image description

Shareholders Sue Companies for Lying About Cyber Security

by Michael W. Stocker
Forbes |
We share our experience advising boards and shareholders regarding legal implications of data breaches.

Partner Michael W. Stocker was featured in a Q&A for Forbes to discuss investor concerns given the rise of cyber security risks in U.S. markets with Christopher P. Skroupa, CEO and Founder of Skytop Strategies and Forbes Columnist. The full Q&A can be viewed below:

Christopher P. Skroupa: What concerns should investors have about cyber security breaches?

Michael W. Stocker: There are two key ways that companies can take a hit as the result of a breach. The first is something that a lot of investors don’t even think about—and that’s the possibility that a breach can result in the loss of corporate intellectual property, and competitive advantages along with it. If your business depends on a proprietary software or a formula for a product that makes its way into the hands of a competitor, that theft may mean a huge threat to your bottom line.

Another key area to focus on is litigation exposure. While this area of law is still developing, breaches can give rise to consumer litigation, securities fraud litigation, even liability for corporate directors under Delaware law.

Skroupa: Why is it that there have been relatively few securities fraud cases brought relating to breaches?

Stocker: These cases depend on investors being able to demonstrate that they were hurt by a false statement by a company. So in theory at least, if a company is hit by a major breach and fails to disclose that, it could be subject to a fraud suit.

The problem for plaintiffs has been that at least so far, even large breaches have mostly not been accompanied by huge hits to share prices—undercutting the ability of investors to show harm. This is largely because the markets are still learning what breaches will really cost.

Skroupa: Is there any reason to think that litigation exposure will increase?

Stocker: Yes. The markets are becoming much more sophisticated in their understanding of the financial consequences of breaches that result in the loss of key intellectual property, and legal exposure is also expanding rapidly, especially on the consumer front. Some courts are starting to permit consumers to bring cases based on the fear of fraud that they suffer after their data is stolen—even without being able to show that anybody has actually tried to use their data. As we start to see share prices drop after news of previously undisclosed breaches emerges, I think we will be seeing more securities fraud suits as well.

Skroupa: Should executives and directors be worried about liability arising from breaches?

Stocker: Absolutely. Directors owe fiduciary duties to their shareholders and have an important role in overseeing corporate risk management, which is now understood to include cyber security risk.

There are two ways that breaches can give rise to suits in this context. The first involves a board making an affirmative decision regarding cyber security that permitted a breach—say, putting a woefully inadequate security system in place, or just delegating the whole issue to IT. A second factual scenario would involve the failure to take any precautions at all. Because it established that a board has a duty with respect to cybersecurity, doing nothing about risk would land you in trouble.

Skroupa: Are there any big cyber security cases currently on the horizon?

Stocker: Yes. A fascinating new twist is the dispute that has erupted in the context of Verizon’s pending $5 billion acquisition of Yahoo: Verizon is arguing that it has a reasonable basis to believe the massive data of Yahoo customers materially affects the value of Yahoo, and may give it a way out of the deal. This highlights the role that cybersecurity can play in destabilizing some mergers and acquisitions, and is something we can expect to see a lot more of.