Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

9th Circuit affirms dismissal of investors’ data breach disclosures suit

Courts Appellate Ninth Circuit Privacy/Cyber Risk & Data Security Data Breach Securities Fraud

Courts

On March 2, the U.S. Court of Appeals for the Ninth Circuit affirmed the dismissal of a class action suit for failure to state a claim, concluding that investors had failed to adequately allege that statements about the defendant company’s cybersecurity practices in the company’s 2018 Form 10-K amounted to securities fraud. The plaintiffs asserted that certain statements, including statements that the company maintained “a comprehensive security program,” “were misleading because they created the impression that [the company] implemented the data security best practices described in those statements no later than 2016, when in fact, the company did not implement those practices until later.” The plaintiffs argued that based on these statements, “a reasonable investor could have concluded that any data security improvements [the company] described would have been put in place in response to the two public hacks [the company] had experienced in the past, one in 2013 and one in 2016.” The 9th Circuit determined that the plaintiffs had failed to show that the company had misled investors into believing that it had made data security improvements specifically in response to the 2013 and 2016 data breaches and had “plead no facts supporting a reasonable inference that either of those hacks was a prominent enough milestone in company history that the average investor would be led to believe every data security improvement directly followed them.”

The plaintiffs further alleged that other statements in the 10-K were misleading because they “created the impression that it was unlikely [the company] had suffered an undetected data breach in the past, when in reality it was somewhat likely.” The appellate court rejected the plaintiffs’ argument and noted that “these statements would not give an ordinary investor reason to believe that [the company] was asserting that the risk that an undetected breach had occurred was particularly high or low, or that it had changed over time.” The 9th Circuit further agreed with the district court that the plaintiffs had failed to specifically allege that the company acted with the intent to deceive, manipulate, or defraud, or engage in “deliberate recklessness.”