To what extent can plaintiffs use allegations from a retained expert in a securities fraud complaint? In Sgarlata v. Paypal Holdings, Inc., 2019 WL 4479562 (N.D. Cal. Sept. 18, 2019), the plaintiffs claimed that PayPal had failed to adequately disclose a cybersecurity breach. To bolster their scienter (i.e., fraudulent intent) allegations, the plaintiffs engaged a cybersecurity expert to determine what information about the breach likely was available to the company at the time the breach was discovered and provided the expert’s opinions in the complaint.
In its motion to dismiss decision, the court found that it could consider the expert’s statements, but only if they satisfied the same standard applied to confidential witnesses, i.e., (1) the statements must be described with sufficient particularity to establish the expert’s reliability and personal knowledge; and (2) the statements must themselves be indicative of scienter. The cybersecurity expert had extensive experience in the field and opined that the company must have known more about the breach than it disclosed.
The court noted, however, that there was no allegation in the complaint that the expert “was familiar with, much less had knowledge of, the specific security architecture of Defendants’ privacy network.” Moreover, the expert “did not actually talk to employees . . . nor did he review documents that – in and of themselves – demonstrate inconsistencies that were available” to the company at the time of its disclosure. Even considered holistically with the entire complaint, the court found that the expert’s opinions did not support a finding of scienter.
Holding: Motion to dismiss granted.