Is Data Breach Liability Inching Toward The Board Room?

In 2017, high-profile data breaches continued to create major legal issues for some of the country’s largest corporations. In part one of a two-part article, a pair of securities and shareholder litigation lawyers look at what this may mean for officers and directors in terms of liability.

Equifax Securities Litigation: The Right Facts to Survive a Motion to Dismiss?

On Sept. 7, 2017, Equifax announced that hackers had accessed its systems from mid-May through July 2017 and obtained the personal information – including the names, driver’s license numbers, and Social Security numbers – of what is now estimated to be more than 145 million American consumers. The following day, Equifax’s stock fell roughly 14%. A week later, the stock was trading at about 35% below the pre-announcement price. Equifax has admitted that it knew of the security vulnerability that hackers exploited to illegally access consumer information as early as March 2017. The company apparently learned of the hack itself on July 29, 2017, and engaged an independent cybersecurity firm on Aug. 2, 2017, to conduct a review of the intrusion. In addition, three Equifax executives – including its CFO – sold almost $2 million worth of shares in the company in early August, only days after the company learned of the breach but before the breach was publicly announced.

Since the announcement, nearly 400 lawsuits have been filed against Equifax related to the breach, including two federal securities class actions, more than 330 consumer suits and at least two actions filed by state Attorneys General. In December 2017, the federal consumer cases were consolidated in the Northern District of Georgia, home to Equifax’s headquarters in Atlanta. The consolidated action and the federal securities actions have been assigned to U.S. District Chief Judge Thomas Thrash, Jr., who last year dismissed the consolidated derivative action against Home Depot’s directors and officers following its data breach that impacted 56 million consumers.

Like the Yahoo! breaches, the Equifax data breach involved unique factual circumstances that have led observers to speculate as to whether claims against Equifax’s directors and officers will be the first D&O data breach claims to move past the motion to dismiss stage.

First, Equifax’s stock price fell precipitously following its announcement of the breach. In prior breaches that led to actions against directors and officers, such as the Home Depot data breach, the company’s stock price was not noticeably affected. As a result, shareholder-plaintiffs were all but forced to bring their claims as a derivative (versus federal securities) action.

Second, Equifax has publicly stated that it knew of the security vulnerability that led to the hack in March, but did not disclose the threat to investors. Furthermore, the company waited 41 days after discovering the data breach to disclose the hack publicly. The company’s then-CEO testified before Congress that he was made aware of the hack two days after it was discovered. His testimony lays out a timeline of when other key directors and officers were made aware of the breach prior to the announcement. In defense of its decision to wait over a month to disclose the breach, Equifax has argued (as have other companies – and even the SEC – in the past) that it wanted to conduct an investigation into the incident and its impact so as to avoid making a public misstatement regarding the nature and scope of the breach. However, waiting too long to disclose a breach can also potentially subject a company to liability. Shareholder-plaintiffs alleging that Equifax’s public disclosure violated the federal securities laws have been quick to highlight public statements Equifax made in the intervening time period between July 29, 2017 and Sept. 7, 2017, regarding the strength of the company’s security measures.

Finally, plaintiffs may once again try to overcome the so-far impenetrable hurdle of pleading a derivative Caremark claim against officers and directors for failure to take sufficient cybersecurity precautions. Equifax has stated publicly that it was made aware of the vulnerability that led to the breach in March 2017, but was unable to address the issue in time to prevent the breach. Furthermore, high-ranking company executives – including the CFO – sold large volumes of the company’s stock in a matter of days after Equifax learned of the breach. Equifax has conducted its own internal investigation into these trades, and the company reported that the executives did not trade on material nonpublic information when they sold their shares in early August. Nevertheless, the company’s former CIO was recently indicted on insider trading charges relating to his alleged sale of close to $1 million in Equifax securities in advance of the company’s disclosure of the breach. Even if Equifax’s internal investigation is accurate – meaning the CFO and other executives did not trade on knowledge of the breach in the days after the company became aware of the ongoing incident – derivative plaintiffs may use it as a springboard for a Caremark claim, arguing that management’s lack of knowledge regarding the massive security breach days after it had been discovered by the company and reported to the CEO is sufficient to allege that the company’s directors and officers abdicated their oversight responsibilities, and/or that any internal controls adopted by the company were inadequate.

Part 2 of this article will be published next Monday.
