A California federal court has dismissed a putative securities fraud class action alleging that a large title insurer that disclosed a data security incident in May 2019 made false and misleading statements related to its data security practices and the incident. The dismissal follows the June 2021 settlement of a related Securities & Exchange Commission enforcement action. An enforcement action brought by the New York Department of Financial Services, the first set of charges brought under that office’s cybersecurity regulations, remains pending.
In its September 22, 2021 opinion, the Court held the plaintiff failed to allege that any of the three categories of challenged statements—(1) statements about the company’s risk factor disclosures related to data security, (2) statements about the company’s information security program and commitment to protecting data, and (3) statements about a data security incident—was false or misleading, as required to state a claim for federal securities fraud.
Risk Factor Disclosures Related to Data Security. First, the plaintiff challenged certain risk factor disclosures on the company’s website and in its FY 2018 10-K, including that the company may be required to notify certain customers or could lose customers in the event of a “data breach or systems failure.” The Court held that the disclosures were not false and misleading because the plaintiff did not adequately allege that the company knew about the data security incident when it made the disclosures. The Court concluded that, if the company did not know about the data security incident at the time it made the disclosures, the disclosures were merely generalized warnings about potential future risks and, in any case, were not specific enough to misrepresent the company’s “current state of affairs.”
Finally, the Court found that allegations that the Board had general conversations about data security did not establish that the Board knew about existing security vulnerabilities when the company filed its 10-K.
Statements About the Company’s Information Security Program and Commitment to Protecting Data. Second, the plaintiff challenged several statements on the company’s website describing its commitment to data security, including that the company was “committed to safeguarding customer information,” “serious” about the protection of customer data, and “agree[d] that [customers] have a right to know how [the company] will utilize the personal information [customers] provide to [the company].” The Court held that these statements were either true or inactionable corporate puffery (i.e., positive statements that are too general to cause an investor to rely on them). For instance, the Court held that statements about the company’s “commitment” to safeguarding customer information were not false because the word “commitment” is not a “word of certainty.”
Statements About the Information Security Incident. Finally, the plaintiff challenged certain of the company’s statements about the data security incident at issue. For instance, the plaintiff alleged that the company’s statement that it was “working diligently” to address the data security incident was misleading because, according to plaintiff, the company had misclassified non-public information in an internal database in the years leading up to the data breach. The court found that the challenged statement was not false because the alleged misclassification had no bearing on the company’s conduct following the data security incident.
* * * * *
While few securities class action lawsuits related to data security incidents have survived the motion to dismiss stage, that has not stopped plaintiffs from continuing to file such suits. It remains to be seen whether recent dismissals will stem that tide. In any case, given the ever-changing cybersecurity landscape and the difficulty of predicting whether a data security incident may occur, public companies should carefully and regularly consider their data security related disclosures before and in the wake of a data security incident.