California Federal Court: PayPal Data Breach Press Release Not Securities Fraud
As we have discussed on this blog, the federal Securities and Exchange Commission (“SEC”) has advised that data breaches and cybersecurity are issues that must be disclosed in required corporate filings. This is logical, of course, since data and network breaches have proven to be very costly for corporations that have experienced them. The Equifax data breach has cost the company over $430 million as of mid-2018 and experts expect the cost to eventually exceed $600 million. See report here.
In some positive news for companies that have suffered massive data breaches, a federal court up in San Francisco recently held that a press release disclosing a potential data “vulnerability” was not securities fraud without a showing of intent to defraud. See Sgarlata v. PayPal Holdings, Inc., Case No. 17-cv-06956-EMC (US N. D. Cal. December 13, 2018). Back in November 2017, PayPal announced in a press release that it was suspending services provided by its subsidiary, TIO Networks, because PayPal had discovered security vulnerabilities on the TIO platform. A couple of weeks later, on December 1, 2017, PayPal issued another press release disclosing that there had been a potential compromise of personally identifiable information for approximately 1.6 million customers. After the December 1 press release, PayPal’s stock price fell, closing down 5.75% on the next trading day.
Various investors immediately filed suit claiming that PayPal committed securities fraud under both federal and California securities laws. In particular, the investors claimed that the press releases were “materially misleading” and that PayPal had known about the data breaches earlier and had fraudulently omitted and/or failed to disclose the data breaches. The November press release was deemed particularly misleading because, according to the investors, PayPal had not merely discovered “vulnerabilities” but actual hacking into and theft of the data.
PayPal responded by filing a motion to dismiss, arguing that there was no evidence of falsity or that PayPal had any intent to defraud. As of the November 2016, the full extent of the data breach was not known. The court agreed with PayPal. To succeed on a securities fraud claim, the investors needed to allege and prove both falsity and what is called “scienter,” which is the intent to defraud. On the first issue, the court held that falsity could be predicated on the November press release if it was shown that PayPal knew of actual breaches but publicly disclosed only “vulnerabilities.” However, the intent to defraud was not properly alleged and put in the court’s record. The court held that the intent element required knowledge both of an actual breach and that the privacy of 1.6 million customers had been potentially compromised. The evidence and pleading did not show the latter part and, as such, the intent to defraud was not shown. The court has given the investors time to replead their case and, potentially, to add additional evidence and facts.
This seems like a welcome result since, as a matter of common sense, we want companies to be incentivized to disclose potential data breaches and not wait until every detail is known.
Contact San Diego Corporate Law Today
If you would like more information, contact attorney Michael Leonard, Esq., of San Diego Corporate Law. Mr. Leonard tracks and reports on new legal developments impacting San Diego businesses. Mr. Leonard provides a full array of legal services for businesses including contract review and drafting, mergers & acquisitions, corporate formations, and private placement memorandums. Mr. Leonard can be reached at (858) 483-9200 or via email.