On March 30, 2022, Judge Robert Pitman of the Western District of Texas denied a majority of a motion to dismiss a putative class action lawsuit asserting claims under the Securities Exchange Act of 1934 against a technology company. information, some of its leaders and private capital. companies that held the shares of the company. In re SolarWinds Corp. Dry. Litigation, no. 1:21-CV-138-RP (WD Tex. 30 Mar. 2022). The plaintiffs alleged that the company’s statements regarding its cybersecurity policies and practices were found to be false and misleading when disclosing a security breach.
The Court held that the plaintiffs had sufficiently alleged falsity, science and causation of the losses, except with respect to the CEO of the company, the allegations as to the person to whom the Court granted the plaintiffs authorization to represent oneself. The Court found that the plaintiffs had properly alleged that the CEO and vice president of corporate security architecture had made inaccurate statements based on the fact that they had reviewed and approved a “security statement on the company’s website that purported to falsely describe the company’s cybersecurity policies and practices. . Slippage Op. 14-15, 21. Additionally, the Court determined that statements indicating the company’s focus on cybersecurity “hygiene” could plausibly be found to be misleading in context due to “differences between the image projected by the speaker and the reality on the ground”. ground.” Identifier. at 16. And the Court further ruled that the company’s disclosures about the risk of cybersecurity attacks did not protect it because the plaintiffs had not simply pointed out that a security breach had place, but rather “alleged separate facts that the cybersecurity measures at the company were not as described. Identifier. at 17 years old.
The Court also ruled that the plaintiffs’ claims about the vice president of security architecture supported a strong scientific inference on his part because he touted the company’s security measures while portraying himself as a “responsible and well-informed authority with regard to [the company’s] cybersecurity measures. Identifier. at 10. Allegations that the VP authorized a separate server vulnerability, unrelated to the breach at issue, also supported a finding of scienter, the court ruled, and statements by former employees regarding the lack of proper cybersecurity protocols were also deemed relevant, even though these employees had not directly worked on the company’s security protocols or interacted with its security team. Identifier. at 11-12. The Court noted that several impugned statements concerned the practices of company employees in general, and that a trier of fact could infer that the vice president of security architecture “may have been aware” of the compliance with company security policies. Identifier. at 12-13.
With respect to the company’s CEO, however, the Court agreed that the plaintiffs had not sufficiently alleged scienter because the plaintiffs had pleaded “no facts to suggest that [the CEO] presented himself as an authority on [the company’s] cybersecurity measures. Identifier. at 22. Additionally, while plaintiffs pointed to the CEO’s sale of more than 39% of his company’s stock shortly before the security breach was publicly disclosed as evidence of scienter, the Court determined that the CEO had provided a plausible competing inference – that he had previously announced his departure from the company and sold his shares under a 10b5-1 plan put in place before the company became aware of the breach of security. Identifier. at 23 years old.
Regarding the causation of the losses, the defendants argued that stock price declines following the disclosure of a security breach could not be linked to specific company practices. Identifier. at 18-19. The Court, however, found that the alleged corrective disclosures “at the very least circumstantially suggest that the security breach was more likely than not caused by the company’s allegedly deficient security.” Identifier. at 19 years old.
The court also ruled that the plaintiffs had correctly alleged control person liability against two private equity firms that each controlled 40% of the company. Identifier. at 25-26. The private equity firms argued that neither was a majority shareholder and that their holdings should not be combined to infer majority control, but the Court determined that a “lax” and “lenient” applied to the assessment of claims of controlling persons. Identifier. at 26. The plaintiffs had sufficiently alleged, according to the Court, that the private equity firms “acted in unison, buying and taking the [c]private company together” then “taking the [c]ompany public together”, “by retaining equal amounts of shares of the [c]ompany,” then selling shares after the company’s IPO “together, on the same day and for nearly identical amounts.” Identifier.