Thanks in Part to Del. Rulings, Data Breaches Are an Expanding Frontier in Securities Class Actions
Corporate and Securities Litigation columnists Mark D. Harris and Margaret A. Dale write: So-called “event-driven” securities class actions are on the rise, with data breaches representing one of the most significant categories of events driving this trend. How the courts will treat the proposed settlements that arise in these cases remains to be seen.
February 26, 2019 at 04:45 PM
8 minute read
The original version of this story was published on New York Law Journal
For years, following the announcement of a corporate merger or acquisition, courts could expect to see shareholder class action suits that, in the main, were resolved by “disclosure-only” settlements. Plaintiff shareholders would allege that the officers of the merging entities failed to adequately disclose the material terms of the transaction, and failed to carry out their fiduciary duties of care and loyalty when they entered into the deal. The parties typically chose to settle these cases early on rather than litigate them. The resulting settlements generally required that defendants pay plaintiffs' attorney fees and make additional disclosures, as opposed to changing the economic terms of the deal (hence the name, “disclosure-only” settlements).
As we have previously described, Delaware courts have come to disfavor disclosure-only settlements, expressing concerns that such settlements are significantly more beneficial to the plaintiffs' attorneys than to the plaintiff class, and allow defendants to be released from a broad array of potential future claims at little cost. See Margaret A. Dale & Mark D. Harris, The Effect of 'Trulia' on Takeover Litigation, N.Y.L.J. (Oct. 25, 2016). In In re Trulia Shareholder Litigation, 129 A.3d 887, 891-92 (Del. Ch. 2016), the Delaware Chancery Court noted that “far too often,” disclosure-only settlements serve only to “generate fees for certain lawyers who are regular players in the enterprise of routinely filing hastily drafted complaints on behalf of stockholders on the heels of the public announcement of a deal and settling quickly on terms that yield no monetary compensation to the stockholders they represent.” After Trulia, Delaware courts have largely stopped approving disclosure-only settlements.
Because of the trend away from these types of settlements, plaintiffs' attorneys seem to have embraced data-breach suits as the next frontier in shareholder class actions. Such cases are brought by investors against a company following a data breach, and generally feature a few types of allegations. Investors might allege that the company was aware that its security systems were faulty, so its public disclosures regarding those security systems were incorrect or misleading. Or investors might allege that the company's officers and directors breached their fiduciary duty to ensure that the company had adequate and functional systems. They also might claim that the announcement of the data breach caused the company's stock price to drop, and that the data breach (and resulting stock drop) occurred as a result of false or misleading disclosures or a breach of fiduciary duty.
|Data-Breach Shareholder Class Actions Initiated in 2018
Increasingly, the announcement of a major data breach is followed closely by the institution of a securities class action on behalf of the shareholders. In 2018 alone, several prominent companies faced such suits. One was filed against the Marriot hotel chain, following a massive data breach that affected approximately 500 million guests—one of the five largest data breaches in history. See McGrath v. Marriot Int'l, No. 18-06845 (E.D.N.Y. filed Dec. 1, 2018). In McGrath, shareholders alleged that the statements Marriot made in its SEC filings regarding the importance of information-technology security were materially false and misleading. Another such suit was filed against Alphabet Inc., Google's parent company, in connection with a breach that compromised the data of thousands of Google+ social network users. See Wicks v. Alphabet, No. 4:18-cv-06245 (N.D. Cal. filed Oct. 11, 2018). As in McGrath, the shareholders in Wicks alleged that Alphabet made false and misleading disclosures regarding its security measures. Shareholders also filed a separate derivative complaint against Alphabet executives, alleging that the executives knew of the breach for months prior to disclosing it. See Bao v. Page, No. 3:19-cv-00314 (N.D. Cal. filed Jan. 18, 2019).
A similar suit was filed against Chegg, an educational-services company, after an unauthorized entity accessed a company database hosting user data. See Shah v. Chegg, No. 18-05956 (N.D. Cal. filed Sept. 27, 2018). In addition to allegations regarding false or misleading disclosures, the shareholders claimed that Chegg's stock price dropped as a result of the breach. Yet another suit was filed against Huazhu Group, a Chinese hotel group. See Hayes v. Huazhu Group Ltd., No. 2:18-cv-08633 (N.D. Cal. filed Oct. 8, 2018). As in Chegg, the shareholders alleged that Huazhu made false or misleading statements regarding its security systems, then suffered a data breach, which in turn caused the value of Huazhu's stock to drop. The shareholders alleged that the company's false and misleading disclosures about its security systems caused the plaintiff class to buy shares at an artificially inflated price.
|Settlement: Data-Breach Plaintiffs' Most Common Path to Success
While the cases listed above all remain pending, these types of suits rarely result in successful judgments for plaintiffs; courts tend to dismiss most at the motion to dismiss stage. Those that are not dismissed at this stage often settle.
Perhaps the most prominent data-breach class action settlement occurred in In re Yahoo! Sec. Litig., No. 17-00373 (N.D. Cal. filed Jan. 24, 2017). In re Yahoo was brought in connection with the largest data breach in history to date, affecting as many as 3 billion Yahoo user accounts. Investors alleged that Yahoo had known the accounts had been compromised as early as 2014, but still continued to file corporate notices that did not disclose it. Investors also alleged that in its corporate filings, Yahoo had falsely or misleadingly represented that it had industry-leading cybersecurity practices, despite knowing that its practices were inadequate. Additionally, investors put forth a stock-drop claim, alleging that the company's stock price plummeted as a result of the public announcement of the breach.
The final settlement required Yahoo to pay $80 million, including $14.4 million in attorney fees. The settlement was proposed in March 2018 and approved in September. The approval came only four months after Yahoo agreed to pay $35 million to settle SEC claims in connection with a 2014 data breach affecting over 500 million user accounts. These terms were far from typical for a data-breach class action. The high settlement figure has been described as an outlier, attributable to the sheer magnitude of the data breach (which, in turn, may have caused a more significant stock drop than is seen following most data breaches).
Another settlement was recently reached in In re MobileIron Shareholder Litig., No. 2015-1-CV-284001 (Santa Clara Cty. Super. Ct. filed Aug. 5, 2015). MobileIron is an information-technology company that provides mobile security systems to corporate clients. In May 2014, a few weeks before MobileIron's IPO, a hacker gained access to the MobileIron server. The hacker conducted a “full wipe” of the mobile devices belonging to one of MobileIron's clients, Aviva. As a result, Aviva cancelled its contract with MobileIron and moved its employees onto a competing security system. MobileIron shareholders alleged that because MobileIron's offering documents failed to disclose the breach, the likely impact of announcing the breach, and Aviva's move, and because MobileIron represented that the platform it provided was secure, the documents were “materially inaccurate, misleading and/or incomplete.”
The shareholders further alleged that this caused MobileIron's IPO offering price to be artificially inflated. About a year after its IPO, MobileIron's stock prices fell from $9 to $2.39. MobileIron disputed the extent to which the stock drop was attributable to the data breach, and denied that any of the public statements alleged to be “misleading” were anything more than mere puffery.
The parties reached a settlement requiring MobileIron to pay $7.5 million with no admission of wrongdoing. The terms of the settlement required that 33 percent of the common fund (approximately $2.475 million) be used for attorney fees. Notably, in the order granting final approval of this settlement, Judge Kuhnle of Santa Clara County Superior Court stated that 33 percent is a “reasonable” allotment for attorney fees—significantly more than the 18 percent allotment obtained in Yahoo.
While the settlements reached in Yahoo and MobileIron each provided a sizable fund for affected shareholders, arrangements more closely resembling disclosure-only settlements have been attempted in the context of data-breach class actions, too. In In re Wendy's Co. Shareholder Deriv. Action, No. 16-01153 (S.D. Ohio filed December 2016), the parties proposed a settlement that did not require payment to shareholders, after the fast-food giant suffered a point-of-sale data breach. The settlement would have required Wendy's only to implement certain remedial and preventative cybersecurity measures, and to pay $950,000 in attorney fees. This past December, the court denied the plaintiffs' motion for approval of the settlement, finding it premature. The court's disapproval did not stem from the absence of a fund for shareholders, however, but from the fact that the plaintiffs had not yet designated which of two complaints was to be the operative one.
|Conclusion
So-called “event-driven” securities class actions are on the rise, with data breaches representing one of the most significant categories of events driving this trend. How the courts will treat the proposed settlements that arise in these cases remains to be seen.
Margaret A. Dale and Mark D. Harris are partners at Proskauer Rose. Anisha D. Shenai-Khatkhate, an associate at the firm, assisted in the preparation of this article.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllCompanies' Dirty Little Secret: Those Privacy Opt-Out Requests Usually Aren't Honored
Kramer Levin's Patent Trial Team Discusses Teaching Tech to Juries
Navigating the SEC's Marketing Rule: Compliance Challenges and Legal Insights
16 minute readTrending Stories
- 1'Largest Retail Data Breach in History'? Hot Topic and Affiliated Brands Sued for Alleged Failure to Prevent Data Breach Linked to Snowflake Software
- 2Former President of New York State Bar, and the New York Bar Foundation, Dies As He Entered 70th Year as Attorney
- 3Legal Advocates in Uproar Upon Release of Footage Showing CO's Beat Black Inmate Before His Death
- 4Longtime Baker & Hostetler Partner, Former White House Counsel David Rivkin Dies at 68
- 5Court System Seeks Public Comment on E-Filing for Annual Report
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250