Appropriate cybersecurity disclosures can reduce the risk of securities class actions following a data breach.  We have written recently on the rise of these cases, including the Intel case and the Yahoo! $80 million settlement.  We have also been closely watching the Equifax case.  The recently filed motion to dismiss the consolidated complaint and plaintiffs’ opposition offer some insight into the future of these kinds of class actions.

On September 7, 2017, Equifax announced that it had suffered a major data breach affecting over 145 million U.S. consumers, after which its share price dropped $30.25, or 25%, over the following six days of trading.  The breach resulted in significant public scrutiny.  Indeed, by the time plaintiffs filed the operative consolidated class action complaint on April 28, 2018, they had a trove of materials to draw upon in crafting their allegations, including Congressional testimony by former senior Equifax executives and numerous investigative media reports that purported to provide insider accounts of the problems with Equifax’s cybersecurity procedures and the extent to which the company and specific senior executives were aware of them.  Plaintiffs alleged that Equifax and the individual defendants made material misrepresentations regarding the steps the company was taking to protect consumer and customer data and falsely touted cybersecurity as a top company priority when, in fact, Equifax’s cybersecurity was seriously deficient; that Equifax ignored numerous warnings (including previous successful cyberattacks) regarding these deficiencies; and that Equifax failed to follow basic cybersecurity protocols and practices.

Equifax filed its motion to dismiss on June 7, 2018, arguing that plaintiffs failed to adequately plead (1) any materially false or misleading statements, (2) scienter as to any defendant, and (3) loss causation.  Equifax first argues that the alleged misstatements about its cybersecurity practices cannot give rise to liability because they were general statements of corporate optimism about Equifax’s commitment to cybersecurity, forward-looking statements protected by the PSLRA safe harbor provisions, or statements of opinion that do not fall within the Omnicare exceptions.  In essence, Equifax argues that plaintiffs have alleged, at most, inactionable corporate mismanagement.  Regarding scienter, Equifax argues that former senior executives’ ex post facto testimony about the company’s cybersecurity deficiencies does not establish what the former executives or the company knew at the time of the alleged misstatements, and that unsourced accounts in press reports about what the company or the individual defendants purportedly did know should be given no weight.  Finally, Equifax contends that none of the alleged disclosures were actually corrective of any of the alleged misstatements (i.e., nothing Equifax said after the breach revealed any earlier statement about its cybersecurity to have been false or misleading), and plaintiffs therefore failed to plead loss causation.

Plaintiffs’ opposition was filed on July 23, 2018.  Plaintiffs seek to defeat Equifax’s corporate mismanagement argument by contending that they are not suing Equifax for having failed to implement adequate cybersecurity measures, but for having misled investors about whether such measures were in place.  They argue that the alleged misstatements about the company’s cybersecurity go well beyond mere puffery and misrepresented present facts about the company.  Regarding scienter, plaintiffs focus on the cybersecurity reports and analyses that, according to press reports, were available to the company prior to the data breach.  On loss causation, plaintiffs contend that they have pleaded sufficiently to satisfy the Rule 8 standard because they allege that the truth “leaked out” as a result of the alleged disclosures and that a price decline resulted.

For companies looking to limit securities litigation risks associated with future cyber breaches, the Equifax complaint and motion to dismiss are instructive.  Prior to the breach, Equifax and the individual defendants made certain public statements about what Equifax was doing to prioritize or maintain cybersecurity that plaintiffs assert were more than mere expressions of corporate optimism.  This dynamic emphasizes the care companies should take in making public disclosures about the kinds of steps being taken to maintain cybersecurity in an environment where the risks are unpredictable and constantly evolving.

In addition, plaintiffs’ scienter allegations demonstrate the importance of having a well-considered plan for investigating, disclosing, and remediating a cyber breach.  Equifax made serial disclosures about the breach and its magnitude, beginning more than five weeks after the breach was discovered.  The consolidated complaint refers to these disclosures in detail in an attempt to allege that Equifax mishandled the remediation efforts, and that these alleged failures taint the company’s cybersecurity compliance in general.  This underscores the importance, for a company confronting a cyber breach, of having a well-developed, pre-existing cybersecurity compliance and incident-response plan, and of ensuring that any disclosures about its remediation efforts reflect compliance with that plan and progress through the plan’s prescribed steps.

Whether or not the Equifax complaint survives, more of these kinds of cases are likely to follow.  Particularly if the Equifax class action moves past the motion to dismiss, investors may come to anticipate that the announcement of a data breach will lead to costly securities class actions, increasing the likelihood that a company’s stock will drop on such news and thus creating a negative feedback loop that amplifies the risk that a securities fraud suit will, in fact, be filed.

It remains to be seen what post-Equifax cyber class action securities complaints will look like.  As companies become increasingly careful in their cybersecurity disclosures, it may be that future cases proceed on different theories.

Indeed, our expectation is that cyber class action cases will focus more on the post-breach-discovery period.  Plaintiffs’ opposition in Equifax will present the court with the opportunity to weigh in on the duties of a company to correct or update its previous statements about its cybersecurity in the wake of discovering a significant successful cyberattack, including how quickly it must do so.  Plaintiffs cite the SEC’s February 26, 2018 release regarding cybersecurity risks and incidents (Release Nos. 33-10459; 34-82746) for the proposition that an ongoing investigation of a cybersecurity event is not, by itself, a basis for avoiding disclosure of a material cybersecurity incident.  It will be interesting to see whether the court addresses this argument.  Questions regarding a company’s duty to update disclosures after a significant cyber event have only begun to be tested in the courts.

We are following these interesting developments and will provide updates on anything significant.  In addition, the Davis Polk Cyber Portal is now available to assist our clients in their efforts to prevent, detect, and respond to cyber events, including quickly assessing breach notification obligations.

The authors gratefully acknowledge the assistance of summer associate Molly Stein in preparing this entry.