For years, following the announcement of a corporate merger or acquisition, courts could expect to see shareholder class action suits that, in the main, were resolved by “disclosure-only” settlements. Plaintiff shareholders would allege that the officers of the merging entities failed to adequately disclose the material terms of the transaction, and failed to carry out their fiduciary duties of care and loyalty when they entered into the deal. The parties typically chose to settle these cases early on rather than litigate them. The resulting settlements generally required that defendants pay plaintiffs’ attorney fees and make additional disclosures, as opposed to changing the economic terms of the deal (hence the name, “disclosure-only” settlements).
As we have previously described, Delaware courts have come to disfavor disclosure-only settlements, expressing concerns that such settlements are significantly more beneficial to the plaintiffs’ attorneys than to the plaintiff class, and allow defendants to be released from a broad array of potential future claims at little cost. See Margaret A. Dale & Mark D. Harris, The Effect of ‘Trulia’ on Takeover Litigation, N.Y.L.J. (Oct. 25, 2016). In In re Trulia Shareholder Litigation, 129 A.3d 887, 891-92 (Del. Ch. 2016), the Delaware Chancery Court noted that “far too often,” disclosure-only settlements serve only to “generate fees for certain lawyers who are regular players in the enterprise of routinely filing hastily drafted complaints on behalf of stockholders on the heels of the public announcement of a deal and settling quickly on terms that yield no monetary compensation to the stockholders they represent.” After Trulia, Delaware courts have largely stopped approving disclosure-only settlements.
Because of the trend away from these types of settlements, plaintiffs’ attorneys seem to have embraced data-breach suits as the next frontier in shareholder class actions. Such cases are brought by investors against a company following a data breach, and generally feature a few types of allegations. Investors might allege that the company was aware that its security systems were faulty, so its public disclosures regarding those security systems were incorrect or misleading. Or investors might allege that the company’s officers and directors breached their fiduciary duty to ensure that the company had adequate and functional systems. They also might claim that the announcement of the data breach caused the company’s stock price to drop, and that the data breach (and resulting stock drop) occurred as a result of false or misleading disclosures or a breach of fiduciary duty.
Data-Breach Shareholder Class Actions Initiated in 2018
Increasingly, the announcement of a major data breach is followed closely by the institution of a securities class action on behalf of the shareholders. In 2018 alone, several prominent companies faced such suits. One was filed against the Marriot hotel chain, following a massive data breach that affected approximately 500 million guests—one of the five largest data breaches in history. See McGrath v. Marriot Int’l, No. 18-06845 (E.D.N.Y. filed Dec. 1, 2018). In McGrath, shareholders alleged that the statements Marriot made in its SEC filings regarding the importance of information-technology security were materially false and misleading. Another such suit was filed against Alphabet Inc., Google’s parent company, in connection with a breach that compromised the data of thousands of Google+ social network users. See Wicks v. Alphabet, No. 4:18-cv-06245 (N.D. Cal. filed Oct. 11, 2018). As in McGrath, the shareholders in Wicks alleged that Alphabet made false and misleading disclosures regarding its security measures. Shareholders also filed a separate derivative complaint against Alphabet executives, alleging that the executives knew of the breach for months prior to disclosing it. See Bao v. Page, No. 3:19-cv-00314 (N.D. Cal. filed Jan. 18, 2019).
A similar suit was filed against Chegg, an educational-services company, after an unauthorized entity accessed a company database hosting user data. See Shah v. Chegg, No. 18-05956 (N.D. Cal. filed Sept. 27, 2018). In addition to allegations regarding false or misleading disclosures, the shareholders claimed that Chegg’s stock price dropped as a result of the breach. Yet another suit was filed against Huazhu Group, a Chinese hotel group. See Hayes v. Huazhu Group Ltd., No. 2:18-cv-08633 (N.D. Cal. filed Oct. 8, 2018). As in Chegg, the shareholders alleged that Huazhu made false or misleading statements regarding its security systems, then suffered a data breach, which in turn caused the value of Huazhu’s stock to drop. The shareholders alleged that the company’s false and misleading disclosures about its security systems caused the plaintiff class to buy shares at an artificially inflated price.
Settlement: Data-Breach Plaintiffs’ Most Common Path to Success
While the cases listed above all remain pending, these types of suits rarely result in successful judgments for plaintiffs; courts tend to dismiss most at the motion to dismiss stage. Those that are not dismissed at this stage often settle.
Perhaps the most prominent data-breach class action settlement occurred in In re Yahoo! Sec. Litig., No. 17-00373 (N.D. Cal. filed Jan. 24, 2017). In re Yahoo was brought in connection with the largest data breach in history to date, affecting as many as 3 billion Yahoo user accounts. Investors alleged that Yahoo had known the accounts had been compromised as early as 2014, but still continued to file corporate notices that did not disclose it. Investors also alleged that in its corporate filings, Yahoo had falsely or misleadingly represented that it had industry-leading cybersecurity practices, despite knowing that its practices were inadequate. Additionally, investors put forth a stock-drop claim, alleging that the company’s stock price plummeted as a result of the public announcement of the breach.
The final settlement required Yahoo to pay $80 million, including $14.4 million in attorney fees. The settlement was proposed in March 2018 and approved in September. The approval came only four months after Yahoo agreed to pay $35 million to settle SEC claims in connection with a 2014 data breach affecting over 500 million user accounts. These terms were far from typical for a data-breach class action. The high settlement figure has been described as an outlier, attributable to the sheer magnitude of the data breach (which, in turn, may have caused a more significant stock drop than is seen following most data breaches).
Another settlement was recently reached in In re MobileIron Shareholder Litig., No. 2015-1-CV-284001 (Santa Clara Cty. Super. Ct. filed Aug. 5, 2015). MobileIron is an information-technology company that provides mobile security systems to corporate clients. In May 2014, a few weeks before MobileIron’s IPO, a hacker gained access to the MobileIron server. The hacker conducted a “full wipe” of the mobile devices belonging to one of MobileIron’s clients, Aviva. As a result, Aviva cancelled its contract with MobileIron and moved its employees onto a competing security system. MobileIron shareholders alleged that because MobileIron’s offering documents failed to disclose the breach, the likely impact of announcing the breach, and Aviva’s move, and because MobileIron represented that the platform it provided was secure, the documents were “materially inaccurate, misleading and/or incomplete.”
The shareholders further alleged that this caused MobileIron’s IPO offering price to be artificially inflated. About a year after its IPO, MobileIron’s stock prices fell from $9 to $2.39. MobileIron disputed the extent to which the stock drop was attributable to the data breach, and denied that any of the public statements alleged to be “misleading” were anything more than mere puffery.
The parties reached a settlement requiring MobileIron to pay $7.5 million with no admission of wrongdoing. The terms of the settlement required that 33 percent of the common fund (approximately $2.475 million) be used for attorney fees. Notably, in the order granting final approval of this settlement, Judge Kuhnle of Santa Clara County Superior Court stated that 33 percent is a “reasonable” allotment for attorney fees—significantly more than the 18 percent allotment obtained in Yahoo.
While the settlements reached in Yahoo and MobileIron each provided a sizable fund for affected shareholders, arrangements more closely resembling disclosure-only settlements have been attempted in the context of data-breach class actions, too. In In re Wendy’s Co. Shareholder Deriv. Action, No. 16-01153 (S.D. Ohio filed December 2016), the parties proposed a settlement that did not require payment to shareholders, after the fast-food giant suffered a point-of-sale data breach. The settlement would have required Wendy’s only to implement certain remedial and preventative cybersecurity measures, and to pay $950,000 in attorney fees. This past December, the court denied the plaintiffs’ motion for approval of the settlement, finding it premature. The court’s disapproval did not stem from the absence of a fund for shareholders, however, but from the fact that the plaintiffs had not yet designated which of two complaints was to be the operative one.
So-called “event-driven” securities class actions are on the rise, with data breaches representing one of the most significant categories of events driving this trend. How the courts will treat the proposed settlements that arise in these cases remains to be seen.
Margaret A. Dale and Mark D. Harris are partners at Proskauer Rose. Anisha D. Shenai-Khatkhate, an associate at the firm, assisted in the preparation of this article.