October 7, 2022

Volume XII, Number 280

Advertisement

October 06, 2022

Subscribe to Latest Legal News and Analysis

October 05, 2022

Subscribe to Latest Legal News and Analysis

October 04, 2022

Subscribe to Latest Legal News and Analysis

Successful Dismissal of PayPal Class Action Over Breach Disclosures Serves as Risks Reminder

A class action lawsuit filed against PayPal in connection with a breach it suffered in 2017 was dismissed recently because the plaintiffs did not adequately allege PayPal’s intent to deceive investors.  The litigation began after PayPal’s acquired TIO Networks Corporation, a smaller payment processor and platform.  Post-acquisition, PayPal announced that it had discovered “security vulnerabilities” in TIO’s operations and it thus suspended TIO’s operations.  At that point, TIO had not yet been integrated into PayPal’s platform.  PayPal confirmed that it was investigating TIO’s security measures with the help of outside assistance, and that PayPal customers’ data remained secure.  PayPal further confirmed that it was not aware of any breach of personal information maintained by TIO.  The following month, however, PayPal announced that a breach of personal information had in fact occurred.  Confidential information belonging to 1.6 customers had been potentially compromised, causing PayPal’s stock price to drop by 5.75%.

Plaintiffs, who bought stock between the two announcements, filed a putative class action lawsuit in California, alleging that they had purchased PayPal stock at fraudulently inflated prices.  Plaintiffs alleged that the prices had been inflated because PayPal did not disclose the security breach and its potential magnitude in its original announcement.  The district court dismissed the case for failure to plead sufficient facts.  Namely, the plaintiff stockholders had not shown a “cogent and compelling” inference that PayPal made material representations with intent or “deliberate recklessness.”

The stockholders appealed, but the Ninth Circuit affirmed the district court’s ruling in PayPal’s favor.  The court did not believe that the original disclosure was misleading, noting that PayPal had disclosed what information it had at the time.  In reaching its decision, the Ninth Circuit also pointed to the fact that none of the defendants had sold stock during the intervening period between the two announcements.  This suggested that they had no material, non-public information that they were taking advantage of.

Putting it Into Practice:  This decision is a reminder of the risks associated with public announcements relating to potential data security incidents, as well as the close scrutiny that individuals, regulators, and courts may subsequently take when looking at a company’s cybersecurity risk disclosures and the timing of stock sales.  Companies should consult closely with counsel when making a public announcement regarding a potential or confirmed data security incident to ensure they are thinking through the potential regulatory and litigation risks, whether a trading blackout period is appropriate during the period of investigation, and whether existing cybersecurity risk disclosures in the company’s public filings should be amended.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XI, Number 35
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Kari Rollins Intellectual Property Lawyer Sheppard
Partner

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....

212.634.3077
James Fazio Intellectual Property Attorney Sheppard Mullin Law Firm
Special Counsel

James Fazio is special counsel in the Intellectual Property Practice Group in the firm's San Diego (Del Mar) office.

Areas of Practice

James focuses on intellectual property and business litigation. He represents public and private companies in disputes such as those involving patent and trademark infringement, theft of trade secrets, fraud, breach of contract, unfair competition, false advertising and various business tort claims. James has more than 24 years of litigation experience and was selected by his peers among the top ten intellectual property...

858.720.7418
Advertisement
Advertisement
Advertisement