When a public company experiences a data breach, investors invariably look with renewed scrutiny at the company’s prior disclosures regarding its security practices. But when can a company’s communications with investors about their data security risks rise to the level of violations of the federal securities laws?  A recent Ninth Circuit decision, Local 353 v. Zendesk, Inc.^[1] provides a helpful data point – and was followed just days later by a new rule proposed by the SEC regarding disclosure by companies of material cybersecurity incidents and their cybersecurity risk management policies, strategy and governance.

To pass muster in the Ninth Circuit, investors alleging claims pursuant to Section 10(b) of the Securities Exchange Act of 1934 must allege (among other elements) with specificity facts supporting (1) a reasonable inference that a company’s statements were false or misleading at the time they were made, and (2) a cogent and compelling inference that the statements were made with intent to deceive, manipulate, or defraud or were made with deliberate recklessness.  The investors’ claims against Zendesk fell short of satisfying the pleading requirements for either of these elements.

By way of background, Zendesk announced in 2019 that it had discovered a data breach that occurred three years earlier, which compromised personally identifiable information and authentication information for thousands of client accounts.  The company’s stock price subsequently dropped following the announcement.

Investors holding Zendesk securities subsequently filed a securities class action claiming that Zendesk’s statements about the strength of its cybersecurity program misled them into paying artificially inflated prices for the company’s securities.  Statements the investors alleged were misleading, included:

• A statement that Zendesk “maintain[s] a comprehensive security program,” and that it “completed the EU approval process for [its] global Binding Corporate Rules” in 2017, which “validated our implementation of the highest possible standards for protecting [personally identifiable information] globally;
• Warnings Zendesk provided investors regarding the risks, including liabilities and loss of customers, that “could” occur “if” Zendesk suffered a data breach; the possibility that Zendesk “may” experience undetected data breaches; and the possibility that security breaches may remain undetected for an extended period of time.

The plaintiffs asserted that these statements created the impression that Zendesk implemented the data security best practices no later than 2016, when in fact the company had not implemented those practices until after the data security breach. They also alleged that the statements created the impression that it was unlikely that the company had experienced undiscovered data breaches, when in reality it was somewhat likely.

The Ninth Circuit affirmed the dismissal of the complaint by the district court.  The court held that the plaintiffs had fallen short of satisfying their burden of alleging that the statements would mislead the average investor. The statements investors pointed to were truthful, and referred to Zendesk’s data security practices at the time they were made – not their data security practices in 2016, when the time the company experienced the data breach. Ultimately, the plaintiffs failed to allege facts to support their claim that the average investor would be misled by those statements.

Similarly, the court held that the plaintiffs failed to allege that the key Zendesk officers that signed off on the statements about the company’s data security program did so with the requisite mental state to be liable for securities fraud—intent to “deceive, manipulate or defraud” or “deliberate recklessness” toward that possibility.  Namely, the court determined that the plaintiffs did not adequately allege that the officers were closely involved enough with the company’s data security policies or that those policies were of such importance to support an inference that the officers knew the statements to be false.

Although the court’s decision is unpublished, it highlights the potential risk public companies face regarding disclosures concerning their cybersecurity and data privacy practices following a data breach.  In an environment in which data security-related risks can be managed, but never fully eliminated, it is important that companies are thoughtful and deliberate about the ways they communicate those risks to their investors.