The dispute stems from an incident in which the insured’s clients notified the company of suspicious activity on its servers, which was later identified as ransomware. The impact was confined to the company’s accounting department, and the company was able to restore the encrypted data from backups. The insurer claimed that its insured’s operations “continued unabated” following the breach and that there was no impact on the company’s ability to service its clients during this time, thus precluding coverage for the loss of income afforded for business interruptions under its policy. The company, however, said that as a result of its decision to use its own staff to remediate the malware, rather than hire an outside firm, it was unable to serve some of its customers, which led to a loss of six accounts. In response, the insurer contended that the company’s hardship was not the result of a loss of functionality, but rather that “too many of [its] customers were having issues simultaneously.” A ruling is pending.
In their suit, the shareholders contended that previous statements by the company about its security being “of the highest quality” were deceptive and led to artificially inflated share prices. As a result, in the wake of the company’s announcement of the breach, the stock price dropped. In support of their claim, the shareholders pointed to cyber incidents in 2013 and 2016, the latter of which had gone undetected for three years and involved the compromise of at least 10,000 customer records.
The Ninth Circuit, however, held the shareholders failed to plead that the company’s officers acted with fraudulent intent. The court also concluded the company’s statements would not have led an ordinary investor to draw incorrect assumptions about the risk of an undetected breach. Notably, the court held the shareholders failed to plead facts “supporting a reasonable inference that either of those hacks was a prominent enough milestone in the company history that the average investor would be led to believe that every data security improvement directly followed them.”
Some of the worrisome practices the FTC cited included Social Security numbers stored in plain text and poorly encrypted passwords and password reset answers. The FTC also alleged the company failed to implement common security protections and failed to respond to security incidents when made aware of them. One particular breach highlighted in the complaint allegedly resulted in the disclosure of millions of names, physical addresses and passwords, over 180,000 Social Security numbers, and thousands of credit card records, with a portion of this information ending up for sale on the so-called “Dark Web.” The complaint further alleged the company repeatedly ignored warnings from a variety of sources, including one from a foreign government, and did not notify impacted customers of the breach until months later. Moreover, the FTC contended the company misled users regarding the use of their email addresses, stating they would only be used for order fulfillment while actually sharing them for marketing purposes.
This case makes it clear that the Federal government will not be a passive observer when a company’s lack of cybersecurity amounts to an unfair trade practice.