A class action lawsuit filed against PayPal in connection with a breach it suffered in 2017 was dismissed recently because the plaintiffs did not adequately allege PayPal’s intent to deceive investors. The litigation began after PayPal acquired TIO Networks Corporation, a smaller payment processor and platform. Post-acquisition, PayPal announced that it had discovered “security vulnerabilities” in TIO’s operations and that it had therefore suspended those operations. At that point, TIO had not yet been integrated into PayPal’s platform. PayPal confirmed that it was investigating TIO’s security measures with the help of outside assistance, and that PayPal customers’ data remained secure. PayPal further confirmed that it was not aware of any breach of personal information maintained by TIO. The following month, however, PayPal announced that a breach of personal information had in fact occurred. Confidential information belonging to 1.6 million customers had been potentially compromised, causing PayPal’s stock price to drop by 5.75%.
Plaintiffs, who bought stock between the two announcements, filed a putative class action lawsuit in California, alleging that they had purchased PayPal stock at fraudulently inflated prices. Plaintiffs alleged that the prices had been inflated because PayPal did not disclose the security breach and its potential magnitude in its original announcement. The district court dismissed the case for failure to plead sufficient facts. Namely, the plaintiff stockholders had not shown a “cogent and compelling” inference that PayPal made material representations with intent or “deliberate recklessness.”
The stockholders appealed, but the Ninth Circuit affirmed the district court’s ruling in PayPal’s favor. The court did not believe that the original disclosure was misleading, noting that PayPal had disclosed what information it had at the time. In reaching its decision, the Ninth Circuit also pointed to the fact that none of the defendants had sold stock during the intervening period between the two announcements. This suggested that they had no material, non-public information that they were taking advantage of.
Putting it Into Practice: This decision is a reminder of the risks associated with public announcements relating to potential data security incidents, as well as the close scrutiny that individuals, regulators, and courts may subsequently apply to a company’s cybersecurity risk disclosures and the timing of stock sales. Companies should consult closely with counsel when making a public announcement regarding a potential or confirmed data security incident to ensure they are thinking through the potential regulatory and litigation risks, whether a trading blackout period is appropriate during the period of investigation, and whether existing cybersecurity risk disclosures in the company’s public filings should be amended.