In an article published by Corporate Board Member, Bass, Berry & Sims attorneys Joe Crace and Margaret Dodson outlined high-profile data breach cases and the major legal implications they presented for directors and officers of the affected corporations. In the specific data breach cases of Yahoo! and Equifax, shareholders claimed that the respective companies’ officers and directors violated federal securities laws by failing to disclose known cybersecurity threats and data breaches to the public in a timely manner.
In March 2018, Yahoo! settled a federal securities action filed in connection with immense data breaches that affected billions of Yahoo! users in 2013 and 2014 but were not disclosed until late 2016. In this lawsuit, Yahoo! shareholders sought to impose direct liability on the company’s directors and officers by “challenging the adequacy of the company’s public disclosures regarding its exposure to cybersecurity risk and the potential impact of the data breaches on the company’s business practices.” The Yahoo! settlement, which is the first settlement arising from alleged federal securities violations as a result of data breach-related disclosures, is also noteworthy because it may encourage other shareholders to pursue direct securities claims against directors and officers of companies that experience data breaches.
In the case of Equifax, the company announced in September 2017 that hackers accessed its system between mid-May and July 2017 and obtained highly personal information of about 145 million Americans. “Like the Yahoo! breaches, the Equifax data breach involved unique factual circumstances that have led observers to speculate as to whether claims against Equifax’s directors and officers will be the first D&O data breach claims to move past the motion to dismiss stage,” noted Joe and Margaret. For example, Equifax’s stock price fell sharply following the announcement of the breach. In addition, Equifax publicly stated it knew of the cybersecurity vulnerability that led to the breach as early as March 2017, and knew of the actual hack in late July 2017, but waited 41 days after discovering the breach to disclose it to the public – which could subject the company to liability. Also, three Equifax executives sold company shares worth millions in early August, right after the company learned about the breach but before it was publicly announced. The company’s CIO has since been indicted on related insider trading charges.
The full article, “Is Data Breach Liability Inching Toward the Board Room?,” was published by Corporate Board Member on June 11, 2018, and is available online. This article was the first in a two-part series; the follow-up article, “Familiarize Yourself with SEC Guidance on Data Breach Disclosures,” was published on June 20 and is also available online.