arrangements that allegedly allowed key customers to experience a data breach. There are a number of noteworthy aspects of this new complaint and its cybersecurity-related allegations, as discussed below. A copy of the plaintiff’s complaint can be found here.

Background

Snowflake is a cloud data storage company. It completed an IPO in September 2020. Beginning in 2022, several developments affected the company’s business operations and financial results. First, the company found it necessary to offer its largest customers pricing discounts. Second, the company experienced competition from alternative data storage technologies. Third, the company experienced changes in its customers’ usage of its products due to the company’s own software improvements.

In addition, in 2023, the electronic storage industry was hit with a series of data breaches. The securities complaint alleges that “roadblocks” in Snowflake’s “system architecture” limited the company’s ability to utilize “multi-factor authentication” (MFA) as a means to deter data breaches. The complaint alleges that the company and its executives “created a misimpression that customers were handling security, when in fact they had not been able to do so.”

The complaint further alleges that in late May and early June 2024, Snowflake’s “data security issues were revealed,” as “a major data breach hit many of Snowflake’s most prominent customers,” which negatively affected Snowflake’s share price. The securities complaint alleges that in the customers’ ensuing federal court litigation against Snowflake, Snowflake had attempted to argue that it lacked a duty to protect its customers against a data breach; the securities complaint alleges that these arguments were rejected.

The Lawsuit

On May 22, 2026, a plaintiff shareholder filed a securities class action complaint in the Northern District of California against Snowflake and certain of its executives. The complaint purports to be filed on behalf of investors who purchased the company’s securities between May 24, 2023, and June 10, 2024.

The complaint alleges that during the class period, the company was “hard-pressed to battle customer demands for discounts, new competitive technologies, and the effects on usage of its products resulting from its own software improvements.” The defendants, the complaint alleges, “failed to acknowledge the seriousness of these issues, and deceived investors by downplaying them.”


The complaint further alleges that Frank Slootman, the company’s CEO, had a “motive” to conceal this information, as, during the class period, Slootman established and traded shares in his personal holdings of company stock pursuant to a Rule 10b5-1 trading plan. The complaint alleges that Slootman traded $223 million worth of Snowflake stock in four trades in late 2023 and early 2024.

The complaint also alleges that on May 22, 2024, cybersecurity watchdog Mandiant notified Snowflake and law enforcement of an ongoing hacker campaign focusing on Snowflake customers. Several major customers confirmed they had been hacked. The company’s share price declined on this news. The complaint alleges that the price drops represented the “materialization of an undisclosed risk that flowed from Snowflake’s concealment of the degree of vulnerability and lack of precautions prevailing at Snowflake’s customers.”

The complaint alleges that “instead of frankly disclosing customers’ unpreparedness when it raised the issue of customer security, Snowflake misleadingly downplayed the matter by simply stating that the customer was (in its view) solely responsible for customer security.” Snowflake did not reveal that “major customers were unable to handle that responsibility, or that Snowflake’s systems actually impeded the adoption by customers of certain key security measures.” The company had reason to know of these shortcomings, and the defendants “thus concealed the nature and magnitude of this known risk and their security-related statements were misleading ‘half-truths.’”

The complaint alleges that the defendants violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. The complaint seeks to recover damages on behalf of the plaintiff class.

Discussion

This new lawsuit has only just been filed, and it remains to be seen how it will fare. However, it certainly can be said now that there are a number of unusual features to this complaint.

The first noteworthy thing about this complaint is its timing. The complaint purports to be filed on behalf of a class of investors who purchased the company’s securities between May 24, 2023 and June 10, 2024. The complaint was filed on May 22, 2026 – that is, just short of three years after the beginning of the class period. The filing of this suit does not exactly suggest a race to the courthouse. Even if the allegations in this suit are not time-barred, it certainly could be argued that the claims are a little stale.

Another noteworthy feature of this complaint is that it does not exactly reflect a precise rifle-shot approach to pleading. Instead, the complaint seems to reflect more of a scattershot approach. The complaint gripes about allegedly undisclosed customer discounts, changing technology, and changing customer usage patterns. There are even AI-related allegations; in paragraph 15, the complaint alleges that the company had ignored increased spending needed to accelerate Snowflake’s artificial intelligence initiatives. The defendants, the complaint alleges, “disregarded that the forecasted spend for this was previously understated.”

It is only after detailing all of these other alleged shortcomings that the complaint gets around to the alleged cybersecurity-related disclosure issues. And the cybersecurity-related disclosures are themselves distinctive in their own way. That is, the complaint does not allege that the company itself suffered a data breach; rather, the breach supposedly hit the company’s customers. And the breach is alleged to have occurred, at least in part, due to the customers’ own “lack of preparedness” and inability to “handle” the “responsibility” for customer security, as opposed to supposed shortcomings of Snowflake itself.  

To be sure, the complaint also alleges that “Snowflake’s systems actually impeded the adoption by customers of certain key security measures,” but even according to the complaint, the actual security issues that allowed the breaches to happen seem to have been on the customers’ systems. So the alleged securities law violation apparently is that Snowflake failed to disclose that its customers had security vulnerabilities, as well as that Snowflake’s system architecture impeded the resolution of the vulnerabilities.

All of that said, perhaps the most notable thing about this complaint for purposes of this blog post is that it does involve cybersecurity-related allegations. As I noted at the outset, there has been less cybersecurity-related D&O litigation than some observers (including me) had anticipated when cybersecurity emerged several years ago as a D&O issue.

There appear to be several reasons why there has been less cybersecurity D&O litigation than some expected. For starters, the claims that were filed were not as successful as the plaintiffs’ lawyers might have hoped. Also, these days share prices rarely react to data breach news, making cybersecurity cases less attractive for the plaintiffs’ lawyer.

The filing of this lawsuit – no matter how belated – does show that cybersecurity-related lawsuits do continue to be filed, and cybersecurity remains as an important potential source of D&O liability. As far as I know, this lawsuit is the first cybersecurity-related securities class action lawsuit to be filed so far in 2026. (Readers aware of other cybersecurity-related securities suit filings this year should please let me know.) This lawsuit filing comes after the filing last December of two cybersecurity suits (discussed in detail here), which as far as I know were the only two cybersecurity-related securities suits filed in 2025.

The bottom line is that while cybersecurity remains a continuing source of potential D&O liability, it has proven to be less of a factor than was originally anticipated when the issue first arose several years ago. It does remain as one of several standard issues on the list of concerns for corporate boards and management to watch and monitor, and likely will remain as one of the standard items of concern in the world of D&O liability.

One final note: the new securities complaint refers to the pending litigation that Snowflake’s customers filed against the company relating to the data breaches. Readers interested in learning more about this litigation, now pending in the District of Montana, will want to refer here.