Privacy legislation for online activities is long overdue. Most consumers welcome it because they hope it will help protect their data. However, from a corporate perspective, privacy legislation opens the door for more compliance lawsuits brought by shareholders, especially for technology companies.
Do Stock Dips from Data Breaches Count as Securities Fraud?
These unique lawsuits are being presented as securities fraud. It may be a valid argument when companies promote data security as a positive element for investors. In other cases, companies did not disclose data breaches for years, leaving investors confident when things were not as they should be, which makes the securities fraud argument obvious. However, it is important to note that there have been lawsuits in which neither of these conditions was met.
Examples of Lawsuits Under Privacy Legislation
The famous Equifax breach caused a lot of havoc for both consumers and businesses. More than 143 million accounts were compromised. Soon after the breach was uncovered, a lawsuit popped up claiming the company's promises of data security were false and misleading.
Earlier in 2018, Intel chips, which are in a large percentage of computers, were discovered to have inherent flaws, now known as Meltdown and Spectre. These allowed hackers to access data even in programs with flawless security engineering. Lawsuits claimed Intel misled shareholders by omitting any mention of security in several of its reports, and some make claims of insider trading.
Yahoo was the subject of two breaches in 2013 and 2014. However, it took them until the end of 2016 to disclose them, leading to lawsuits. Between 2013 and 2016, the company even put out documents and materials with statements about their robust security. The lawsuit brought against the company stated that shareholders were misled about the security practices of the company and thus, the soundness of their investment.
Facebook has also been the subject of two such lawsuits due to lower stock prices and valuation after the Cambridge Analytica scandal and some alleged GDPR violations. Shareholders argued that the company should have kept them apprised as to how these types of actions could affect shareholder earnings.
How Data Breaches & Shareholder Lawsuits Affect Businesses
A data breach can have long-lasting effects on a company in many ways. First of all, it's a PR nightmare. Companies can lose the trust of long-time loyal consumers. From a legal and financial standpoint, the losses are much worse. For example, when Yahoo finally disclosed their data breaches, their stock went down by 30%. Equifax's stock dropped 27% after they revealed their breach. One lawsuit pointed out that Facebook lost $50 billion in valuation after the Cambridge Analytica scandal. These are pain points not only for shareholders but also for the company itself.
Shareholder lawsuits, now a normal occurrence after a data breach, rub salt into the wound. Yahoo settled for $80 million with its shareholders. Equifax's lawsuit brings claims not only against the company as a whole but also specifically against 15 of the company's top executives who sold stock the month before disclosure of the breach.
What Can Legal Departments Do?
It has been shown that shareholder lawsuits are brought in cases where companies talk about strong security practices but don't actually have them, in cases where they don't talk about security at all, and in cases where they admit a security breach may happen. There may not be much a legal department can do to prevent these shareholder lawsuits, but by studying the latest cases in this emerging field and staying on top of the latest privacy laws, like Europe's GDPR and California's Consumer Privacy Act, they can be ready to represent the company and minimize losses.