In early September, Equifax disclosed a now well-known data breach that ultimately affected a reported 146 million customers in the United States. The breach allegedly occurred in May 2017, as a result of an online security flaw that was known to the company by March 2017 but that was not properly fixed. In late July, the company noticed suspicious traffic on its system. Ultimately, the breach was discovered, and the software flaw addressed, but not before the names, addresses, social security numbers and other personal information of millions of customers were stolen. The stock market’s reaction to the news of the Equifax data breach was immediate – the company’s share price plunged over 15% within days of the announcement.
That led to a group of Equifax shareholders promptly filing a class action against the company, its (now former) CEO and its CFO in a Georgia federal district court, alleging fraud under federal securities laws and seeking to recover damages. The complaint alleges, among other things, that “(1) the Company failed to maintain adequate measures to protect its data system; (2) the Company failed to maintain adequate monitoring systems to detect security breaches; (3) the Company failed to maintain proper security systems, controls and monitoring systems in place; and (4) as a result of the foregoing the Company’s financial statements were materially false and misleading at all relevant times.”
To date, shareholder lawsuits in the wake of data breaches, especially suits alleging securities fraud claims, have been relatively rare. And as we noted previously, derivative lawsuits filed to date have not fared well in court, with most having been dismissed in the initial stages.
The circumstances of the Equifax breach could make this case different. To begin with, one of the reasons shareholders have generally not filed securities class actions after a data breach is that the affected company did not experience a meaningful drop in share price, and so there were insufficient damages to pursue in litigation. Here, Equifax’s stock price dropped 15% the day after the breach was announced and dropped even further in the week after the announcement. The current stock price remains below the price prior to disclosure of the incident.
In addition, media reports indicate that three Equifax executives sold their company stock shortly after the company discovered the security breach but before the breach was disclosed to the public. The amount of stock sold was about $2 million. A special committee composed of independent board members has investigated the stock sales and recently issued a report stating that the executives were unaware of the breach at the time they sold their stock. Nevertheless, shareholder allegations to the contrary could be enough to take the case into the discovery phase.
Finally, the seriousness of the breach (nearly half of all Americans affected), combined with the fact that Equifax’s business is based on securing and protecting customer information, may lay the groundwork for a derivative lawsuit claiming breach of fiduciary duty against Equifax’s directors and officers that could survive the initial pleadings hurdles that stymied similar lawsuits brought against directors and officers of Target, Wyndham and Home Depot (no such lawsuit against Equifax directors and officers has been filed yet).
As of the date of this article, derivative lawsuits against directors and officers of Wendy’s and Yahoo!, seeking damages in connection with data breaches experienced by those companies, remain pending. Moreover, a derivative lawsuit against Home Depot that was initially dismissed on the pleadings recently settled for $1.125 million after the shareholders sought to appeal dismissal. Thus, it remains worthwhile to keep an eye on the progression of these lawsuits.