As securities class actions are being filed at a slower pace over the past year, a few notable developments continued into the second quarter of 2021. In particular, the U.S Supreme Court clarified an important issue governing motions for class certification; the SPAC market plummets but the risk of securities-related litigation continues; and cybersecurity incidents in the U.S. continue to be a focus of securities related enforcement and litigation.
SCOTUS Creates Flexibility to Deny Class Certification in Securities Fraud Suits
Last month, the U.S. Supreme Court clarified an important issue governing motions for class certification in securities fraud litigation: whether the generic nature of a misrepresentation is relevant to price impact.1 The key takeaways included:
- The Supreme Court clarified its prior securities class-action decisions in Basic v. Levinson2, Halliburton Co. v. Erica P. John Fund, Inc.3 , and Amgen Inc v. Connecticut Retirement Plans and Trust Funds4 to hold that, when deciding whether a defendant has adequately rebutted the fraud-on-the-market presumption of class-wide reliance, trial courts must consider whether the generic nature of the alleged misstatements shows that they did not impact the price of the defendant’s stock.
- This ruling is particularly important for cases involving the “inflation-maintenance” theory, where the Court recognized that a sufficient “mismatch” between a generic misstatement and a specific disclosure will usually strengthen a defendant’s efforts to rebut the fraud-on-the-market presumption.
- Although the Supreme Court agreed with the Second Circuit that a defendant bears the burden of persuasion to disprove price impact at the class certification stage, the Supreme Court’s description of that burden will likely be much more favorable to defendants in practice.
Indeed, the Court’s key holding that lower courts must consider all potentially relevant evidence on a motion for class certification, regardless of whether particular facts typically relate to the merits, is likely to be an important tool for defendants in securities class actions. In particular, defendants in litigation concerning generic disclosures about business ethics or environmental, social and governance issues on an “inflation-maintenance” theory should carefully consider whether there may have been a “mismatch” between the alleged misrepresentation and the alleged “corrective disclosure,” as the Justices unanimously agreed that, holding all else equal, defendants are more likely to succeed in their efforts to rebut the Basic presumption.
SPAC Market Plummets but the Risk of Securities-Related Litigation Continues
Recent guidance from the U.S. Securities and Exchange Commission (“SEC”) on Special Purpose Acquisition Companies (“SPACs”) has had a chilling effect on the SPAC market.5 SPAC participants are concerned about “risks from fees, conflicts, sponsor compensation, . . . celebrity sponsorship and the potential for retail participation drawn by baseless hype, and the sheer amount of capital pouring into SPACs.”6 After a record breaking number of SPAC transactions in the first quarter of 2021, the number of SPACs has decreased dramatically this quarter. However, given the vast number of SPACs formed in 2020 and early 2021, there are hundreds of SPACs actively looking for potential targets and many more who have restated their financials in response to statements by the SEC. Thus, the risk of securities litigation relating to SPACs is far from over.
On April 12, 2021, the Acting Director of the SEC’s Division of Corporate Finance issued a statement addressing the accounting treatments of warrants issued in conjunction with SPACs (the “April 12 Statement”).7 The April 12 Statement encouraged SPACs with warrants that may settle upon a SPAC shareholder tender offer to consider accounting for the warrants as liabilities at fair value rather than as equity instruments. This provision is standard in SPAC warrants, and SPACs have not typically treated warrants as liabilities for financial statement purposes. In addition, SPAC registrants who have accounted for warrants as a component of stockholders’ equity rather than liabilities are encouraged to consider if the issuer should (i) restate historical financial statements, and (ii) file a non-reliance 8-K for its historical financial statements.
In response to the April 12 Statement, hundreds of SPACs reclassified their warrants and restated their financials to ensure SEC compliance.8 One such company was Richard Branson’s SPAC-acquired spaceflight company, Virgin Galactic (“VG”).9 Shareholders brought a securities class action lawsuit against VG after VG announced it was restating its financials to comply with the April 12 Statement.10 Plaintiffs alleged VG made materially false and misleading statements in failing to disclose that its SPAC warrants were required to be treated as liabilities rather than equities at the time of VG’s de-SPAC transaction.11 Such SPAC-related lawsuits are currently pending and more may be forthcoming.
The Virgin Galactic lawsuit is one of the approximately fifteen SPAC-related action filed in the first six months of 2021.12 Comparatively, less than ten SPAC-related cases arose in both 2019 and 2020.13 In response to the SPAC filings, some D&O insurance carriers have increased premiums for SPAC D&O-affiliates.14 To protect against securities litigation and SEC enforcement actions, SPAC boards should seek fairness opinions and use extreme caution when relying on financial earnings projections, among other methods.15 In addition, SPAC boards should thoroughly review financial statements before publication and properly ensure sufficient disclaimers and cautionary statements accompany such statements.16
Continuing Significance of Shareholder Lawsuits Arising from Cybersecurity Incidents
In the last several years, there has been an increased focus on cybersecurity disclosures by public companies. This year, shareholders have filed at least two data breach-related securities lawsuits; courts have handed down several decisions; and the SEC has conducted at least one significant investigation. Company officers and directors should take heed of these recent filings and decisions in preparing for potential cybersecurity related issues.17
First, the SEC staff is conducting an investigation regarding a cyberattack involving the compromise of software made by the SolarWinds Corp., which was widely publicized in December 2020. As part of the investigation, the staff issued letters in June to companies that it believes were impacted by the breach, requesting that certain entities provide information to the SEC staff on a voluntary basis. Subject to certain limitations and conditions, the SEC’s Division of Enforcement will not recommend that the Commission pursue enforcement actions against recipients that meet the requirements set out in the Letter that recipients received with the voluntary request for information.18
In addition, in the second quarter of 2021, courts issued opinions in two significant data breach-related securities suits, continuing to underscore the continued significance of cybersecurity issues. To start, in In re Alphabet, Inc. Securities Litigation, the Ninth Circuit reversed in part the dismissal of the Google+ user data securities lawsuit.19 In 2019, Rhode Island brought a securities fraud action against Alphabet, Google, and certain Google executives, alleging that Google failed to disclose certain security issues with the Google+ social network.20 The Court found that the complaint adequately alleged that statements in Google’s April and July 2018 Form 10-Qs were materially misleading.21 In particular, the Court noted that despite learning of cybersecurity issues in early April 2018, Google failed to disclose the issues in its 10-Qs. Instead, Google stated that there were “no material changes” to its risk factors. Eventually, in October 2018, the Wall Street Journal published a story about Google’s purported security issues.22
In addition to adequately alleging false and misleading statements, the Court also determined that the complaint adequately alleged facts raising a strong inference that Google knew about the specific cybersecurity issues and intentionally did not disclose them in its 10-Q statements, thus meeting the scienter pleading requirement.23 In the end, the Court reversed the district court’s dismissal of the federal securities claims, finding that plaintiff adequately alleged falsity, materiality, and scienter for the 10-Q statements.24 Thus, the case will proceed to discovery.
Also in the second quarter, Judge Paul W. Grimm of the District of Maryland dismissed federal securities and derivative data breach actions filed against Marriott International in the merger context.25 The lawsuits arose from Marriott’s 2016 acquisition of Starwood Hotels and Resorts Worldwide and a subsequently identified breach of Starwood’s guest reservations database (the “database”).26 During the merger, Marriott continually updated investors on the merger’s progress in its SEC filings and other public statements, and those statements formed the basis of plaintiff’s federal securities claims. On September 8, 2018, Marriott first learned of a possible database breach, but a forensic investigation determined that the breach began as early as July 2014, two years before Marriott acquired Starwood.27 On November 30, 2018, Marriott issued a press release announcing that hackers breached the database and compromised over 500 million people’s personal information.28
In both the securities and derivative actions, the Court looked favorably upon Marriott for swiftly updating its risk factor disclosures regarding cybersecurity incidents after it learned of the breach. Indeed, the Court pointed to the extensive cautionary language about the risks surrounding the merger, noting that “these cautionary statements are detailed and highly specific to Marriott and the Starwood transaction.”29 Conversely, the Court admonished the plaintiff for taking a “cookie-cutter approach” that “miss[ed] the mark”.30 The Court dismissed plaintiff’s securities claims with prejudice, determining that plaintiff failed to allege (i) a material misrepresentation or omission; (ii) a strong inference of scienter; and (iii) loss causation.31 The Court also dismissed plaintiff’s derivative actions for demand futility and lack of standing because plaintiff did not adequately plead contemporaneous Marriott stock ownership.32
The cases brought against Google and Marriott along with the recent SEC investigation continue to serve as a reminder that companies must make security a key priority. The cases continue to demonstrate that plaintiffs will continue to comb public filings and point to statements relating to its security. Thus, companies should not only adopt well-designed disclosure practices, but also review their current disclosures to ensure accuracy. Indeed, companies should ensure statements related to protecting customer data actually state the measures taken, and companies should only use data for the purpose it was collected. In addition, the Court in In re Marriott praised Marriott for quickly disclosing its cybersecurity incident, while the Ninth Circuit criticized Google for concealing its security and privacy issues. Directors should not only be proactive and attend to substantial breach risks, but should prepare response plans in advance of any issue arising. And companies should continue to develop and publish an insider trading policy to minimize the risk of sales after a data breach and before disclosure. Such steps will help to minimize securities liability.
With special thanks to summer associate Sarahan Moser.
1) Goldman Sachs Grp., Inc. v. Ark. Teacher Ret. Sys., No. 20-222, 2021 WL 2519035 (U.S. June 21, 2021).
2) 485 U.S. 224 (1988).
3) 573 U.S. 258 (2014).
4) 568 U.S. 455 (2013).
5) See Yun Li, SPAC Transactions Come to a Halt Amid SEC Crackdown, cooling retail investor interest, CNBC (Apr. 22, 2021), https://www.cnbc.com/2021/04/21/spac-transactions-come-to-a-halt-amid-sec-crackdown-cooling-retail-investor-interest.html.
6) John Coates, Public Statement from Acting Director, Division of Corporation Finance, SPACs, IPOs and Liability Risk Under the Securities Laws (Apr. 8, 2021), https://www.sec.gov/news/public-statement/spacs-ipos-liability-risk-under-securities-laws.
7) John Coates & Paul Munter, Public Statement from the SEC Division of Corporation Finance, Staff Statement on Accounting and Reporting Considerations for Warrants Issued by Special Purpose Acquisition Companies ("SPACs") (April 12, 2021), https://www.sec.gov/news/public-statement/accounting-reporting-warrants-issued-spacs.
8) The SEC’s Edgar database, https://www.sec.gov/cgi-bin/browse-edgar?action=getcurrent, contains the latest filings received and processed at the SEC, including filings for restatements and revisions to the accounting warrants in response to the SEC’s April 12th Statement. See also Elaine Harwood, et al., Will SPAC Restatement Wave Trigger Shareholder Litigation, LAW360 (June 22, 2021), https://www.law360.com/securities/articles/1395957/will-spac-restatement-wave-trigger-shareholder-litigation- (noting that from April 21 to June 22, almost 500 SPACs restated their accounting for warrants).
9) Complaint, Lavin v. Virgin Galactic Holdings, Inc., No. 1:21-cv-03070 (E.D.N.Y. May 28, 2021) ECF No. 1.
10) Id. Plaintiffs alleged violations of the Securities Exchange Act of 1934 and pursued remedies under Sections 10(b) and 20(a) and SEC Rule 10b-5 promulgated thereunder.
12) SECURITIES CLASS ACTION CLEARINGHOUSE, https://securities.stanford.edu/charts.html (see 2021 SPAC filings).
13) Id. (see 2019 and 2020 SPAC filings). One of the earlier-filed SPAC lawsuits, see Camelot Event Driven Fund v. Alta Mesa Res. Inc., No. 4:19-cv-957, 2021 WL 1416025 (S.D. Tex. April 14, 2021), recently survived a motion to dismiss in the Southern District of Texas. In determining whether plaintiffs sufficiently pled a claim for relief, the Court focused on Defendant Alta Mesa’s post-merger disclosures along with its US$3.1 billion write-down disclosed a year after its SPAC merger, stating that “the circumstances surrounding the company’s financial reporting . . . are alone enough to entitle Plaintiffs to discovery.” The Court also found that the defendants who signed Alta Mesa’s 2018 10-K “acted with the requisite severe recklessness under Section 10(b)” of the Securities and Exchange Act of 1934. See Camelot Event Driven Fund, No. 4:19-cv-957, 2021 WL 1416025, at *11, *12.
14) See Antonita Madonna, Demand for D&O Insurance Explodes with SPAC-related Activity and Future Litigation Concerts, REUTERS (Apr. 27, 2021), https://www.reuters.com/article/bc-finreg-liability-insurance-explodes-s/demand-for-do-insurance-explodes-with-spac-related-activity-and-future-litigation-concerns-idUSKBN2CE1RQ.
15) For further discussion of litigation prevention best practices, see Perrie M. Weiner, For SPACs, an Ounce of Liability Prevention is Worth a Pound of Cure, BOARDTALK: THE OFFICIAL BLOG OF NACD (June 23, 2021), https://blog.nacdonline.org/posts/spacs-liability-prevention.
16) See Leo Cho, SPAC Related Filings on the Rise, SECURITIES CLASS ACTION CLEARINGHOUSE (June 7, 2021), https://securities.stanford.edu/news-reports/20210607-SPAC-Related-Filings-on-the-Rise.pdf.
17) In one case, Reidinger v. Zendesk, Inc., a California federal district court granted defendant Zendesk’s motion to dismiss with leave to amend, finding that (i) plaintiff did not plead a material misstatement or omission because plaintiff neither identified any misleading statement relating to Zendesk’s data security nor explained how Zendesk could have disclosed additional information that would have made its statements not misleading; and (ii) Zendesk did not act with scienter. Reidinger v. Zendesk, Inc., No. 19-cv-06968-CRB, 2021 WL 796261, at *13, *16, *19 (N.D. Cal. Mar. 2, 2021). In In re FedEx Corp. Sec. Litig., the Southern District of New York granted defendants FedEx and its officers motions to dismiss with prejudice, finding that FedEx made statements identified as forward-looking and accompanied by the requisite meaningful cautionary language, and plaintiffs’ confidential witness did not implicate any of the individual defendants nor allege any facts to demonstrate that they had knowledge that would contradict, let along undercut, the company’s public statements, among other things. In re FedEx Corp. Sec. Litig., 2021 WL 396423, No. 1:19-cv-05990, (S.D.N.Y. Feb. 4, 2021).
18) In the Matter of Certain Cybersecurity-Related Events (HO-14225) FAQs, SEC (last modified June 25, 2021), https://www.sec.gov/enforce/certain-cybersecurity-related-events-faqs.
19) In re Alphabet, Inc. Sec. Litig., 1 F.4th 687 (9th Cir. 2021).
20) Id. Plaintiff brought claims under Sections 10(b) and 20(a) of the Securities and Exchange Act of 1934 and SEC Rule 10b-5 promulgated thereunder.
21) Id. The Court found that the April and July 2018 Form 10-Qs were materially misleading because Google promulgated them after detecting cybersecurity issues and allegedly making efforts to conceal the issues.
22) See Douglas MacMillan & Robert McMillan, Google Exposed User Data, Feared Repercussions of Disclosing to the Public, WALL ST. J. (Oct. 8, 2018), https://www.wsj.com/articles/google-exposed-user-data-feared-repercussions-of-disclosing-to-public-1539017194.
23) In re Alphabet Inc. Sec. Litig., 1 F.4th 687. The Court focused on an internal privacy memorandum that warned directors of possible regulatory scrutiny and public distrust that could follow disclosure. Officers allegedly saw this memo in early April 2018.
24) Id. Furthermore, because the complaint did not plausibly allege that other statements, like “Google has a ‘very robust and strong privacy program,’'" were misleading material misrepresentations or omissions, the Court affirmed the district court’s dismissal as to ten additional statements. Id. at 708.
25) In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig, No. 19-MD-2879, 2021 WL 2407518 (D. Md. June 11 2021).
26) Id. The complaint alleged Marriott made several false or misleading statements or omissions in violation of Sections 10(b) of the Securities Exchange Act of 1934, Section 20(a), and SEC Rule 10b-5 promulgated thereunder.
27) Id. Marriott conducted due diligence on Starwood before the 2016 merger closed, including on its IT systems.
28) Marriott Announces Starwood Guest Reservation Database Security Incident, MARRIOTT INTERNATIONAL NEWS CENTER (Nov. 30, 2018), https://news.marriott.com/2018/11/marriott-announces-starwood-guest-reservation-database-security-incident/.
29) In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig. supra note 25 at 18.
30) Id. at 5.
31) Id. The Court noted that Marriott made no characterization with respect to the quality of its cybersecurity; its statements revealed merely that it considered cybersecurity important. As for the scienter requirement, the Court found that although inferences could be made that Starwood had cybersecurity deficiencies and Marriott was aware of various deficiencies, there was no allegation that the individual defendants were aware of any specific deficiency. Lastly, plaintiff did not prove loss causation because the Court did not find a sufficiently direct relationship between plaintiff’s economic loss and Marriott’s allegedly fraudulent conduct. Id.
32) Id. The Court could have granted plaintiff leave to amend the complaint, but it dismissed the federal securities claims with prejudice and noted that leave to amend would be futile since Plaintiff failed to (i) meet demand requirements and (ii) state a claim.