Attorney: Hui Chang
Pomerantz Monitor May/June 2018
Pomerantz is co-lead counsel in a securities fraud class action suit brought by investors in the Northern District of California on behalf of shareholders of Yahoo! Inc. (“Yahoo”). The case arises from the two biggest data breaches in U.S. history, in which Russian hackers stole the records of all of Yahoo’s three billion users in 2013 and compromised the accounts of 500 million users in 2014. In early March 2018, Yahoo agreed to pay $80 million to settle the action filed by the plaintiff shareholders in the action. Plaintiffs alleged that Yahoo and some its officers failed to disclose that these breaches had occurred and also failed to disclose two additional massive data breaches in 2015 and 2016, which affected approximately 32 million Yahoo users and caused financial harm to its investors. The suit further alleged that defendants knowingly concealed its deficient security practices and the 2014 data breach from the market. Plaintiff shareholders alleged that the company’s share price fell over 31 percent during the class period in reaction to its data-breach disclosures. These data breach disclosures also had a substantial and quantifiable financial impact on Yahoo when Verizon Communications, Inc. reduced its bid to acquire Yahoo by $350 million, to $4.4 billion.
The proposed Yahoo settlement, which is still subject to final court approval, will be the first substantial shareholder recovery in a securities fraud class action related to a cybersecurity breach. Historically, data-breach disclosures by publicly traded companies have not been generally followed by significant stock price declines, making it hard to show that investors suffered material harm. With stock prices largely unaffected, cyber-related disclosures have instead mainly driven shareholder derivative orconsumer protection actions. For years, data breach classactions have been typically dismissed early on by courts, and were generally unsuccessful.
Recently, however, investors are far more focused on cybersecurity issues and more highly-publicized data breaches have been accompanied by stock price declines. While in the past, investors seemed to be indifferent to news of data breaches, investors now appear more aware of the increased risks of security breaches. This past year alone saw the filing of a handful of securities fraud class actions related to cybersecurity breaches, with the publicly traded companies Equifax Inc., PayPal Holdings, Inc. and Intel Corporation among those sued following cybersecurity breach announcements.
The Yahoo action is significant for another reason as well: on April 24, 2018, the U.S. Securities and Exchange Commission (“SEC”) imposed a $35 million fine on Yahoo in connection with the 2014 data breach, marking the first time a publicly traded company has been fined for a cybersecurity hack. The SEC recounted in its order that Yahoo found out in December 2014 about Russian hackers breaching the company’s systems to obtain user-names, phone numbers, encrypted passwords and other sensitive information, yet did not disclose the hack until 2016, when it was closing a deal with Verizon. While the SEC acknowledges that large companies are at risk of persistent cyber-related breaches by hackers, it did not excuse companies from reasonably dealing with these risks and of responding to known cyber-breaches. The SEC said that Yahoo continued to mislead investors with generic public disclosures about the risks of cyber-related breaches when it knew a significant breach had occurred.
The SEC has also recently toughened its reporting guidelines by updating its guidance on cybersecuritydisclosures. The guidance stresses the importance ofcybersecurity policies and procedures and advisescompanies that they need “disclosure controls andprocedures that provide an appropriate method ofdiscerning the impact that such matters may have on the company and its business, financial condition andresults of operations.” It also calls for public companies to be more open when disclosing cybersecurity risks, with companies expected “to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal or reputational consequence.”
This milestone settlement in Yahoo, in combination with updated SEC guidelines, may provide the foundation that allows plaintiff shareholders to bring securities fraud actions to pursue these claims with greater success.As exemplified by the Yahoo action, Pomerantz has been at the forefront of cyber-related securities fraud actions.