In early July, investigations by a Chinese cybersecurity regulatory agency, the Cyberspace Administration of China (“CAC”), into at least three China-based technology companies—DiDi Global Inc. (“DiDi”), Full Truck Alliance Co. Ltd. (“FTA”), and Kanzhun Limited (“Kanzhun”)—were purportedly revealed weeks after each conducted a substantial initial public offering (“IPO”) on a United States stock exchange. These purported disclosures follow, and appear to align with, China’s recent promulgation of significant data privacy rules and increased interest in data sovereignty and reigning in the power of homegrown technology companies.
In the weeks following the alleged announcements of the CAC investigations, shareholder plaintiffs filed securities class action lawsuits against DiDi, FTA, and Kanzhun alleging violations of the federal securities laws. In this wave of cases, shareholder plaintiffs have focused on each company’s alleged failure to disclose that they were subject to a cybersecurity review by the CAC and that, as a result of that review, the company could be forced to limit their business, either by removing their app from app stores or suspending new user registrations on their platform. As these cases demonstrate, shareholder plaintiffs will likely continue to focus on company’s cyber and data privacy-related public disclosures, particularly in the context of a quickly evolving regulatory landscape in China.
DiDi Global. The first securities class action related to a newly-public Chinese company’s disclosure of a CAC cybersecurity review was filed on July 6, 2021 against DiDi, a Chinese ride-hailing company, and certain of its officers, directors, and IPO underwriters, in the Southern District of New York. The complaint was filed one week after DiDi’s closely-followed June 30, 2021 IPO that raised $4.4 billion. Plaintiff alleges claims under Sections 11 and 15 of the Securities Act, which prohibit misstatements or omissions in a company’s registration statement and do not require a plaintiff to plead intent or knowledge of wrongdoing (or “scienter”). Plaintiff also alleges claims under Section 10(b) of the Securities Exchange Act (“Exchange Act”) and Rule 10b-5 promulgated thereunder, and Section 20(a) of the Exchange Act, which prohibit misstatements or omissions in connection with the purchase or sale of securities and require a plaintiff to plead scienter.
Plaintiff alleges that DiDi’s registration statement and prospectus failed to disclose that its apps did not comply with applicable Chinese privacy laws and regulations, which rendered the company “likely to incur scrutiny from” the CAC and reasonably likely to be forced to remove its apps from app stores in China. Plaintiff further alleges that DiDi failed to disclose that the CAC had “warned DiDi to delay its IPO to conduct a self-examination of its network security.” The complaint concludes that, as a result of this purported scrutiny, DiDi’s positive statements about its business prospects were misleading.
Plaintiff further alleges that the truth began to emerge on July 2, two days after the IPO, when the CAC purportedly announced that it had launched an investigation into DiDi “to protect national security and the public.” The CAC also allegedly asked DiDi to halt “new user registrations” to its app “during the course of the investigation.” Two days later, on July 4, DiDi allegedly further disclosed that the CAC ordered it to stop offering one of its apps because the app “collect[ed] personal information in violation of relevant PRC laws and regulations.” The following day, the Wall Street Journal reported that the CAC asked DiDi as early as three months before its IPO to postpone its IPO due to “national security concerns” and to “conduct a thorough self-examination of its network security.” DiDi’s share price allegedly declined on each of these disclosures to close, at the time the complaint was filed, 14% below its IPO price.
Full Truck Alliance. Less than a week later, a similar suit was filed against FTA, an online road logistics platform that has been called an “Uber-like trucking startup,” and certain of its officers, directors, IPO underwriters, and its authorized US representative in the Eastern District of New York. The complaint, which was filed approximately three weeks after FTA’s approximately $1.6 billion IPO, alleges claims solely under Sections 11, 12(a)(2), and 15 of the Securities Act.
The FTA complaint in many ways parallels the complaint filed against DiDi. Plaintiff alleges that FTA was the subject of a cybersecurity review by the CAC that threatened FTA’s ability to operate and “would require FTA to suspend new user registration.” Plaintiff further alleges that FTA failed to disclose that it needed to conduct a “comprehensive self-examination of any cybersecurity risks” and to “continue to improve its cybersecurity systems” and technology, which rendered its registration statement materially misleading.
Per the plaintiff, the truth was soon revealed when on July 5, FTA allegedly issued a press release confirming that it was subject to CAC review and that the CAC had ordered FTA to suspend all new user registrations pending its investigation. FTA purportedly further disclosed that it was conducting a “comprehensive self-examination” of potential cybersecurity risks and would “continue to improve its cybersecurity systems” and technology. FTA’s share price reportedly declined 6% on this news.
Kanzhun Limited. That same day, Kanzhun, the operator of Chinese online recruitment platform BOSS Zhipin, became the third target of a securities class action complaint alleging a failure to disclose a cybersecurity review by the CAC. The complaint was filed in the District of New Jersey approximately one month after Kanzhun’s nearly $1 billion IPO and alleges claims under the Section 10(b) of the Exchange Act and Rule 10b-5 promulgated thereunder, and Section 20(a) of the Exchange Act.
Like the DiDi and FTA complaints, plaintiff alleges that Kanzhun failed to disclose that it would be subject to an “imminent” cybersecurity review by the CAC and that, in connection with the review, the CAC would require Kanzhun to cease new user registration on its BOSS Zhipin app. Plaintiff further alleges that Kanzhun failed to disclose that it needed to “conduct a comprehensive examination of cybersecurity risks” and enhance its cybersecurity technologies. Plaintiff alleges that these purported failures rendered Kanzhun’s positive statements about its business prospects false and misleading.
Per the complaint, the truth was revealed on July 5 when Kanzhun issued a press release disclosing that it was subject to a cybersecurity review by the CAC, that Kanzhun was required to suspend new user registration on its BOSS Zhipin app during the review, and that Kanzhun planned to conduct a “comprehensive examination of cybersecurity risks” and to continue to enhance its cybersecurity technologies. Kanzhun’s stock reportedly fell 15% on that news.
* * * * *
While these cases are in their early stages, they provide the first examples of securities class actions related to the Chinese government’s increased focus on cybersecurity and data privacy. It remains to be seen whether China’s increased interest in data sovereignty and cybersecurity regulation, including the use of CAC investigations and the timing of their announcements, will result in a decline in the number of China-based companies seeking to conduct IPOs on U.S. stock exchanges. In the meantime, companies that are subject to Chinese regulatory scrutiny should carefully consider their disclosures related to cybersecurity and data privacy and should remain keenly aware of the fast-changing regulatory and legal landscape in China.