Extracted from Law360
Over the last decade, cybersecurity has developed into an increasingly critical business and legal concern for companies and individuals across the globe.
Cybersecurity issues, including the risk of a data breach, ransomware attack or other cyber incident, became even more central to business operations beginning in the spring of 2020, when the initial COVID-19 lockdowns in the U.S. created a nearly overnight transition to fully remote work for many companies.
Cybersecurity has in many ways only become more critical for companies this year as regulators in the U.S. and abroad increasingly turn their focus to cyber issues.
This is particularly true for publicly traded companies, which are subject to disclosure obligations under federal law and the accompanying regulatory and shareholder scrutiny, and which have faced mounting securities litigation following significant data breaches.
A review of recent cyber-related securities class actions reveals that plaintiffs have pursued three notable categories of suits this year: those aimed at remote service providers that saw unprecedented growth during the pandemic; those targeting entities that are subject to cyber- or privacy-related regulatory oversight in China; and those alleging insufficient disclosure following a breach.
The review further demonstrates that large-cap corporations in the technology, services and financial sectors may be subject to increased risk of shareholder litigation in the wake of a cyber incident.
These recent actions foretell potential future developments in cyber-related securities litigation while building on trends observed over the last several years. As these cases demonstrate, shareholder plaintiffs will likely continue to focus on public companies' cybersecurity-related disclosures, particularly in the context of a quickly evolving technological landscape and regulatory environment.
Recent Illustrative Cases
Remote Technology Providers Affected by the Pandemic
The past year has seen a number of cyber-related shareholder suits directed at companies affected by the global COVID-19 pandemic.
For instance, in In re: K12 Inc. Securities Litigation, on April 5, shareholder plaintiffs filed an amended complaint in the U.S. District Court for the Eastern District of Virginia against K12 Inc., now known as Stride Inc., a small-cap technology-based education company, and certain of its officers and directors, arising in part out of a series of cyberattacks affecting one of the company's largest customers.
The plaintiffs allege that, amid school shutdowns due to the pandemic, "K12 embarked on an intensive campaign to convince the market that it was well positioned and technologically capable" of providing secure virtual schooling services and that the company issued false and misleading statements about the company's cybersecurity protocols and protections and its ability to prevent and mitigate cyberattacks, in violation of Sections 10(b) and 20(a) of the Securities Exchange Act.
According to the plaintiffs, the truth began to emerge in late August 2020, when the Miami Herald published an article detailing the concerns of one of K12's largest school district customers and later reported that the same customer had recorded 12 "intermittent" cyberattacks on its network that, according to the plaintiffs, "exposed K12's inadequate and insufficient protocols relating to cybersecurity threats." K12's stock price reportedly fell over 30% following the negative press.
The K12 defendants moved to dismiss the complaint, arguing in part that the alleged cyberattack was waged against the school district's systems — not K12's — and that the company had otherwise adequately disclosed the risks of a potential breach. The motion is currently pending in the Eastern District of Virginia.
Chinese Regulatory Litigation
Not all cyber-related securities litigation during the pandemic has arisen out of cyberattacks or data breaches. In fact, four of the suits filed since March 2020 relate to disclosure of cybersecurity reviews by Chinese regulators. For instance, in Balderas v. 360 DigiTech Inc., on July 13, shareholder plaintiffs filed suit against 360 DigiTech, the mid-cap Chinese operator of a digital consumer finance platform, and certain of its officers and directors in the U.S. District Court for the Southern District of New York.
The plaintiff alleges that 360 DigiTech made materially false and misleading statements in its 2020 annual report and in subsequent press releases and earnings calls by touting the strength of the company's cybersecurity defenses and regulatory compliance while failing to disclose that the company "had been collecting personal information in violation of relevant [People's Republic of China] laws and regulations," which placed 360 DigiTech at "increased risk of regulatory scrutiny and/or enforcement action."
The truth purportedly began to emerge on July 8, when social media users reported that 360 DigiTech's core application had been removed from major app stores and speculated that the removal was related to Chinese government regulatory scrutiny directed at online financial platforms. 360 DigiTech's stock price purportedly fell more than 20% on this news.
Actions Alleging Insufficient Post-Breach Disclosures
Shareholders and regulators have additionally continued to focus on the sufficiency of public disclosure following a data breach.
For instance, in May of this year, in Mölder v. Ubiquiti Inc., shareholder plaintiffs filed suit against Ubiquiti, a large-cap technology company, in the Southern District of New York, alleging that the defendants made false and misleading statements in a January email to customers disclosing a potential data breach of a system hosted by the company's third-party cloud storage provider and in the company's subsequent quarterly report describing the incident.
The plaintiffs allege that Ubiquiti intentionally minimized the breach and failed to disclose that "attackers had obtained administrative access to Ubiquiti's servers," which allowed the "intruders" to remotely access the company's systems.
The truth allegedly began to emerge when, in March, the popular blog "Krebs on Security" published an article stating that Ubiquiti had "downplayed" the breach and disputing the company's characterization of the incident as "imply[ing] that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack." Ubiquiti's stock allegedly fell 14.5% on that news.
Key Trends in Recent Cyber-Related Securities Class Actions
The K12, 360 DigiTech and Ubiquiti cases provide only the most recent examples of trends in cyber-related securities class actions filed since the early days of the COVID-19 lockdown in the U.S. Between March 2020 and August 2021, at least 10 publicly traded companies were hit with cyber-related securities claims.
Pace of Filing
While overall securities litigation filing activity fell during 2020 and the first half of 2021 compared to previous years, filing of cyber-related securities litigation remained relatively steady, with four cyber-related filings during 2020 and six to date in 2021.
Market Capitalization of Defendants
Six out of the 10 companies that have faced suit during the review period are large-cap companies with over $10 billion in market capitalization. This class of companies has also faced the greatest risk of cyberattack during the last 10 years.
Sectors and Industries
All the companies that faced cyber-related suits during the review period operate in the technology sector, with four suits, including Ubiquiti; the services sector, with three suits, including K12; or the financial sector, with three suits, including 360 DigiTech.
Notably, the technology sector has profited more than almost any other sector from the pandemic as people transitioned to remote work, shopping and entertainment. Within the services sector, at least one of the companies that faced suit, Zoom Video Communications Inc., also underwent unprecedented growth during the review period, even as it endured cybersecurity challenges as its software became increasingly popular.
Given shareholder plaintiffs' focus on the technology, services and financial sectors, it is unsurprising that most of the suits are proceeding in federal district courts in states that are home to many companies in those sectors, like New York, with four suits, including Ubiquiti and 360 DigiTech, and California, with two suits. The remaining suits are pending in federal courts in Illinois, Virginia, Texas and New Jersey.
Key Takeaways and Predictions
As these cases demonstrate, shareholder plaintiffs will likely continue to focus on a company's cybersecurity-related public disclosures, particularly in the context of a quickly evolving technological landscape and regulatory environment and as the frequency and cost of cybersecurity incidents are poised to grow in 2022 and beyond.
As cyber-related issues become more commonplace, it remains to be seen whether, after disclosure of a cyberattack, companies will continue to experience stock price declines significant enough to attract the attention of shareholder plaintiffs.
Companies in certain sectors that have historically seen the most significant drops in share price following a breach, including the financial sector, may remain more likely to face suit compared to companies in sectors like health care that have historically experienced smaller share price declines.
Given these developments, it is important that companies consider ongoing securities litigation risks and trends related to cybersecurity.
Consider shareholder focus on companies providing remote services.
In light of the recent suits against purveyor of virtual learning systems K12 and the videoconferencing platform Zoom, companies providing remote services that have experienced rapid growth during the COVID-19 pandemic should remain particularly mindful of their cyber-related disclosures.
Evaluate risks as companies return to in-person work.
Companies returning to in-person operations should consider whether to update their cybersecurity disclosures in light of the potentially differing risks between in-person and remote work, and how continued hybrid work may affect those risks.
Analyze implications of cyber-related incidents on customer or vendor platforms.
Companies should consider whether a cyberattack on a customer, vendor or other third party may affect their systems and whether such incidents create potential disclosure obligations. This is particularly important for companies that continue to offer remote and hybrid work options and rely on external data platforms that allow workers to access company files offsite.
Review cybersecurity-related disclosures — even in customer communications.
These recent cases suggest that companies facing significant cyber-related incidents may remain subject to shareholder litigation based in part on customer communications apart from their routine disclosures to the U.S. Securities and Exchange Commission.
Companies should continue to not only pay close attention to their disclosures of cybersecurity-related risks in SEC filings and investor communications but also keep in mind the breadth of potential claims based on this recently filed litigation.
Stay apprised of the changing regulatory landscape, including in China.
Companies that are subject to regulatory scrutiny related to cybersecurity and data privacy in the U.S. or abroad should carefully consider their disclosures, and, in particular, companies subject to Chinese law should remain keenly aware of the quickly changing regulatory and legal landscape related to cybersecurity in China.
 Cedric Nabe, Impact of COVID-19 on Cybersecurity, Deloitte (Dec. 7, 2020), https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html (last visited Aug. 16, 2021); Zinnia Lee, China's Cybersecurity Regulator Targets More U.S.-Listed Tech Companies After Didi Investigation, Forbes (Jul. 5, 2021), https://www.forbes.com/sites/zinnialee/2021/07/05/chinas-cybersecurity-regulator-targets-more-us-listed-tech-companies-after-didi-investigation/?sh=2b0d6c3721a8; Press Release, Securities & Exchange Commission, SEC Announces Annual Regulatory Agenda (June 11, 2021), https://www.sec.gov/news/press-release/2021-99.
 Each of these illustrative cases alleges violations of Section 10(b) of the Exchange Act, and Rule 10b-5 promulgated thereunder, and Section 20(a) of the Exchange Act, which prohibit misstatements or omissions in connection with the purchase or sale of securities and require a plaintiff to plead scienter, i.e., an intent to defraud.
 Amended Compl., In re K12 Inc. Sec. Litig., No. 1:20-cv-01419-LO-TCB (E.D. Va. Apr. 5, 2021), ECF No. 31.
 Memorandum in Support of Defendants' Motion to Dismiss, In re K12 Inc. Sec. Litig., No. 1:20-cv-01419-LO-TCB (E.D. Va. May 20, 2021), ECF No. 35.
 Additionally, on December 23, 2020, a shareholder plaintiff filed an amended complaint against Zoom Video Communications Inc., a platform which has grown markedly since the beginning of the COVID-19 pandemic. The plaintiff alleges in part that Zoom failed to disclose that it did not provide end-to-end encryption and a "flaw allowing hackers to take over Zoom webcams." Amended Compl., In re Zoom Sec. Litig., No. 3:20-cv-02353-JD (N.D. Cal. Dec. 23, 2020), ECF No. 63. The Zoom defendants moved to dismiss, arguing in part that, because there is no "exclusive definition" of "end-to-end encryption," the plaintiff failed to allege that Zoom made a false statement and that the company had no duty to disclose the other purportedly omitted information. Motion to Dismiss, In re Zoom Sec. Litig., No. 3:20-cv-02353-JD (N.D. Cal. May 20, 2021), ECF No. 78.
 Compl., Balderas v. 360 DigiTech, Inc., No. 1:21-cv-06013 (S.D.N.Y. July 13, 2021), ECF No. 1.
 Compl., Mölder v. Ubiquiti, Inc., No. 1:21-cv-04520 (S.D.N.Y. May 19, 2021), ECF No. 1.
 Securities Class Action Filings 2021 Midyear Report, Cornerstone Research (July 15, 2021), https://www.cornerstone.com/Publications/Reports/Securities-Class-Action-Filings-2021-Midyear-Assessment.pdf; Securities Class Action Filings 2020 Year in Review, Cornerstone Research (Apr. 3, 2020), https://www.cornerstone.com/Publications/Reports/Securities-Class-Action-Filings-2020-Year-in-Review.
 Cornerstone 2021 Midyear Report.
 John Cheffers, Cybersecurity Incident and Litigation Review 2021, D&O Diary (Aug. 10, 2021), https://www.dandodiary.com/2021/08/articles/cyber-liability/guest-post-cybersecurity-incident-and-litigation-review-2021/.
 The company sector information is from the Stanford Law School Securities Class Action Clearinghouse website. See https://securities.stanford.edu/index.html.
 Sachin Nagarajan, These Sectors Performed Best and Worst in the Pandemic, Morningstar (Feb. 26, 2021), https://www.morningstar.com/articles/1026616/these-sectors-performed-best-and-worst-in-the-pandemic.
 The cyber-threat landscape: The digital rush left many exposed, PricewaterhouseCoopers (last visited Aug. 16, 2021), https://www.pwc.com/us/en/services/consulting/cybersecurity-privacy-forensics/library/2021-digital-trust-insights/cyber-threat-landscape.html; Rob Sobers, 134 Cybersecurity Statistics and Trends for 2021, (Mar. 16, 2021), https://www.varonis.com/blog/cybersecurity-statistics/.
 Cybersecurity breaches and their impact on corporate stock prices, Capitol Tech. Univ. (May 18, 2020), https://www.captechu.edu/blog/cybersecurity-breaches-and-their-impact-on-stock-prices.
 Notably, in June 2021 – approximately six months after SolarWinds announced a third-party cyberattack that reportedly resulted in malicious software being installed on certain of its customers' own systems – the SEC issued letters to numerous potentially impacted SolarWinds customers requesting information about their disclosures related to the attack and the remedial steps they took in response. See Frequently Asked Questions, Securities & Exchange Commission, In the Matter of Certain Cybersecurity-Related Events (HO-14225) (June 25, 2021), https://www.sec.gov/enforce/certain-cybersecurity-related-events-faqs.