In the aftermath of Equifax’s data breach, a federal court recently found that allegations of poor cybersecurity coupled with misleading statements supported a proper cause of action. In its decision, the U.S. District Court for the Northern District of Georgia allowed a securities fraud class action case to continue against Equifax. The lawsuit claims the company issued false or misleading statements regarding the strength and quality of its cybersecurity measures. In their amended complaint, the plaintiffs cite Equifax’s claims of “strong data security and confidentiality standards” and “a highly sophisticated data information network that includes advanced security, protections and redundancies,” when, according to the plaintiffs’ allegations, Equifax’s cybersecurity practices “were grossly deficient and outdated” and “failed to implement even the most basic security measures.” The court found that data security is a core aspect of Equifax’s business and that investors are likely to review representations on data security when making their investment decisions.
Key factors the court weighed in allowing the case to continue were the company's public statements and the specific deficiencies the plaintiffs alleged:
- Statements on the company’s website and in SEC filings that it maintained “strong data security” and strong controls;
- An inadequate software patch management process;
- Failure to encrypt sensitive data;
- Inadequate authentication measures, such as weak passwords and lack of multi-factor authentication;
- Failure to implement measures to monitor its networks;
- Failure to segment its networks;
- Inadequate staff training;
- Failure to develop a data breach management plan; and
- Inadequate follow-up on outside security audits.
Putting it Into Practice: Investors are paying attention to what companies are doing and saying with regard to cybersecurity. Particularly when touting strong cybersecurity practices, companies should carefully craft messaging that accurately reflects their cybersecurity posture, and they should make sure that their actions match their words by maintaining vigilance on cybersecurity.