February 17, 2019

February 15, 2019

Court Finds Cybersecurity-Related Claims Sufficient in Securities Class Action

In the aftermath of Equifax’s data breach, a federal court recently found that allegations of poor cybersecurity coupled with misleading statements supported a proper cause of action. In its decision, the U.S. District Court for the Northern District of Georgia allowed a securities fraud class action case to continue against Equifax. The lawsuit claims the company issued false or misleading statements regarding the strength and quality of its cybersecurity measures. In their amended complaint, the plaintiffs cite Equifax’s claims of “strong data security and confidentiality standards” and “a highly sophisticated data information network that includes advanced security, protections and redundancies,” when, according to the plaintiffs’ allegations, Equifax’s cybersecurity practices “were grossly deficient and outdated” and “failed to implement even the most basic security measures.” The court found that data security is a core aspect of Equifax’s business and that investors are likely to review representations on data security when making their investment decisions.

Key factors the court considered in allowing the case to continue were:

  • Statements on the company’s website and in SEC filings that it maintained “strong data security” and strong controls;

  • The company’s inadequate software patch management process;

  • Failure to encrypt sensitive data;

  • Inadequate authentication measures, such as weak passwords and lack of multi-factor authentication;

  • Failure to implement measures to monitor its networks;

  • Failure to segment its networks;

  • Inadequate staff training;

  • Failure to develop a data breach management plan; and

  • Inadequate follow-up on outside security audits.

Putting it Into Practice: Investors are paying attention to what companies are doing and saying with regard to cybersecurity. Particularly when touting strong cybersecurity practices, companies should carefully craft messaging that accurately reflects their cybersecurity posture, and they should make sure that their actions match their words by maintaining vigilance on cybersecurity.

Copyright © 2019, Sheppard Mullin Richter & Hampton LLP.


About this Author

Jonathan E. Meyer
Partner

Jon Meyer is a partner in the Government Contracts, Investigations & International Trade Practice Group in the firm's Washington, D.C. office.

Mr. Meyer was most recently Deputy General Counsel at the United States Department of Homeland Security, where he advised the Secretary, Deputy Secretary, General Counsel, Chief of Staff and other senior leaders on law and policy issues, such as cyber security, airline security, high technology, drones, immigration reform, encryption, and intelligence law. He also oversaw all litigation at DHS,...


Elfin L. Noce
Associate

Elfin L. Noce is an Associate in the Business Trial Practice Group in the firm's Washington, D.C. office.

Practices

  • Litigation

Industries

  • Communications

Education

  • J.D., University of Missouri, Columbia, 2005

  • B.A., Truman State University, 2000

Admissions

  • *Not admitted in District of Columbia; supervised by partners of the firm

  • Missouri
