
Alston & Bird Privacy, Cyber & Data Strategy Blog


California Federal Court Dismisses Data Security-Related Securities Fraud Class Action

October 1, 2021 By Sierra Shear, Cara Peterman and Madeleine Juszynski

A California federal court has dismissed a putative securities fraud class action alleging that a large title insurer that disclosed a data security incident in May 2019 made false and misleading statements related to its data security practices and the incident.  The dismissal follows the June 2021 settlement of a related Securities & Exchange Commission enforcement action.  An enforcement action brought by the New York Department of Financial Services, the first set of charges brought under that office’s cybersecurity regulations, remains pending.

In its September 22, 2021 opinion, the Court held the plaintiff failed to allege that any of the three categories of challenged statements—(1) statements about the company’s risk factor disclosures related to data security, (2) statements about the company’s information security program and commitment to protecting data, and (3) statements about a data security incident—was false or misleading, as required to state a claim for federal securities fraud.

Risk Factor Disclosures Related to Data Security. First, the plaintiff challenged certain risk factor disclosures on the company’s website and in its FY 2018 10-K, including that the company may be required to notify certain customers or could lose customers in the event of a “data breach[] or systems failure[].” The Court held that the disclosures were not false and misleading because the plaintiff did not adequately allege that the company knew about the data security incident when it made the disclosures.  The Court concluded that, if the company did not know about the data security incident at the time it made the disclosures, the disclosures were merely generalized warnings about potential future risks and, in any case, were not specific enough to misrepresent the company’s “current state of affairs.”

Finally, the Court found that allegations that the Board had general conversations about data security did not establish that the Board knew about existing security vulnerabilities when the company filed its 10-K.

Statements About the Company’s Information Security Program and Commitment to Protecting Data.  Second, the plaintiff challenged several statements on the company’s website describing its commitment to data security, including that the company was “committed to safeguarding customer information,” “serious” about the protection of customer data, and “agree[d] that [customers] have a right to know how [the company] will utilize the personal information [customers] provide to [the company].”  The Court held that these statements were either true or inactionable corporate puffery (i.e., positive statements that are too general to cause an investor to rely on them).  For instance, the Court held that statements about the company’s “commitment” to safeguarding customer information were not false because the word “commitment” is not a “word of certainty.”

Statements About the Information Security Incident.  Finally, the plaintiff challenged certain of the company’s statements about the data security incident at issue. For instance, the plaintiff alleged that the company’s statement that it was “working diligently” to address the data security incident was misleading because, according to the plaintiff, the company had misclassified non-public information in an internal database in the years leading up to the data breach.  The Court found that the challenged statement was not false because the alleged misclassification had no bearing on the company’s conduct following the data security incident.

*          *          *          *          *

While few securities class action lawsuits related to data security incidents have survived the motion to dismiss stage, that has not stopped plaintiffs from continuing to file such suits. It remains to be seen whether recent dismissals will stem that tide. In any case, given the ever-changing cybersecurity landscape and the difficulty of predicting whether a data security incident may occur, public companies should carefully and regularly consider their data security-related disclosures before and in the wake of a data security incident.

Filed Under: California, Cyber Risk, Cybersecurity, Data Breach, Data Breach Litigation, NYDFS, Privacy Litigation, Security Breach

About Sierra Shear

Sierra Shear is a senior associate with Alston & Bird’s Securities Litigation Group and focuses her practice on securities litigation and enforcement matters, representing public companies, financial institutions, and their officers and directors in complex individual and class action cases.


About Cara Peterman

Cara Peterman is a partner with Alston & Bird’s Securities Litigation Group. Her practice focuses on fiduciary duty and shareholder derivative suits, securities fraud, and other complex commercial litigation.


About Madeleine Juszynski

Madeleine Juszynski is an associate with Alston & Bird’s Securities Litigation Group. Madeleine focuses her practice on internal investigations and complex securities litigation.

