Data breaches and cybersecurity failures are appropriately a significant concern to American consumers and companies. Large data breaches, like the Equifax data breach in 2017 that affected approximately 143 million Americans, cause everyday consumers to be concerned about their personal information being used to commit identity theft or fraud. This threat extends to organizations and can cause enormous damage to a company’s shareholders: News of the Equifax data breach erased $6 billion in market capitalization.
The ever-changing cybersecurity landscape is challenging to navigate for all companies trying to protect consumer and proprietary data. Although cybersecurity data breaches are now considered inevitable, the court system is being presented with a plethora of new cases related to company data breaches. And how those courts analyze whether a company’s officers and directors can be held liable should be common knowledge among company executives.
The courts now consider if a company’s officers and directors could be held liable for failing to act in good faith to adequately protect the company’s stored data. When a company has a significant data breach, it should at this point expect to be sued in a class action lawsuit. Although many of these cases are dismissed due to the burden on consumers to show that they were considerably affected by a specific data breach, some public companies are seeing an increase in class action lawsuits by their own investors for securities fraud following a data breach. In recent years, investors have filed lawsuits after data breaches announced by Yahoo, Target, Home Depot, Wyndham, Wendy’s, and other large corporations.
With this increase in investor class actions, corporate boards are increasingly recognizing that they need to devote real resources to cybersecurity efforts, and those resources must be backed by a good faith effort to protect company data. A common thread to many of these investor class actions is the allegation that the company’s SEC disclosures and statements misleadingly indicated that the company had enacted effective data-security measures or had improved its cybersecurity efforts to protect data collected by the company. Investors in these types of suits are typically those who had invested shortly before the data breach, and they argue that those misleading statements entitle them to damages, interest, fees, and costs via class action lawsuits.
The investigations that have followed company data breaches typically reveal the cause to be inadequate data security measures that put the company at higher risk of cybersecurity failure. Accordingly, public statements that downplay, or fail to acknowledge, an insecurity could be considered materially false and misleading. Of course, it is all about the facts, and these cases can become complicated quickly. Investors who maintain these types of suits without the involvement and strategizing of experienced business lawyers run a higher risk of the case being dismissed.
Difficulty in establishing a material misrepresentation or omission, coupled with scienter, is among the obstacles associated with pursuing a securities fraud claim related to a data breach. While the facts in these cases may appear strong on the surface (such as recorded public statements about strong security followed by a data breach and drop in stock price), when looked at under a microscope, it is not easy to establish the necessary elements to advance the claim beyond a motion to dismiss.
As more companies are implementing heightened cybersecurity efforts, they also need to be aware of the information they are releasing on their data security to the public. Companies must consider how public statements on websites, letters to investors, or in public filings can be used against them in the aftermath of a data breach.
Although data breaches have not led to as many securities fraud claims as was expected, in the wake of increasing data breaches each year, corporate directors and officers should continue to be vigilant in the role they play in overseeing their company’s data privacy and security. Many companies hold significant corporate assets in the form of data and proprietary technology, and threats to those assets through even the smallest data breach will continue to increase. The actions of directors and officers will continue to be scrutinized in relation to cybersecurity. Keeping the company assets safe will require adopting a robust cybersecurity program along with effective policies and procedures that are aimed at protecting company and consumer data.