Page 24 - Delaware Lawyer - Spring 2020

FEATURE
tigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally” regarding the breach.121 As a case study, Yahoo’s pre- and post-incident response, as discussed infra, merits close attention by directors and officers and their advisers.
In connection with this enforcement action, Steven Peikin, Co-Director of the SEC Enforcement Division, stated that “[w]e do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”122 While Yahoo and other recent SEC enforcement actions increase the pressure on corporations to implement cybersecurity measures, the steps outlined in the SEC’s guidance and recent orders confirm Peikin’s assertion that companies need only make a “good faith” effort to protect their information assets to avoid liability in connection with an SEC investigation. Notwithstanding the SEC’s guidance, in the wake of Clovis and Marchand, Delaware officers and directors may find heightened criticism of their oversight efforts, especially where shareholder derivative actions allege that cybersecurity was “mission critical.”123
2. Securities Class Actions
In addition to SEC enforcement, plaintiffs’ attorneys have begun to file securities class action lawsuits tied to cybersecurity incidents. While a relationship between stock price fluctuations and cybersecurity incidents often remains unclear, companies have more recently endured downturns in the stock market alleged to result in losses following the public announcement of cybersecurity crises. As a result, plaintiffs’ attorneys have started to add securities fraud class actions to the routine enforcement actions that follow a cybersecurity incident. To establish a claim for securities fraud pursuant to Section 10(b) and Rule 10b-5, a plaintiff must establish a defendant: (i) made a false or misleading statement; (ii) with scienter; (iii) in connection with the purchase or sale of securities; (iv) upon which plaintiffs relied; (v) which resulted in economic loss; and (vi) that plaintiffs’ reliance was the proximate cause of their injury.124
i. Yahoo!
In September 2016, Yahoo revealed that in late 2014, personal information “associated with at least 500 million user accounts was stolen.”125 Yahoo subsequently revealed in December 2016 that “an unauthorized third party, in August 2013, stole [personal information] associated with more than one billion user accounts.”126 However, roughly 10 months later, Yahoo announced that the 2013 breach compromised all 3 billion existing accounts.127 In January 2017, shareholders filed a securities class action against Yahoo and some of its directors and officers in the Northern District of California.128
Specifically, plaintiffs alleged that: “(i) Yahoo failed to encrypt its users’ personal information and/or failed to encrypt its users’ personal data with an up-to-date and secure encryption scheme; (ii) consequently, sensitive personal account information from more than 1 billion users was vulnerable to theft; (iii) a data breach resulting in the theft of personal user data would foreseeably cause a significant drop in user engagement with Yahoo’s websites and services; and (iv) as a result, Yahoo’s public statements were materially false and misleading at all relevant times.”129 The complaint alleged that Yahoo’s stock price declined following each breach: 3.06 percent following the September 2016 disclosure and 6.11 percent following the December 2016 disclosure.130 Moreover, the disclosures negatively impacted Verizon Communications’ acquisition plans of Yahoo’s core business.131
To establish the scienter requirement, the complaint alleged that Yahoo’s directors and officers “knew that the public documents issued or disseminated in the name of Yahoo were materially false and misleading; knew that such statements or documents would be issued or disseminated to the investing public; and knowingly or substantially participated or acquiesced in the issuance or dissemination of such statements or documents as primary violations of the securities laws.”132
Settlement negotiations continued following the plaintiffs’ survival of the motions to dismiss. On March 2, 2018, the parties disclosed that they had entered into a settlement agreement in the amount of $80 million.
ii. Marriott 133
On November 30, 2018, Marriott announced that an estimated 500 million accounts of Starwood guests had been compromised, later revealing that the breach in fact only impacted about 383 million guest records. Specifically, hackers exploited vulnerabilities in Starwood’s network to access information from the guest reservation system beginning in 2014.134 Marriott became aware of the breach on September 10, 2018, leading the press to criticize its due diligence efforts during the 2016 Starwood merger.135 Marriott also neglected to disclose this breach for over a month. “For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (SPG) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”136 However, some payment card numbers and payment card expiration dates were among the compromised information.
On December 1, 2018, plaintiffs filed a securities class action against Marriott, its CEO, its CFRO, and its Chief Accounting Officer and Controller, in the United States District Court, Eastern District of New York.137 Plaintiffs sought “to recover compensable damages caused by Defendants’ violations of the federal securities laws and to pursue remedies under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5 promulgated thereunder.”138 Specifically, plaintiffs alleged that Marriott made false and misleading statements in various SEC filings: “(1) Marriott’s and Starwood’s systems storing their customers’ personal data were not secure; (2) there had been unauthorized access on Starwood’s network since