9th Circuit affirms dismissal of data breach class action against online payment firm
On December 17, the U.S. Court of Appeals for the Ninth Circuit affirmed dismissal of a class action suit brought against an online payments firm and associated entities and individuals (collectively, “defendants”) for allegedly misleading investors (plaintiffs) about a 2017 data breach. As previously covered by InfoBytes, the district court concluded that, while the plaintiffs plausibly alleged the defendants’ November 2017 announcement about the data breach was misleading because it only disclosed a security vulnerability and did not disclose a breach that “potentially compromised” 1.6 million customers until a month later in December, plaintiffs failed to show that the defendants knew the breach had affected 1.6 million customers when they made the initial statement. Moreover, the court concluded the plaintiffs failed to allege that plaintiffs’ cybersecurity expert was familiar with, or had knowledge of, the defendants’ specific security setup or that he actually talked to the defendants’ employees about the breach.
On appeal, the 9th Circuit agreed with the district court, noting that the complaint lacked any allegation that the defendants had a motive to mislead investors in November, but not in December, such as the selling of stock during the relevant period. Thus, the appellate court could not conclude that the plaintiffs showed that the November announcement “was intentionally misleading or so obviously misleading that he must have been aware of its potential to mislead.” Therefore, the appellate court affirmed dismissal for failure to state a claim.