It’s become almost routine. A public company suffers a data breach at the hands of hackers, its stock price slides and the securities fraud class action lawsuits pile on.
As we recently reported, it’s a new trend in securities fraud class actions. Shareholders claim that public companies have improperly inflated their stock value either by failing to timely disclose data security incidents or latent vulnerabilities that rendered the company’s systems susceptible to a cyberattack.
These securities fraud class actions only add to the costs public companies incur after a data breach. So, what sort of exposure should companies expect from these class actions?
In the first notable resolution of a data breach-related securities fraud case, a federal court has preliminarily approved Yahoo!’s $80 million settlement based on multiple hacking incidents. As we reported, Yahoo! suffered two cyber-attacks in 2013 and 2014, which compromised the personal information of billions of users. Yahoo!, however, did not publicly disclose the breaches until late 2016, which opened up the company to a slew of critics, including Congress.
The first securities fraud class action by a shareholder against Yahoo! was filed in January 2017. The case was later consolidated with another similar action. The shareholders alleged in their complaint (which was amended after consolidation) that Yahoo!’s public filings touted the company’s robust systems and procedures in place to guard against and respond to data security incidents, including a promise that the company would publicly disclose any breach soon after it was discovered. In fact, the shareholders alleged, Yahoo!’s executives knew that the company “was employing grossly outdated and substandard information security methods and technologies, which had resulted in two of the largest data security breaches in history.” Yahoo! also failed to timely disclose two additional breaches in 2015 and 2016, the plaintiffs claimed. Once the previously undisclosed breaches were revealed, Yahoo!’s stock plummeted more than 30%, according to the plaintiffs. The plaintiffs, therefore, argued that they incurred substantial losses when they purchased Yahoo! stock at prices that were artificially inflated by the lack of disclosure.
A year after the case was first filed, in January 2018, the parties agreed to settle for $80 million. In their court papers seeking approval of the settlement, the plaintiffs said that the $80 million figure represented between 10.5% to 34% of the total possible damages that could be recovered had the action proceeded to trial, depending on which analytical model to calculate damages would be used. The damage models were on based the hit to the company’s stock price after the breach disclosure. It was also premised on the court accepting the plaintiffs’ allegations as to the timing of Yahoo!’s knowledge of the breaches, which was a disputed issue.
The court preliminarily approved the settlement in May 2018. Now, other shareholders who are included in the class (as defined by the settlement agreement) have an opportunity to lodge any objections. The court will decide whether to accept the agreement — and therefore bind all shareholder class members — in September.
Because data security-related securities fraud class actions are a new development, courts have not yet had an opportunity to provide guidance on a number of key issues including, as we have discussed, what types of disclosures in public filings of data security risk are enough to insulate a company from plausible misrepresentation claims. Depending on how these issues are handled in the future, the ultimate value of these cases to the plaintiff’s bar may rise or fall. A number of similar cases remain pending, and we’ll be watching them closely.
