In the past, companies that experienced cyber-attacks and data breaches were usually successful in defeating derivative actions and securities class action lawsuits, but this may no longer be the case. Recent events may leave shareholders’ firms more encouraged about their chances of a successful outcome.
Carlton Fields dug into two of these events in a recent post: the settlement in the Yahoo!, Inc. securities fraud class action and the Securities and Exchange Commission’s latest guidance on public company disclosures of cyber risk.
Earlier this month, Yahoo announced a proposed $80 million settlement in In re Yahoo Inc. Securities Litigation. The case arose from allegations that grossly outdated and substandard information security methods and technologies led to hackers stealing 3 billion user records in 2013 and compromising 500 million user accounts in 2014, causing investors great financial harm.
“[T]he settlement is a milestone because it is the first significant securities fraud settlement from a cybersecurity breach.”
Just prior to the announcement of this proposed settlement, the SEC released updated guidelines on cybersecurity disclosure, which urged public companies to be more candid with investors and provide more information about cybersecurity risks and incidents. Says Carlton Fields:
“The primary objective of the updated SEC guidance is for board directors and company executives to review their controls and procedures to ensure they properly discharge their cybersecurity disclosure responsibilities.”
The firm points out that the guidelines explicitly state that the board of directors is responsible for immediate, clear disclosure and for ensuring that appropriate disclosure controls and procedures are in place. Such disclosures cover both recent cyber-attacks and any potential weaknesses that could be targeted.
Carlton Fields says the guidance is also clear that companies have to be prepared for cybersecurity exams from the SEC, the Financial Industry Regulatory Authority (FINRA) or state regulators. The firm also advises companies on how to best prepare for such exams.
“Conducting comprehensive cybersecurity program assessments under privilege can help to both prepare organizations for these exams as well as mitigate risks of problematic findings and/or noncompliance.”
In conclusion, these two events are among several that point to a new trend in securities litigation, one in which plaintiff shareholders have more success.