In a recent decision, a federal court partially reversed the dismissal of a securities class action data privacy lawsuit against a technology company (the “Company”). The lawsuit stems from a stock drop following the public disclosure that the Company knew a third party had improperly harvested its user data, but the Company failed to timely alert users about the misconduct.

In its 10-K filed with the SEC, the Company warned that such misconduct was a hypothetical risk, without stating that it had already occurred. The Company also continually assured users that they controlled their own data and content on the platform. Instead, the Company covered up the news for years and thus arguably misled users regarding its internal data controls, while historically and continually assuring its users that they controlled their own data and content on the platform.

Initially, the lower court granted a motion to dismiss, in part, because the 10-K was filed after the misconduct was already public knowledge and, therefore, plaintiffs could not prove actionable fraud by hindsight. 

On appeal, and in a high-profile decision, the reviewing federal court reversed the lower court’s dismissal. The reviewing court held that warning only of hypothetical risk after the occurrence could be misleading to shareholders regardless of news announcements on the issue. The court also found that the Company failed to make public statements about the misconduct for several years until it came to light due to a company whistleblower. Finally, the court found that the complaint adequately pleaded loss causation given the correlation between the stock price drop and the truth coming to light through revelations that its users did not have complete control over their own data. 

In the underlying case, a Lender loaned money to a mortgage company (the “Company”). The Company hired an Auditor to examine its financials over three years and prepared a single audit report for each year. Each audit incorrectly stated that the loans were secured when they were not. 

As a result of a mortgage fraud, the Lender lost millions of dollars. The Lender sued claiming the Auditor negligently prepared its audit reports. 

The Auditor sought coverage from its Insurer. Several claims have settled; however, others did not. Eventually, a coverage dispute arose with the key issue being the question of whether the claims arising from each of the three audits were separate or “interrelated” under the policy. The policy defined interrelated claims as “all claims arising out of a single act or omission or arising out of interrelated acts or omissions in the rendering of professional service.” The policy further stated that interrelated acts or omissions are “all acts or omissions in the rendering of professional services that are logically or causally connected by any common fact, circumstance, situation, transaction, event, advice or decision.” If the court deems multiple claims as “related” claims, the court will treat them as one claim, thus limiting the Auditor to a single limit as opposed to the full policy limit.

The Insurer agreed to pay the full amount for a single claim deeming the three audits as one claim. The Lender disagreed and sued the Insurer for the remaining amount, arguing that each audit was separate and had a separate limit. The lower court held that claims stemming from the same audit report are interrelated, while the claims arising from different reports are not. The Insurer appealed and prevailed in the Tenth Circuit. 

According to the Tenth Circuit, “logically connected” means “connected by an inevitable or predictable interrelation or sequence of events.” Applying this legal framework, the court held that the three audits constituted one “interrelated claim” and the “same common facts and circumstances tie the recurring negligence acts together.” The court reasoned that there was one auditor, that auditor performed the same service three separate times, and made the same error each time. Thus, the court held that the auditor’s negligence was a “common circumstance” that flowed across the different audits and “made additional negligently conducted audits predictable, and therefore, logically connected.”

A grain facility’s (the “Company”) employee, throughout several decades of their employment, conducted a fraudulent scheme of misrepresenting the price at which the grain was sold to the market and entering false sales contracts in the Company’s system. Upon discovering the scheme, the Company notified the law enforcement authorities and its commercial crime insurance carrier (the “Carrier”) of the “potential fraud/embezzlement” by the employee. 

The Company and the Carrier leaned on the “investigative settlement clause” of the policy which enabled them to utilize an investigator to determine facts and the quantum of loss. After investigating the facts for over two years, the investigator determined that the Company’s loss was over thirty million dollars. A small fraction of the loss was embezzled, while the majority of the loss amount resulted from the costs of shipping the grain. 

At issue in the coverage litigation was to what extent the policy would cover the entire loss to the Company, versus only the amount that the employee had actually embezzled in the scheme. The crime policy contained an employee “theft” coverage which was defined as “the unlawful taking of property for the deprivation of the Insured” for loss that resulted “directly from” such employee theft. The policy omitted the definition of “taking,” yet the Carrier and the Company relied on the Black’s Law Dictionary definition which stated that “taking” was “[t]he act of seizing an article, with or without removing it, but with an implicit transfer of possession or control.” 

The Carrier argued that the employee’s control over the grain (and the ensuing loss of $29 million in freight costs) did not amount to “taking.” The court disagreed, ruling that the employee exercised implicit control over the grain and misused her authority to direct the transfer of sale of the grain, even if she never physically seized the grain. The court underscored that “implicit transfer” of control was sufficient to characterize the employees’ actions as “taking” under the policy. The court highlighted that the employee’s illegal conduct directly induced the Company to ship the grain, and that the $29 million in loss associated with the shipment fell within the terms of covered loss within the policy.