This article was originally published in the April 2018 issue of New Jersey Lawyer, a publication of the New Jersey State Bar Association, and is reprinted here with permission.
Despite focused media coverage and a steady increase in the number of data breaches involving public companies, there has not been a corresponding increase in shareholder securities fraud and shareholder derivative claims related to such breaches. A closer look at court decisions addressing such claims reveals a number of significant obstacles associated with pursuing a securities fraud or derivative claim arising from a data breach. These obstacles include: lack of standing, lack of causation, inability to prove scienter, failure to satisfy the demand/futility requirement, and an inability to overcome the business judgment rule. As a result, the predicted uptick in securities fraud and derivative litigation has not occurred.
This article discusses some of the more recent securities fraud and derivative actions arising from data breaches, and highlights why parties have faced difficulties in pursuing those claims.
Securities Fraud Claims Arising from Data Breaches
One of the most frequently asserted claims for securities fraud arises under Section 10(b) of the Securities Exchange Act of 19341 and Securities and Exchange Commission Rule 10b-5.2 In order to advance a claim for securities fraud under Section 10(b) and Rule 10b-5, a plaintiff must establish a defendant: “(1) made misstatements or omissions of material fact; (2) with scienter; (3) in connection with the purchase or sale of securities; (4) upon which plaintiffs relied; and (5) that plaintiffs’ reliance was the proximate cause of their injury.”3 In the context of a data breach, a claim could arise when a party makes material public statements about its internal privacy and security policies and network security capabilities and those statements are ultimately determined to be knowingly false and result in damages to an investor. Damages generally would arise from an investor’s reliance on those statements to purchase the company’s stock and a significant stock drop in close proximity to a data breach.
The difficulty with pursuing a securities fraud claim arising from a data breach is illustrated by the United States District Court for the District of New Jersey’s decision in In re Heartland Payment Systems, Inc. Securities Litigation.4 In Heartland, shareholders brought a putative securities fraud class action against Heartland and its chief executive officer and chief financial officer following Heartland’s public announcement that it was the victim of a data breach. After the announcement, Heartland’s stock dropped by approximately 80 percent.
The data breach in question involved a criminal SQL injection attack that occurred in Dec. 2007, but was not discovered and publicly announced by Heartland until Jan. 2009. In the interim, Heartland made public statements about its computer network security capabilities and the attention that management was devoting to security. Plaintiffs who purchased Heartland stock in 2008 alleged the defendants violated Sections 10(b) and 20(a) of the act5 by misrepresenting the state of Heartland’s computer network security in statements made during earnings conference calls in 2008 and in Heartland’s 2007 Form 10-K report.6 Among other things, the plaintiffs alleged the defendants concealed the data breach and made affirmative statements that Heartland had adequate security systems in place and treated the issue of computer network security very seriously.7 The plaintiffs claimed the statements about Heartland’s network security were fraudulent because the defendants knew Heartland had poor computer security and failed to remedy the problem.8
In response to the complaint, the Heartland defendants filed a motion to dismiss, arguing the plaintiffs did not allege material misrepresentations or omissions concerning the state of Heartland’s computer network security, and failed to allege scienter to sustain any such claims. The court agreed, and dismissed the claims with prejudice. The court found the statements the plaintiffs identified as fraudulent did not paint a misleading picture of Heartland’s network security. The court noted that there was nothing inconsistent between the defendants’ statements about network security and the fact that Heartland had suffered an SQL injection attack.9 Accordingly, the court held the defendants’ statements concerning Heartland’s security systems were not misleading.10 The court also found that because the defendants lacked knowledge of security problems or the SQL injection attack at the time the statements were made, they “could not have acted with the requisite culpability when they claimed that Heartland was taking the issue of data security seriously.”11 The court found this absence of scienter provided an independent basis for dismissal.12 Notably, and underscoring the difficulty with securities fraud cases, the court noted that the existence of a security breach alone did not demonstrate that Heartland failed to “place significant emphasis on maintaining a high level of security.”13
The inability to establish a material misrepresentation or omission, coupled with scienter, highlights some of the obstacles associated with pursuing a securities fraud claim related to a data breach. While the facts in Heartland may have appeared strong on the surface (i.e., public statements about security, a cyberattack and a significant stock drop), when scrutinized they could not establish the necessary elements to advance the claims past the motion to dismiss stage.
In 2011, after Heartland was decided, the Securities and Exchange Commission (SEC) issued guidance emphasizing the importance of cybersecurity disclosures.14 The SEC guidance makes clear that public companies must disclose their history of cyberattacks and information to “provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant.” In 2014, in the wake of data breaches suffered by major retailers and financial institutions, the commission made the risks of cyberattacks to public companies a priority as part of its routine exams of SEC-regulated entities. For example, the SEC sponsored a cybersecurity roundtable discussion to underscore the importance of protecting market systems and customer data from cyber threats.15 This regulatory attention helped focus public companies’ attention on cybersecurity and disclosures, and helped enhance their efforts to address cyber threats and mitigate exposure to claims.
Since the decision in Heartland and the subsequent regulatory focus on cybersecurity, there have not been a significant number of published decisions analyzing securities fraud claims premised on an underlying data breach. Nevertheless, Yahoo! and Equifax, Inc. are currently involved in securities fraud class action lawsuits that followed each company’s announced data breach. For example, in Jan. 2017, shareholders filed a securities class action lawsuit in the Northern District of California against Yahoo! and certain of its directors and officers relating to the company’s data breaches that were first reported in 2016.16 The breaches in question first occurred in 2013 and 2014 and involved hackers obtaining data from more than 1.5 billion accounts. In their complaint, the plaintiffs alleged the defendants made false or misleading statements or failed to disclose that: “(i) Yahoo failed to encrypt its users’ personal information and/or failed to encrypt its users’ personal data with an up-to-date and secure encryption scheme; (ii) consequently, sensitive personal account information from more than 1 billion users was vulnerable to theft; (iii) a data breach resulting in the theft of personal user data would foreseeably cause a significant drop in user engagement with Yahoo’s websites and services; and (iv) as a result, Yahoo’s public statements were materially false and misleading at all relevant times.”17 The complaint further alleged that following Yahoo!’s data breach disclosure in Sept. 2016, the company’s stock price declined 3.06 percent, and following the Dec. 2016 disclosure the company’s share price declined 6.11 percent.18 The plaintiffs alleged that Yahoo!’s officers and directors acted with scienter “in that they knew that the public documents issued or disseminated in the name of Yahoo were materially false and misleading; knew that such statements or documents would be issued or disseminated to the investing public; and knowingly or substantially participated or acquiesced in the issuance or dissemination of such statements or documents as primary violations of the securities laws,” in order to attempt to satisfy the scienter requirement for the Section 10(b) and Rule 10b-5 claim.
Yahoo! responded to the complaint by filing a motion to dismiss under Federal Rule of Civil Procedure 12(b)(6), based on the plaintiffs’ failure to plead a misrepresentation or scienter. The district court recently permitted the plaintiffs to file a second amended complaint, and delayed any hearing on a motion to dismiss until May 2018. Although the Yahoo! securities litigation seems curious given the fact that the alleged stock drop in question was between three and six percent, the plaintiffs also alleged the data breaches impacted Verizon’s planned acquisition of Yahoo!, which may further impact the value of the alleged damages.
In Sept. 2017, Equifax announced it discovered a cybersecurity breach on July 29, 2017, that potentially impacted the personal identifying information of more than 143 million consumers.19 On the same day Equifax announced the breach, Bloomberg reported Equifax’s SEC filings revealed the company’s executives had sold shares or exercised options to dispose of stock a few days after the cybersecurity breach was discovered. Equifax claimed none of these executives were aware of the data breach at the time they sold their shares or exercised their options. Nevertheless, within a few days of the announcement, a shareholder securities class action was filed in the Northern District of Georgia against Equifax’s officers and directors.20
The complaint alleges the defendants issued materially false or misleading statements or failed to disclose that “(1) the Company failed to maintain adequate measures to protect its data system; (2) the Company failed to maintain adequate monitoring systems to detect security breaches; (3) the Company failed to maintain proper security systems, controls and monitoring systems in place; and (4) as a result of the foregoing the Company’s financial statements were materially false and misleading at all relevant times.” The complaint also alleges that following disclosure of the breach, Equifax’s shares immediately fell by nearly 17 percent, and their value has dropped further since. Equifax has not yet filed its response, and the litigation remains pending.
Only time will tell if shareholders of public companies will find success in asserting securities fraud class actions following the public announcement of a data breach. The pleading deficiencies highlighted in the Heartland decision, together with relatively insignificant drops in stock prices that have arisen in the face of a data breach, have kept the number of securities fraud class action filings in check. However, that may change if shareholders were to achieve some success in the securities class actions that are pending and as cyber threats and corresponding losses from a cyberattack continue to increase.
Shareholder Derivative Suits Arising from Data Breaches
Shareholder derivative suits premised on a company’s exposure to an underlying cyberattack also have not been as prevalent as many had predicted. The obstacles associated with pleading the demand/futility requirement and in establishing the high standard to impose liability on directors for lack of oversight of a company’s data and security function have proven too cumbersome for plaintiffs. The demand/futility requirement is set forth in Federal Rule of Civil Procedure 23.1 and Rule 4:32-5 of the New Jersey Rules of Court. Generally speaking, as a prerequisite to permitting a shareholder to assert claims derivatively on behalf of a corporation, the rules, among other things, require the shareholder to allege “with particularity” that a demand was made on the board or comparable authority to take a desired action, or in the absence of a demand allegations explaining why the demand was excused for futility.21
The standard governing breach of duty of loyalty claims involving inadequate director oversight was articulated in the Delaware Court of Chancery’s decision in In re Caremark Int’l.22 In Caremark, the court “recognized that: ‘where a claim of directorial liability for corporate loss is predicated upon ignorance of liability creating activities within the corporation...only a sustained or systematic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists—will establish the lack of good faith that is a necessary condition to liability.’”23
With these two standards in mind, two cases involving data breaches highlight the obstacles shareholder derivative suits face.
In Palkon v. Holmes, et al., the court analyzed a shareholder derivative action following Wyndham Worldwide Corporation’s public announcement that it was the victim of three data breaches that took place over the course of a three-year period between April 2008 and Jan. 2010.24 The plaintiff shareholder asserted claims for, among other things, breaches of the fiduciary duties of care and loyalty, corporate waste, and unjust enrichment against certain Wyndham officials who allegedly were responsible for failing to implement a system of internal controls to protect customer personal and financial information, causing or allowing the company to conceal the data breaches from investors, and failing to conduct a reasonable investigation of the breaches.25 The crux of the complaint was that Wyndham routinely collected customer personal and financial information, but failed to “implement adequate internal controls designed to detect and prevent repetitive data breaches,” which resulted in the theft of sensitive customer personal and financial data and exposure to a Federal Trade Commission (FTC) enforcement action.26
In response to the complaint, the defendants moved to dismiss based primarily on the fact that the complaint failed to allege a demand on the board to proceed with a derivative suit. The defendants argued the plaintiff failed to plead any particularized facts: 1) sufficient to overcome the business judgment rule; 2) to show the board’s decision to refuse his demand was based on an unreasonable investigation; or 3) that the board acted in bad faith in denying the demand.27 The plaintiff opposed the motion on the basis that the board’s decision not to bring suit was not protected by the business judgment rule because the: 1) investigation into the demand was performed by conflicted outside counsel due to the same counsel’s representation of Wyndham in the FTC action; 2) board wrongfully refused the demand by relying on the advice of Wyndham’s general counsel because he faced personal liability as a result of the cyberattacks; and 3) board’s decision was predetermined.28
The court ultimately issued an opinion granting the defendants’ motion and dismissing the plaintiff’s claims with prejudice.29 The court found the board’s refusal to pursue the plaintiff’s demand was a “good-faith exercise of business judgment, made after a reasonable investigation.”30 The court further concluded the plaintiff failed to demonstrate any conflict with outside counsel or Wyndham’s general counsel. Regarding outside counsel, the court found the firm did not have multiple, conflicting duties, as it was always obligated to act in Wyndham’s best interest.31 The court also found there were no allegations that the demand exposed Wyndham’s general counsel to any liability because the demand failed to name him as a responsible party.32 Additionally, the court noted that the subject matter of the demand was not an area with which the general counsel would likely be associated, as he served as a legal advisor not as a technology or security official overseeing network security.33
Turning to the investigation, the court noted that prior to receipt of the plaintiff’s demand letter, the board of directors had already discussed the cyberattacks at 14 separate meetings, Wyndham’s audit committee discussed the issues during at least 16 meetings, and the board’s understanding previously had been developed as a result of the FTC action and was also guided by its receipt and subsequent investigation of an earlier “virtually identical” demand letter.34 Thus, the court found that “[t]hese earlier investigations, standing alone, would indicate that the Board had enough information when it assessed Plaintiff’s claim.”35 Nonetheless, the board took the additional step of specifically discussing the plaintiff’s demand and unanimously voting not to pursue it. As a result, the court held that Wyndham’s board “had a firm grasp of Plaintiff’s demand when it determined that pursuing it was not in the corporation’s best interest.”36 Although not the basis for dismissal, the court also noted the merits of the plaintiff’s breach of fiduciary duty claims would be governed by the Caremark standard, and the board was free to consider the potential weaknesses of the claims when assessing whether to pursue the lawsuit.37
The Wyndham decision reveals the difficulty with meeting the demand/futility requirement. When an independent committee is constituted to investigate a demand and make an informed recommendation, such decisions are generally protected by the business judgment rule, as was the case in Wyndham. Further, Wyndham recognizes that a board of directors can consider the merits of any potential claims when deciding whether to pursue them, and when the claims involve a lack of oversight, the board of directors can assess those claims under the high standard for breach of loyalty claims articulated in Caremark. Finally, Wyndham recognizes that director liability for a data breach can be minimized when a board of directors holds meetings to address data breaches or attacks, engages forensic technology consultants to assess risks, engages outside counsel to advise the company on related legal issues, and takes necessary remedial measures to address the breach and minimize exposure.
In re Home Depot S’holder Derivative Litig. is a more recent case addressing a shareholder derivative suit arising from a data breach.38 In Home Depot, the company publicly confirmed it was the victim of a breach of its payment card processing systems that enabled hackers to steal data of 56 million customers between April and Sept. 2014. The hack of the payment data systems occurred through use of a third-party vendor’s credentials, and was similar in manner to prior well-publicized data breaches involving Target and Neiman Marcus. Approximately one year after the breach occurred, Home Depot reported its net costs associated with the breach were $152 million.39 Thereafter, shareholders filed derivative complaints against a number of current and former Home Depot officers and directors. The plaintiffs alleged the defendants breached their duty of loyalty to Home Depot by failing to institute sufficient internal controls to address the risks of a breach and by disbanding a board committee tasked with oversight of data security.40 The defendants responded to a consolidated complaint by filing a motion to dismiss under Rules 12(b)(6) and 23.1(b)(3) of the Federal Rules of Civil Procedure. In analyzing the breach of duty of loyalty claim, the court applied the standard articulated in Caremark, noting the plaintiffs must demonstrate the directors either “‘knew they were not discharging their fiduciary obligations or that the directors demonstrated a conscious disregard for their responsibilities such as by failing to act in the face of a known duty to act.’”41 The court noted further that when added to the general demand/futility requirement, the plaintiffs essentially need to demonstrate with particularized facts that a majority of Home Depot’s board of directors faced substantial liability because it consciously failed to act in the face of a known duty to act.42
Turning to the plaintiffs’ allegations, the court found the alleged disbanding of a board committee with oversight of data security was insufficient to plead a duty of loyalty claim.43 The court reasoned that the complaint detailed numerous instances where Home Depot’s audit committee received regular reports and briefings on Home Depot’s data security.44 The court found these facts alone demonstrate the board of directors fulfilled its duty of loyalty to ensure a reasonable system of oversight over data security existed.45 The court also found the plaintiffs’ allegations concerning the failure to institute internal controls to be insufficient.46 In this regard, the court noted that Home Depot had a plan in place to immediately remedy data security deficiencies.47 The court found that even if the existing plan had not been implemented as speedily as the plaintiffs claimed, such circumstances still would not equate to a breach of duty of loyalty.48 The court reasoned that under Delaware law, directors violate their duty of loyalty only “if they knowingly and completely failed to undertake their responsibilities.”49
The plaintiffs responded to the dismissal of the complaint by filing an appeal with the 11th Circuit Court of Appeals. In April 2017, while the appeal was pending, the plaintiffs and Home Depot entered into a settlement whereby Home Depot agreed to adopt certain cybersecurity-related corporate governance reforms and pay up to $1,125,000 in attorneys’ fees and expenses to plaintiffs’ counsel.
The decisions in Wyndham and Home Depot reveal a high bar for pursuing derivative claims arising from failure to oversee cybersecurity. These decisions support the conclusion that there must be a sustained or systematic failure of a board of directors to exercise oversight in order to establish a lack of good faith that would give rise to director liability. This standard is a very high hurdle to overcome because it essentially requires a board to be asleep at the wheel. This was not the case in either Wyndham or Home Depot, and both cases serve to support proactive defendants who face derivative suits arising from a data breach.
Even though securities fraud and shareholder derivative claims have not been as prevalent as expected in the wake of the increase in the number of data breaches that occur each year, corporate directors and officers should nevertheless continue to be vigilant in the important roles they play in overseeing their organization’s data privacy and security functions. Significant corporate assets exist in the form of data and technology, and threats to these assets through a data breach will continue to increase. As more and more data breaches occur, the actions of individual directors and officers will be scrutinized. This undeniable ‘new normal’ underscores the importance of ensuring the implementation of a robust security system; the adoption of (and adherence to) policies and procedures that comply with international, federal, state and local laws; the retention of knowledgeable professionals—both legal and technical; and the importance of board-level deliberations and remedial efforts on cybersecurity.
1 15 U.S.C. § 78j(b).
2 17 C.F.R. § 240.10b-5.
3 Weiner v. Quaker Oats Co., 129 F.3d 310, 315 (3d Cir. 1997).
4 2009 U.S. Dist. LEXIS 114866 (D.N.J. Dec. 7, 2009).
5 15 U.S.C. § 78a et seq.
6 Id. at *5.
9 Id. at *14.
10 Id. at *20.
11 Id. at *22.
13 Id. at *14.
14 See https://www.sec.gov/divisions/corpfin/guidance/cfguidancetopic2.htm (last visited Jan. 3, 2018).
15 See https://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert—Appendix—-4.15.14.pdf (last visited Jan. 3, 2018).
16 In Re Yahoo! Inc. Securities Litigation, No. 5:17-cv-00373 (N.D. Cal. Jan. 24, 2017).
17 In Re Yahoo! Inc. Securities Litigation, Complaint, ¶ 5.
18 Id., at ¶¶ 7, 10.
19 See https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628 (last visited Jan. 3, 2018), https://www.bloomberg.com/news/articles/2017-09-07/three-equifax-executives-sold-stock-before-revealing-cyber-hack (last visited Jan. 3, 2018).
20 Kuhns v. Equifax Inc., et al., No. 1:17-cv-03463 (N.D. Ga. Sept. 11, 2017). Kuhns has since been consolidated with several other related suits, including Brock v. Equifax, Inc., No. 1:17-cv-04510 (N.D. Ga.) and Groover v. Equifax, Inc., No. 1:17-cv-04511 (N.D. Ga.) which were transferred from the Southern District of New York. These consolidated cases are now captioned as In Re Equifax Inc. Securities Litigation, No. 1:17-cv-03463 (N.D. Ga. 2017).
21 In re Prudential Ins. Co. Litig., 282 N.J. Super. 256, 275 (Ch. Div. 1995).
22 698 A.2d 959, 971 (Del. Ch. 1996).
23 Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006) (quoting In re Caremark, supra at 971); see also Palkon v. Holmes, et al., 2014 U.S. Dist. LEXIS 148799, *15, n.1 (D.N.J. 2014) (discussing Caremark standard in the context of director liability for a data breach).
24 2014 U.S. Dist. LEXIS 148799 (D.N.J. Oct. 20, 2014).
25 Id. at *5.
26 Id. at *2, 5.
27 Id. at *6.
29 Id. at *8.
31 Id. at *10.
32 Id. at *11-12.
34 Id. at *13.
35 Id. at *14.
36 Id. at *16.
37 Id. at *15, n.1.
38 223 F. Supp. 3d 1317 (N.D. Ga. 2016).
39 Id. at 1321.
41 Id. at 1325 (citations omitted).
43 Id. at 1325-26.
44 Id. at 1326.
46 Id. at 1326-27.
49 Id. at 1326.
The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.