Securities class actions based on corporate financial disclosures, which used to form the backbone of securities litigation, have been declining. Instead, in recent years the plaintiffs’ bar has turned its focus to “event-driven” securities litigation, bringing securities class actions based on external events that drive down a company’s stock price. These external events have included data security breaches, sexual harassment allegations, commercial litigation, allegations that a product has caused injury, and regulatory investigations or enforcement actions. The frequent challenge for the plaintiffs’ bar, however, is to find corporate statements that can be adequately alleged to have been rendered false or misleading by the external event.
In In re Marriott International, Inc., 2022 WL 1178526 (4th Cir. April 21, 2022), investors brought a securities class action based on a data breach that impacted approximately 500 million guest records in the Starwood guest reservation database. The plaintiffs alleged that Marriott’s failure to disclose severe vulnerabilities in Starwood’s IT systems rendered various public statements false or misleading. The district court dismissed the case, finding that the complaint failed to adequately allege falsity, scienter, and loss causation.
On appeal, the Fourth Circuit found that the challenged statements fell into three categories: “statements about the importance of protecting customer data; privacy statements on Marriott’s website; and cybersecurity-related risk disclosures.”
(1) As to the statements about the importance of data protection to Marriott’s business, the court held that “the investor’s whole theory of the case turns on those statements being true.” In other words, data protection was important to Marriott and the fact that the company said this “basic truth is neither misleading nor creates the false impression the investor suggests.” Moreover, Marriott also disclosed the “key risks that the investor alleges made Starwood’s systems vulnerable.”
(2) Marriott’s privacy statements on its website were inactionable for similar reasons. The company stated that it seeks to protect personal data, but also noted that no data system “can be guaranteed to be 100% secure.” The complaint conceded that “Marriott devoted resources and took steps to strengthen the security of Starwood’s systems.” Therefore, the court held, the fact that Marriott suffered a security breach “does not demonstrate that the company did not place significant emphasis on maintaining a high level of security.”
(3) Finally, the court concluded that Marriott’s risk factors were accurate when issued. The plaintiffs argued that “Marriott twice warned generally about cybersecurity breaches that could occur when it knew those events had in fact already occurred.” The court found, however, that the first alleged cybersecurity breach was “not supported by the investor’s own allegations” and after the Starwood breach the company updated its risk disclosures to specifically state that it had “experienced cyber-attacks.”
Holding: Dismissal affirmed.
Quote of note: “Marriott certainly could have provided more information to the public about its experience with or vulnerability to cyberattacks, but the federal securities laws did not require it to do so. Indeed, the SEC advises companies against ‘mak[ing] detailed disclosures that could compromise [their] cybersecurity efforts – for example by providing a ‘roadmap’ for those who seek to penetrate a company’s securities protections.’ Even as alleged here, Marriott provided sufficient information to ensure its statements were neither false nor misleading.”
Additional note: On the related issue of whether risk disclosures are material to investors, some courts (notably the Sixth Circuit in its Bondali decision) have held that investors do not rely upon risk disclosures because they are not meant to educate investors on what harms are currently affecting the company. In Marriott, the Fourth Circuit drops a footnote stating that “risk disclosures generally also lack materiality” and favorably quotes the Bondali decision.