Mitigating the risk of shareholder lawsuits after a data breach

So far this year, we’ve seen a perpetual cycle of cyber incidents and data breaches across the public and private sector, targeting anything and everything from government entities, universities and healthcare providers, to large retail and technology service providers.

Such data breaches not only lead to heavy losses financially and reputationally (and even a drop in share value for those companies that are publicly listed), but also could open the door for shareholder class action lawsuits.

Against this backdrop, where do companies start in preventing these data breaches and accompanying lawsuits?

Undeniably, the first suggestion would be to avoid being hacked and having your data compromised.

This may seem fairly obvious but, while no organisation is 100% secure, there are still clear risk management and cyber security blind spots for companies that do not have robust controls and effective governance in place.

Recent incidents show that organisations that have poor access control policies, ineffective vendor management strategies, and poor cyber hygiene policies are those that are more likely to be breached.

However, should the worst happen and your organisation is breached, it is important to remember that you could also be sued by investors if you disclose too little or not enough information to shareholders. In fact, disclosing too much information without context could have a dramatic effect on your share prices.

Nevertheless, a shareholder can sue if something is material and, as per the SEC rules, the material information was omitted and/or misleading. TSC v Northway 426 U.S. 438, 449 (1976) established the standard as:

“…a substantial likelihood that a reasonable shareholder would consider it important in deciding how to vote. […] contemplates a showing of a substantial likelihood that, under all the circumstances, the omitted fact would have assumed actual significance in the reasonable shareholder’s deliberations.”

To further this, the US National Institute of Standards and Technology (NIST) sheds more light on materiality in respect to cybersecurity:

“cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations. The materiality of cybersecurity risks and incidents also depends on the range of harm that such incidents could cause. This includes harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.”

This is complicated even further by the fact that it is really difficult out of context to provide an exact definition of materiality, making the risks higher. “All that is necessary is that the facts withheld be material in the sense that a reasonable investor might have considered them important in the making of his decision” as stated by the Supreme Court in Affiliated Ute Citizens of Utah v. United States, 406 U.S. 128 (1972). Therefore, those the company’s actions and communications in response to a cybersecurity incident can impact the risk of a lawsuit by shareholders.

In terms of mitigating the risk of US securities class action lawsuits after a data breach, there are six parts to handling the data breach:

1.      The causes of the data breach

2.      The actual data breach itself

3.      The response to the data breach

4.      Communicating the data breach to affected parties

5.      Communicating the data breach to relevant regulatory authorities, if applicable

6.      Accurately communicating the data breach to investors  

It is on this final point that this post will now focus, and how organisations, particularly those that are publicly traded, communicate breaches to investors, focussing specifically on two very recent lawsuits relating to data breaches.

Okta, inc.  

In January 2022, Okta fell victim to hackers claiming to have access to Okta’s internal company environment.

In response, the company made a statement in March 2022 following an investigation of the hacker’s claims, that the issue was contained and that there were no more ongoing malicious threats.

Hours later, they stated that following their “thorough analysis of the claims, we have concluded that a small percentage of customers — approximately 2.5% — have potentially been impacted and whose data may have been viewed or acted upon.” As a result, a class action lawsuit by shareholders was raised against the Company.

Furthermore, the lawsuit complaint states that Okta made false and misleading statements and/or failed to disclose the following to shareholders:

(i) Okta had inadequate cybersecurity controls;

(ii) as a result, Okta’s systems were vulnerable to data breaches;

(iii) Okta ultimately did experience a data breach caused by a hacking group, which potentially affected hundreds of Okta customers;

(iv) Okta initially did not disclose and subsequently downplayed the severity of the data breach;

(v) all the foregoing, once revealed, was likely to have a material negative impact on Okta’s business, financial condition, and reputation; and

(vi) as a result, the Company’s public statements were materially false and misleading at all relevant times.

While the lawsuit has been partially dismissed, the court gave Okta the opportunity to amend their complaint or “revisit” the lawsuit on all accounts.

That said, the allegations in the claim are something every publicly listed company should consider: do we have adequate cybersecurity controls and, if so, are we therefore vulnerable? Following this, what are the standard operating procedures (SOPs) and third parties we would need to work with if this ever occurred?

Beyond this, and following an actual data breach, companies should also carefully consider the final four claims (iii-vi) made by Okta’s shareholders when disclosing the breach.

Crucially, companies should seek competent counsel and cybersecurity experts to assist in crafting these communications to the public at large and, crucially, their shareholders. Likely, counsel will help you answer: is what we are stating downplaying the severity and are we not disclosing enough that could lead us to potentially be hit with a lawsuit? If we overstate the impact of the data breach, how much will that impact our reputation and loss of profits, customer relationships, and share value?

It should also be noted that as a result of the company’s statements in relation to the data breach, as per the facts in the complaint, Okta’s share value decreased by 11%. It is possible that this impact could have been reduced had a more robust data risk mitigation strategy been in place.

Block (formerly Square)

In a slightly different example, an employee of CashApp, a subsidiary of U.S. tech conglomerate Block, walked away with personal data containing full customer names and brokerage account numbers, brokerage portfolio value, holdings and/or stock trades on that day of millions of customers.

In the immediate aftermath of the incident, Block stated publicly that no highly sensitive data of CashApp customers (such as social security numbers, addresses, birth dates and usernames or passwords) were accessed in the breach.

A few months prior, Block acquired the Australian fin-tech and payments provider Afterpay. However, in information provided to Afterpay’s shareholders to entice them to buy into Block’s shares following the acquisition, Block failed to disclose the data breach to its prospective shareholders.

The news of the data breach, as news sources state, led share value to drop by 14%. The plaintiffs in the lawsuit claim that they were not informed of this data breach within the “Scheme Booklet” provided. As a result, shareholders have filed a class action lawsuit against the company, co-founder and Board member Mckelvey, and the CEO (aka “Block Head”) Jack Dorsey.

As a result, the shareholders class action lawsuit against Block includes:

i) the failure to maintain a system of internal control adequate to protect the personal data of Block’s customers, and

ii) whether the statements made by Block and Dorsey misrepresented or omitted to state material facts in connection with offering or soliciting the purchase of Block Securities by Plaintiff and other Class members

Preparing for a Data Breach

As these two recent examples demonstrate, putting out the fire or merely responding to the data breach simply isn’t enough.

Beyond having stringent cybersecurity controls and effective governance and risk management processes in place, companies should also strongly consider working in lockstep with a reputable cybersecurity incident response firm on retainer to assist in the event of a breach.

Secondly, it is crucial for companies to work alongside a reputable public relations manager and counsel to help navigate the tricky regulatory, customer, and investor communications so as to not be misleading or omitting of material facts. In both cases, this could be operated internally or externally, but would form part of a well considered incident response strategy and plan nonetheless.

The strength of a securities class action lawsuit relies upon materiality in which counsel will help to determine: would a reasonable investor choose to not invest or at least consider not investing if they were informed of these data breaches?

As mentioned before, materiality, which appears to be changing with the tide, will shape whether or not a shareholder has a good chance of winning a lawsuit.

At present, many of these class action shareholder lawsuits have been dismissed on procedural grounds but in time, plaintiffs law firms may become more astute at succeeding in these kinds of claims.

‍

‍_{CONDITIONS AND LIMITATIONS}

_{This information is not intended to constitute any form of opinion or specific guidance and recipients should not infer any opinion or specific guidance from its content, including but not limited to legal advice. Recipients should not rely exclusively on the information contained in the bulletin and should make decisions based on a full consideration of all available information. We make no warranties, express or implied, as to the accuracy, reliability or correctness of the information provided. We and our officers, employees or agents shall not be responsible for any loss whatsoever arising from the recipient’s reliance upon any information we provide and exclude liability for the statistical content to fullest extent permitted by law.}