One of our cyber predictions for 2018 was that class action securities cases are going to become a major issue for companies involved in cyber events.
Large-scale data breaches often give rise to a variety of legal problems for the affected company, ranging from consumer class action litigation to congressional inquiries and state attorney general investigations. As we have discussed previously elsewhere, an additional emerging risk for breached companies is federal securities class action litigation. On Wednesday, we saw a variation on these cases in a new securities litigation filed against Intel Corporation following disclosure earlier this month not of a breach, but of a feature that makes the processor chips it manufactures potentially vulnerable to hacking.
The complaint alleges that Intel made false and misleading statements about the strength of the security of its chips and that (1) the revelation of these previously unreported security flaws—referred to as “Meltdown” and “Spectre”—and (2) the updates necessary to address them (which may affect the speed of Intel’s chips) caused Intel’s share prices to fall. The complaint also alleges that Intel’s CEO, Brian M. Krzanich, learned about the flaws months before the information became public and that he sold millions of dollars’ worth of shares after learning of the design flaw, but before the information was disclosed. The company has stated that Mr. Krzanich sold $39 million worth of stock (netting approximately $25 million in profits) pursuant to a “pre-arranged stock sale plan with an automated sale schedule.” Plaintiffs allege, however, that the large transaction, as compared to prior trades, is suspicious.
The Intel securities complaint is yet another indication that plaintiffs’ law firms are turning to securities litigation as an avenue to pursue claims in the cybersecurity context, where disclosure of security weaknesses or actual breaches leads to a decline in a company’s stock price. Wednesday’s securities complaint against Intel follows five other cases filed in response to public disclosure of the Meltdown and Spectre security flaws. Those other lawsuits were filed in California, Indiana, New York, and Oregon, and claim that Intel violated state consumer protection laws, including deceptive trade practice statutes, warranty laws, and tort laws.
We will continue to monitor class action securities cyber cases in general, and the Intel case in particular, and will provide updates here on any notable developments.