
When Data Hacks Lead to D&O Lawsuits, Actual and Threatened

Many observers, including even this blog, have speculated whether the rising wave of data breaches and cyber security attacks will result in litigation against the directors and officers of the affected companies. Indeed, in 2014, there were two sets of lawsuits filed against the boards of companies that had experienced high-profile data breaches, Target Corp. (refer here) and Wyndham Worldwide (refer here). But the Wyndham lawsuit was dismissed in late 2014, and since that time there really have been no additional significant cyber security related D&O lawsuits filed, even though there have been a number of high profile data breaches in the interim (including, for example, Home Depot, Anthem and Sony Entertainment). However, as discussed below, there have been a couple of recent developments suggesting that the plaintiffs’ lawyers are working along the edges of this issue, and, at a minimum, looking for ways to develop D&O claims out of data breach incidents.

I should hasten to underscore at the outset of this blog post that many of the items referenced in this post were provided to me by Jim Blinn, of Advisen. Many thanks to Jim for providing the information, which made this blog post possible.

The first of the recent developments is a securities class action lawsuit filed on August 5, 2015 in the Santa Clara (California) Superior Court against MobileIron, Inc.; certain of its directors and officers; and its offering underwriters. This lawsuit is one of the several recent IPO-related securities lawsuits filed in state court pursuant to the concurrent jurisdiction provisions of Section 22 of the ’33 Act. (For a further discussion of these state court securities suits, refer here and here.) The lawsuit relates to a strange set of circumstances that the plaintiffs contend took place before the company’s June 12, 2014 IPO but that became public following the IPO and that allegedly affected the company’s business reputation and performance after the information became public.

MobileIron is an information technology company that provides a platform for companies to use secure mobile applications, content and devices while giving customers’ employees device choice and privacy. According to the plaintiff’s complaint (a copy of which can be found here), the day after MobileIron completed its IPO, press reports appeared stating that MobileIron’s customer, the UK-based insurance company Aviva, had had its employees’ mobile devices hacked.

A subsequent news article reported that the Aviva phone hack had taken place on May 20, 2014, weeks before MobileIron’s IPO. According to these later reports, the Complaint alleges, a hacker had compromised the MobileIron administrative server and was able to perform a “full wipe” of the mobile devices used by Aviva personnel. The article quoted an Aviva employee as saying that Aviva had moved its “impacted personnel” onto a new service offered by MobileIron competitor Blackberry and entered discussions with MobileIron’s reseller Esselar to cancel its contract.

The complaint alleges that even though this hack incident occurred weeks before MobileIron’s IPO, the company’s offering documents “failed to disclose the breach,” Aviva’s move to Blackberry’s services, and “the likely impact that the publication of the breach would have on MobileIron’s ability to secure contracts with large customers.” The complaint alleges that the offering documents were therefore “materially inaccurate, misleading and/or incomplete,” and that the company’s IPO offering price was consequently materially inflated at the time of the offering. The plaintiff’s complaint seeks to recover damages on behalf of the class of investors who bought company securities in or traceable to the offering, under Sections 11, 12 and 15 of the Securities Act of 1933.

As an aside, I should also note here that there is at least one federal court securities class action lawsuit involving MobileIron pending as well, as discussed here. However, this prior federal court lawsuit, which was filed in May 2015, does not appear to relate to MobileIron’s IPO and does not expressly refer to the Aviva breach incident.

The incident involving the phones at Aviva is detailed in numerous media reports, and it is quite a strange story. As revealed in press reports (for example, here) when the breach first came to light, the breach involved over 1,000 smart devices such as iPhones and iPads. On May 20, 2014, a hacker compromised the MobileIron administrative server and posted a message to the devices and to email accounts. According to the news reports, the hacker then performed a full wipe of every device and subsequently took down the MobileIron server itself. All of the affected users received a message that read “it makes my hart bled to say good by lik this, love u mobile iron.” MobileIron is quoted as saying that the problem at Aviva was an isolated incident that did not affect other customers and did not result from or exploit any vulnerability of MobileIron systems.

This story became stranger still as information about the hack came out. It now appears that the hack was the result of an act of revenge gone awry. The hack perpetrator turned out to be a former director of Esselar, the MobileIron reseller. Richard Neale, the former director, had orchestrated the attack on the night that Esselar was giving a demonstration of its services at an IT showcase event. As reported in August 24, 2015 news accounts (here), Neale has admitted committing four cyber crimes against his former company, for which he has been sentenced to a prison term of 18 months. Neale reportedly planned the attack as an act of revenge after a bitter falling out with his former company. Neale had helped organize Esselar in 2009. In his defense, while admitting that his actions had been “foolish and childish,” he contended that no data had been lost or compromised as a result of the breaches, nor had any individual’s private information been exposed.

So we clearly have both a data security breach and a subsequent related D&O lawsuit. But the company sued in the D&O lawsuit is not the one whose systems were breached; rather, the company that was sued was a technology service company that was in the position of providing security services. The lawsuit is not exactly the kind of thing that the predictions about data breaches leading to D&O lawsuits were about. The circumstances involved here are unquestionably unusual and even a bit odd, but they do suggest at least one type of D&O lawsuit that can arise, and that is a lawsuit like this one, where the sued company was not the one experiencing the breach, but rather was responsible for providing security against the breach.

Clearly, in a world of interdependent systems and outsourced information technology services, there could be other claims of this type ahead, where the claims allege either that an information technology services company misrepresented the quality of the security services it provides, or, as here, that the company allegedly failed to disclose compromises that have taken place with respect to its security services.

Trolling E-Mail Foreshadows Possible Data Breach-Related Securities Suit: A standard plaintiffs’ securities law firm practice, after a company has reported negative news, is for the plaintiffs’ firm to issue a press release declaring that the firm is investigating the affected company and the circumstances surrounding the negative news. These kinds of emails are often referred to (except by the plaintiffs’ firms themselves) as trolling emails, because it is suspected that the law firms are trolling for someone to act as the named plaintiff in the lawsuit the law firm is considering filing.

On August 19, 2015, a plaintiffs’ firm issued one of these kinds of press releases in connection with a company that had experienced a data breach. The press release (here), which relates to Web.com Group, Inc., refers to the company’s August 18, 2015 filing with the SEC on Form 8-K. In its filing, a copy of which can be found here, the company reported that on August 13, 2015, it had discovered that one of its computer systems had been hacked. The 8-K reported that the security breach compromised the personal information of around 93,000 customers. The 8-K filing further reports that: “Upon the discovery of this unauthorized activity, Web.com began working with a nationally recognized IT security firm to conduct a thorough investigation and reported the attack to credit card processors and to the proper federal and state authorities. Web.com continues to make significant investments in its internal security processes and systems to prevent incidents like this from occurring. The company will provide one-year of free credit monitoring for all customers who have been impacted by this incident.”

Whether or not a lawsuit will follow the plaintiffs’ law firm’s trolling email remains to be seen. Whether or not a lawsuit ultimately results, it is clear that the plaintiffs’ lawyers are monitoring companies that report data breach incidents and are looking into possible lawsuit filings. Especially when the technology services provider type of lawsuit described above is taken into account, the possibility of further significant data breach related D&O litigation seems probable.

Read other items of interest from the world of directors & officers liability, with occasional commentary, at the D&O Diary, a blog by Kevin LaCroix.
