(The opinions expressed here are those of the author, a columnist for Reuters.)
By Alison Frankel
NEW YORK, Sept 13 (Reuters) - Shareholders haven’t had much success in securities class actions blaming investor losses on corporate data breach disclosures.
There have been occasional settlements – the data broker ChoicePoint, for instance, agreed to pay $10 million to settle a shareholder data breach class action in 2008 – and there’s a potentially consequential shareholder case under way against Yahoo in federal court in San Jose.
But for the most part, as Kevin LaCroix explained Wednesday at the D&O Diary blog, shareholder lawyers haven’t even bothered bringing securities class actions against big corporations that left confidential data vulnerable to hackers because company shares didn’t drop after data breach disclosures. There’s no point suing unless you can show investors lost money.
Equifax is a different story.
The credit reporting company’s share price plummeted by as much as 18 percent after it disclosed a hack that compromised personal data on as many as 143 million people.
To be sure, Equifax has only about 120 million outstanding shares and a relatively small market capitalization of about $17 billion. So the company’s potential liability to investors in a securities class action is probably going to be dwarfed by the class action claims of consumers whose social security numbers and other confidential data was snatched by hackers. Nevertheless, securities class action firms told me Wednesday that Equifax appears to be that rare creature: a data breach defendant worth suing for securities fraud.
One plaintiffs’ firm, Levi & Korsinsky, has already filed a securities class action against the company in federal court in Atlanta.
Two other prominent shareholder firms – Robbins Geller Rudman & Dowd and Bernstein Litowitz Berger & Grossmann – told me they are investigating suits for their clients, who include institutional investors.
Many other plaintiffs’ lawyers, including the firms leading the Yahoo data breach securities litigation, issued shareholder alerts this week, advising Equifax investors to sign up for litigation.
“We are actively investigating the case,” said Samuel Rudman of Robbins Geller. “From what we know so far, it looks like a strong case, with suspicious insider trading that warrants discovery.”
Eduard Korsinsky, whose firm filed the Atlanta securities class action against Equifax, said in an email that this company isn’t like previous data breach defendants.
“This is a company that’s in the business of protecting people’s data and charging for it, so a breach here is not merely peripheral, as in virtually all of the other cases, but core to its business model,” Korsinsky said.
It’s all the more egregious, he said, for a credit monitoring company to sit on evidence of a hack and to allow corporate insiders to sell shares before disclosing the breach publicly.
“Whether or not Equifax should be held to a higher breach standard given their business is debatable, but one would be hard pressed to justify the executives’ conduct subsequent to the breach,” Korsinsky said.
Equifax did not respond to specific questions about investors’ allegations. Company representatives said in an email statement that Equifax cannot comment on litigation. “We are remaining focused on helping (consumers) to navigate this situation and providing the best customer support possible,” the statement said. Its statement did not address securities litigation and it did not respond to my followup email.
As Rudman and Korsinsky said, one crucial piece of the securities case against Equifax will almost certainly be trades by corporate insiders in the time period between Equifax’s discovery of a hack and the company’s public disclosure of the breach.
Investors have to show evidence of a company’s fraudulent intent in order to survive defense dismissal motions and obtain the right to depose insiders and see internal documents.
If shareholders can plausibly allege that Equifax insiders delayed disclosure of the data breach to dump shares, they will sail past any defense motion to toss their case before they’re entitled to discovery.
The magnitude of Equifax’s potential liability, though, will depend on how far back its alleged misstatements go.
The company has said it realized it had been hacked in July, several weeks before it disclosed the breach. Plaintiffs’ lawyers will try to establish that Equifax began deceiving investors long before it found out about the breach so they can include more shareholders in the class action. (Only investors who acquired shares during the class period can claim damages.)
The Levi & Korsinsky complaint alleges that Equifax’s fraud began in February 2016, when the company said in its annual report to the Securities and Exchange Commission that it was a global leader in data security and continually invested in cutting edge technology to protect consumer data.
“These material misstatements and/or omissions had the effect of creating in the market an unrealistically positive assessment of the company and its well-being and prospects, thus causing the company’s securities to be overvalued and artificially inflated,” the complaint asserted.
It’s tough for shareholders to convince judges of a company’s fraudulent intent from the sort of SEC disclosure statements cited in the Levi & Korsinsky complaint.
But if Equifax investors can get past early dismissal motions, they can obtain discovery that could help them flesh out allegations that the company knowingly misrepresented the security of its data. (Or could squelch those allegations. It’s important to remember that shareholder lawyers have no idea yet what Equifax’s internal documents will show.)
Like I said, the Equifax securities litigation won’t be as consequential as the consumer case. I doubt the competition among plaintiffs’ lawyers to lead the securities case will be as fierce as the inevitable battle to run the consumer class action. In the Yahoo data breach securities litigation, only two firms, Pomerantz and Glancy Prongay & Murray, asked to be named lead counsel. (They were appointed co-leads.)
But the drop in Equifax’s share price and the company’s delay in disclosing the hack set it apart from most previous data breach securities defendants. If investors are going to break the mold on shareholder data breach class actions, this case seems like their chance. (Reporting by Alison Frankel. Editing by Alessandra Rafferty.)