On December 13, 2018, the District Court for the Northern District of California dismissed a putative securities class action brought against PayPal Holdings, its subsidiary TIO Networks Corp., and several executives of both companies for a security breach that resulted in the potential compromise of personally identifiable information for 1.6 million customers.  In Sgarlata v. PayPal Holdings Inc., No. 17-cv-06956-EMC, 2018 WL 6592771 (N.D. Cal. Dec. 13, 2018) (“Sgarlata”), the court dismissed the complaint for failure to plead scienter because plaintiffs failed to adequately plead that defendants knew not only of an actual security breach, but also the magnitude of the breach and the type of data accessed.[1]

The suit stemmed from two November 10, 2017 press releases in which PayPal and TIO announced they had discovered “security vulnerabilities on the TIO platform” and were suspending TIO’s operations.[2]  On December 1, PayPal disclosed that there had in fact been a “potential compromise of personally identifiable information for approximately 1.6 million customers.”[3]  On December 6, a putative class of shareholders filed suit, alleging that defendants knew there had been a security breach when they issued the November press releases and that the reference to a “security vulnerability” was therefore a materially misleading omission.  To support their claim of scienter, plaintiffs relied on statements from three former TIO employees, who allegedly stated that at the time of the November press releases, PayPal and TIO knew customers’ confidential information had been accessed.

Although the court found that plaintiffs’ claim satisfied the pleading requirement for falsity, it held that plaintiffs failed to adequately plead scienter and ultimately dismissed the suit.  Regarding falsity, defendants argued that the press releases assured the public that only PayPal’s customer data remained secure and made no such assurance regarding TIO’s customer data, creating the “obvious implication” that TIO’s customer data did not remain secure.[4]  The court rejected this argument because it held that disclosing a “security vulnerability” affirmatively created the impression that only a potential vulnerability – not an actual breach – had been discovered.[5]

Nevertheless, the court held that plaintiffs failed to meet the heightened pleading standard for scienter.  Plaintiffs’ theory of loss causation was that investors had been damaged by defendants’ alleged omission that “concealed (a) the compromise of personally identifiable information for approximately 1.6 million customers; and (b) the failure of PayPal to protect users’ highly sensitive financial information.”[6]  As a result, the court held that plaintiffs were required to plead not only that defendants knew of an actual breach, but also that defendants knew the magnitude of the breach and that personally identifiable data was potentially accessed.  The alleged former employee statements failed to establish scienter because they showed, at best, that defendants may have known about the actual breach, but not that it resulted in access to the personal financial information of 1.6 million users.  Because plaintiffs failed to adequately plead scienter in support of their Rule 10b-5 claim, the court held they similarly failed to plead control liability against TIO’s former Chairman and CEO.[7]

Takeaways

“Stock drop” cases filed by investors on the heels of a disclosure of a cybersecurity incident have become a recent phenomenon.  The court’s decision in Sgarlata provides guidance as to how courts may examine claims that a company failed to meet its disclosure obligations in this context:

  • Falsity: Courts will closely review the details of public statements in determining whether they are false for purposes of Rule 10b-5. On the facts alleged in Sgarlata, the court found that the plaintiffs’ claim that defendants misleadingly disclosed only a “security vulnerability”—when defendants were allegedly aware of an actual data breach—was a sufficient allegation of falsity at the pleading stage.  The court’s ruling was based on law developed in other contexts holding that although an incomplete statement by itself is not misleading, an omission may be deemed misleading if it implies certain facts or “affirmatively create[s] an impression of a state of affairs that differs in a material way from the one that actually exists.”[8]  Companies will therefore be well-served to carefully consider, with the assistance of outside counsel as appropriate, whether any disclosures concerning the discovery of a cybersecurity incident and/or vulnerability could arguably create a misimpression about the nature or scope of the issue.
  • Scienter: At the same time, courts will require plaintiffs to plead scienter with particularity. In Sgarlata, the court held that although the plaintiffs alleged the defendants knew about the alleged data breach, they had not sufficiently alleged that defendants knew about the magnitude of the breach and the type of data accessed.  Companies therefore should keep in mind that courts will require plaintiffs to allege more than a false statement and knowledge of a data breach to adequately plead fraud under Rule 10b-5.  Plaintiffs must also have plausible grounds to claim that a defendant knew about the particular facts concerning a data breach that were falsely disclosed, or misleadingly omitted, and were the basis of the alleged damage to investors.

[1] Sgarlata v. PayPal Holdings Inc., No. 17-cv-06956-EMC, 2018 WL 6592771 (N.D. Cal. Dec. 13, 2018).

[2] First Am. Compl. ¶¶ 36-37, ECF 57.

[3] First Am. Compl. ¶ 39, ECF 57.

[4] Mot. to Dismiss 8, ECF 61.

[5] Sgarlata, 2018 WL 6592771, at *7.

[6] Id. (quoting Opp. Mot. to Dismiss 21, ECF 64).

[7] Id. at *8.

[8] Id. at *6 (quoting Brody v. Transitional Hosps. Corp., 280 F.3d 997, 1006 (9th Cir. 2002)).