Is Data Breach Liability Inching Toward The Board Room?

In part 1 of a two-part article, a pair of securities and shareholder litigation lawyers look at what a high-profile data breach means for board liability.

In 2017, high-profile data breaches continued to create major legal issues for some of the country’s largest corporations. Shareholders of affected companies have continued to look for opportunities to impute liability to officers and directors for what increasingly seem like inevitable cybersecurity events.

In a related article published in last year’s Securities & Shareholder Litigation 2017: A Look Ahead, we observed that derivative claims alleging that directors and officers violated the duty of care in failing to prevent these security breaches generally gained little traction in the courts. To succeed on a derivative “failure to monitor” claim, derivative plaintiffs have to prove that the defendant directors engaged in a sustained or systematic failure to exercise their oversight duties. This exacting standard has repeatedly led courts to explain that a failure of oversight claim (or a Caremark claim) in fact is the toughest claim for a shareholder plaintiff to prove.

As a result, last year we predicted that more shareholders would begin to abandon derivative actions in this area in favor of federal securities claims alleging that directors knew of cybersecurity vulnerability and failed to disclose these issues to the public in a timely manner. This prediction has come to pass, and companies such as Yahoo!, PayPal and Equifax have faced federal securities class actions against the companies and their directors and officers alleging that the company’s disclosures surrounding the data breach were insufficient, thereby violating federal securities laws.

In the wake of these lawsuits, 2018 has already been a notable year for cybersecurity-focused corporate securities claims and the potential for related D&O liability. In March, Yahoo! announced a settlement in its previously mentioned federal securities action, marking the first substantial settlement involving data breach-related federal securities claims. In addition, the unique facts surrounding the Equifax breach have observers wondering if it will be the first case alleging D&O liability for a data breach to survive a motion to dismiss. And, potential legislative action, coupled with recent regulatory guidance on cybersecurity disclosures issued by the SEC, raises questions about the impact of legislative and regulatory action on disclosure-related securities claims in the wake of a reported data breach.

Yahoo! Settles Federal Securities Action Related to Data Breaches

On March 2, 2018, Yahoo! announced a settlement in the federal securities action filed in connection with massive data breaches that took place at the company in 2013 and 2014. The Yahoo! federal securities litigation was one of the first securities fraud lawsuits (as opposed to shareholder derivative actions) filed as a result of a data breach, and the $80 million settlement marks the first substantial shareholder recovery in a data breach-related lawsuit.

The Yahoo! securities litigation sought to impose direct liability on the company’s directors and officers, in large part based on the company’s failure to disclose the breaches until late 2016. Shortly thereafter, Yahoo! reported that the SEC had opened an investigation into whether the company should have disclosed the data breaches sooner. In January 2017, Yahoo! shareholders filed a federal securities action challenging the adequacy of the company’s public disclosures regarding its exposure to cybersecurity risk and the potential impact of the data breaches on the company’s business practices. The defendants – the company and several directors and officers – moved to dismiss the complaint, but the hearing date for the defendants’ motion was repeatedly rescheduled due to ongoing settlement talks between the parties. On Oct. 3, 2017, Yahoo! announced that the 2013 data breach had affected an additional two billion Yahoo! user accounts. As a result of these new factual developments, on Nov. 22, 2017, U.S. District Judge Lucy Koh of the U.S. District Court for the Northern District of California denied the defendants’ motion as moot, and granted the plaintiffs leave to file a Second Amended Complaint.

The Yahoo! data breaches involved unique factual circumstances that lent themselves to a direct securities claim. For starters, the Yahoo! breaches account for the largest data breaches to date, affecting billions of consumers. Second, as noted above, the Yahoo! breaches occurred years before the company publicly disclosed the incidents. And finally, the Yahoo! breaches had an obvious financial impact on the company. In the wake of Yahoo!’s disclosure of the breaches, Verizon – which was in the process of acquiring Yahoo! – reduced the acquisition price by $350 million.

These facts suggest that Yahoo! may have faced unique pressure to settle that may not be felt by companies that experience breaches but, for example, do not experience a stock drop, or where a breach does not impact such a large volume of consumers. Nevertheless, the Yahoo! settlement is significant and may very well encourage shareholders (and plaintiffs’ attorneys) to pursue direct securities claims against directors and officers of companies that experience data breaches moving forward. Notably, the fee award sought by the Yahoo! shareholders’ attorneys may also impact or incentivize future direct liability claims – the shareholders’ attorneys are reportedly seeking $20 million in fees from the court as part of the settlement.