As we have previously discussed, public companies face a variety of legal issues following large-scale data breaches, which increasingly include federal securities class action litigations. In the past few weeks, two new such actions were filed. One lawsuit was filed against Chegg, Inc., an education technology company that provides a direct-to-student online learning platform, following its disclosure of the fact that an unauthorized user had gained access to certain customer information. Another lawsuit was filed against Huazhu Hotels Group Ltd., a company that operates hotels in China, following media reports that a substantial amount of customer information was for sale on the dark web.
The complaint against Chegg, filed in the Northern District of California, asserts claims under Sections 10(b) and 20(a) of the Exchange Act and Rule 10b-5, and was filed on September 27, 2018, shortly after the company disclosed that it had learned just a few days earlier that certain customer data had been accessed by an “unauthorized party.” The complaint alleges that immediately following the disclosure of the cyber breach, the company’s share price fell approximately 12%. The complaint further alleges that the stock drop was caused by the revelation (1) of the company’s false and misleading statements about the adequacy of the security measures that it had put into place to protect customer’s data, (2) that the company lacked the internal controls and procedures that were necessary to detect unauthorized access to its systems and data, (3) that the company would incur additional expenses and litigation risks in light of the foregoing, and (4) that as a result, defendants’ statements about the company’s business, operations, and prospects were materially false, misleading, and/or lacked a reasonable basis.
The complaint against Huazhu was filed in the Central District of California and also asserts claims under Sections 10(b) and 20(a) of the Exchange Act and Rule 10b-5. Specifically, the complaint alleges that in the days following media reports that “nearly 500 million pieces of consumer-related information” belonging to Huazhu’s clients were available on the dark web, the price of Huazhu’s ADRs, which are listed on NASDAQ, declined by more than 4%, and continued to fall as the “news was absorbed by the market.” Like the Chegg complaint, the Huazhu complaint alleges that defendants made misleading statements about the adequacy of the company’s security measures to protect customer information, the level of litigation risk and expenses the company faced in light of its inadequate security measures, the risk that the Company might lose goodwill as a result of its inadequate security measures, and that for all of these reasons, the company’s statements about its business, operations, and prospects were false, misleading, and/or lacked a reasonable basis.
As with other similar complaints filed in this area, the Chegg and Huazhu complaints reflect attempts by plaintiffs’ firms to capitalize on cyber breaches by asserting that the disclosure of the breach led to a decline in an affected company’s stock price because the company’s statements about its cybersecurity were revealed to be untrue. The Huazhu complaint is particularly noteworthy because it reflects the reality that foreign companies may face U.S. securities class actions following a cyber breach if they are listed on U.S. exchanges.
We will continue monitoring developments in these cases and other class action securities cases relating to cyber issues, and will provide updates here on any notable developments.