Last fall, I wrote about board oversight of cybersecurity and derivative litigation in the wake of cybersecurity breaches. I plan to update my thoughts later this year, after we see developments in the recently filed Target and Wyndham derivative actions, and learn the results of the 2014 installment of Carnegie Mellon’s bi-annual CyLab Governance of Enterprise Security Survey, which explores oversight of cybersecurity by boards of directors and senior management.
In this post, I’d like to focus on cybersecurity disclosure and the inevitable advent of securities class actions following cybersecurity breaches. In all but one instance (Heartland Payment Systems), cybersecurity breaches, even the largest, have not caused a stock drop big enough to trigger a securities class action. But there appears to be a growing consensus that stock drops are inevitable when the market better understands cybersecurity threats, the cost of breaches, and the impact of threats and breaches on companies’ business models. When the market is better able to analyze these matters, there will be stock drops. When there are stock drops, the plaintiffs’ bar will be there.
And when plaintiffs’ lawyers arrive, what will they find? They will find companies grappling with cybersecurity disclosure. Understandably, most of the discussion about cybersecurity disclosure focuses on the SEC’s October 13, 2011 “CF Disclosure Guidance: Topic No. 2” (“Guidance”) and the notorious failure of companies to disclose much about cybersecurity, which has resulted in a call for further SEC action by Senator Rockefeller and follow-up by the SEC, including an SEC Cybersecurity Roundtable on March 24, 2014. But, as the SEC noted in the Guidance, and Chair White reiterated in October 2013, the Guidance does not define companies’ disclosure obligations. Instead, disclosure is governed by the general duty not to mislead, along with more specific disclosure obligations that apply to specific types of required disclosures.
Indeed, plaintiffs’ lawyers will not even need to mention the Guidance to challenge statements allegedly made false or misleading by cybersecurity problems. Various types of statements – from statements about the company’s business operations (which could be imperiled by inadequate cybersecurity), to statements about the company’s financial metrics (which could be rendered false or misleading by lower revenues and higher costs associated with cybersecurity problems), to statements about internal controls and the related CEO and CFO certifications, to risk factors themselves (which could warn against risks that have already materialized) – could be subject to challenge in the wake of a cybersecurity breach.
Plaintiffs will allege that the challenged statements were misleading because they omitted facts about cybersecurity (whether or not subject to disclosure under the Guidance). In some cases, this allegation will require little more than coupling a statement with the omitted facts. In cybersecurity cases, plaintiffs will have greater ability to learn the omitted facts than in other cases, as a result of breach notification requirements, privacy litigation, and government scrutiny, to name a few avenues. The law, of course, requires more than simply coupling the statement and omitted facts; plaintiffs must explain in detail why the challenged statement was misleading, not just incomplete, and companies can defend the statement in the context of all of their disclosures. But in cybersecurity cases, plaintiffs will have more to work with than in many other types of cases.
Pleading scienter likely will be easier for plaintiffs as well. With increased emphasis on cybersecurity oversight at the senior officer (and board) level, a CEO or CFO will have difficulty (factually and in terms of good governance) suggesting that she or he didn’t know, at some level, about the omitted facts that made the challenged statements misleading. That doesn’t mean that companies won’t be able to contest scienter. Knowledge of omitted facts isn’t the test for scienter; the test is intent to mislead purchasers of securities. However, this important distinction is often overlooked in practice. Companies will also be able to argue that they didn’t disclose certain cybersecurity matters because, as the Guidance contemplates, some cybersecurity disclosures can compromise cybersecurity. This is a proper argument for a motion to dismiss, as an innocent inference under Tellabs, but it may feel too “factual” for some judges to credit at the motion to dismiss stage.
As this analytic overview shows, cybersecurity securities class actions, on the whole, likely will be virulent. Companies, of course, are talking about cybersecurity risks in their boardrooms – and they should also think about how to discuss those risks with their investors. The best way for companies to lower their risk profile is to start to address this issue now, by thinking about cybersecurity in connection with all of their key disclosures, and enhancing their disclosures as appropriate.
Perfection and prescience are not required. Effort matters most. Companies that don’t even try will stand out. As I’ve written in the context of the Reform Act’s Safe Harbor for forward-looking statements, judges are skeptical of companies whose risk factors remain static over time, and look favorably on companies who appear to try to draft meaningful risk factors. I thus construct a defense of forward-looking statements by emphasizing, to the extent I can, ways in which the company’s risk disclosures evolved, and were tailored and focused. I predict that the same approach will prove effective in cybersecurity cases.