IN RE EQUIFAX INC. SECURITIES LITIGATION
Filing 84
OPINION AND ORDER GRANTING IN PART AND DENYING IN PART the Defendants' #62 Joint Motion to Dismiss for Failure to State a Claim. It is GRANTED as to the Defendants Gamble, Ploder, and Dodge. It is DENIED as to the Defendants Equifax and Smith. Signed by Judge Thomas W. Thrash, Jr. on 1/28/2019. (sap)
IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF GEORGIA
ATLANTA DIVISION
IN RE EQUIFAX INC. SECURITIES
LITIGATION
CIVIL ACTION FILE
NO. 17-CV-3463-TWT
OPINION AND ORDER
This is a securities fraud class action. It is before the Court on the
Defendants’ Joint Motion to Dismiss [Doc. 62]. For the reasons set forth below,
the Defendants’ Joint Motion to Dismiss [Doc. 62] is GRANTED in part and
DENIED in part.
I. Background
This case arises out of a massive data breach incident. On September 7,
2017, the Defendant Equifax Inc. announced that it was the subject of a data
breach affecting more than 148 million Americans (the “Data Breach”).1
Criminal hackers breached Equifax’s computer network and obtained a vast
amount of personally identifiable information in the company’s custody. The
Lead Plaintiff, Union Asset Management Holding AG, seeks to represent a
putative class of investors that purchased the securities of Equifax from
February 25, 2016 through September 15, 2017. The Plaintiff alleges that the
Defendants committed fraud in connection with the Data Breach that caused a
1 Am. Compl. ¶ 3.
T:\ORDERS\17\In re Equifax Inc. Securities Litigation\mtdtwt.wpd
loss in value of the class’s investments. Specifically, the Plaintiff alleges that the
Defendants made multiple false or misleading statements and omissions about
the sensitive personal information in Equifax’s custody, the vulnerability of its
internal systems to cyberattack, and its compliance with data protection laws
and cybersecurity best practices.2 Despite these assurances, Equifax allegedly
failed to take some of the most basic precautions to protect its computer systems
from hackers. According to the Plaintiff, these material misrepresentations
artificially inflated the value of Equifax’s securities, causing a loss in value of
the class’s investments when the truth was revealed after the Data Breach.
Equifax is a Georgia corporation with its headquarters in Atlanta,
Georgia.3 It is one of the three largest credit reporting agencies in the world.4
Equifax operates primarily through four segments: U.S. Information Solutions,
a segment that provides products and services to businesses; Equifax’s
International operating segment, which includes its Asia, Europe, Latin
America, and Canada business units; Equifax’s Workforce Solutions segment,
which provides verification and employer services; and Global Consumer
Solutions, its direct-to-consumer business that provides consumers with
products to protect and monitor their credit and identity.5 The Defendants
2 Id. ¶ 3.
3 Id. ¶ 19.
4 Id.
5 Id. ¶ 20.
Richard F. Smith, John W. Gamble, Jr., Rodolfo O. Ploder, and Jeffrey L. Dodge
(the “Individual Defendants”) were corporate officers at Equifax during the
putative class period. The Defendant Richard F. Smith is the former Chief
Executive Officer and Chairman of the Board of Directors of Equifax.6 Smith
resigned from both of these positions on September 26, 2017.7 The Defendant
John W. Gamble is the Corporate Vice President and Chief Financial Officer of
Equifax.8 The Defendant Rodolfo O. Ploder is the President of Equifax’s
Workforce Solutions operating segment.9 The Defendant Jeffrey L. Dodge is the
Senior Vice President of Investor Relations at Equifax.10
As part of its business, Equifax collects, maintains, and sells a huge
quantity of personal data about consumers and employees all over the world.11
This personally identifiable information is highly sensitive.12 It includes Social
Security numbers, addresses, birthdays, employment history, driver’s license
information, detailed payment history, loans, credit card information, and
6 Id. ¶ 21.
7 Id.
8 Id. ¶ 22.
9 Id. ¶ 23.
10 Id. ¶ 24.
11 Id. ¶ 29.
12 Id. ¶ 36.
more.13 Credit bureaus such as Equifax acquire this information from banks,
mortgage lenders, credit card issuers, and other financing companies.14 This
personally identifiable information is a highly valuable target for
cybercriminals; it includes some of the most private information about
consumers.15 This information can be used to enter into a mortgage, set up a
bank account, change a phone number, and even more.16
The Defendants recognized the importance of safeguarding this highly
sensitive personal information.17 In its SEC filings, Equifax acknowledged that
it collected and stored sensitive data, including the personally identifiable
information of consumers, and stated that safeguarding this data was “critical”
to its “business operations and strategy.”18 It noted that its success was
dependent upon its “reputation as a trusted steward of information.”19 Equifax
also acknowledged that it was a valuable target for cybercriminals due to the
vast trove of information it collected.20 In its SEC filings, Equifax recognized
13 Id. ¶¶ 30, 36.
14 Id. ¶ 30.
15 Id. ¶ 36.
16 Id. ¶ 37.
17 Id. ¶ 38.
18 Id.
19 Id.
20 Id. ¶ 39.
that it was regularly the target of criminal hackers, and that a cybersecurity
incident could subject it to a variety of serious consequences.21
Acknowledging the importance of protecting the data in its custody, the
Defendants made a number of statements during the class period regarding
Equifax’s networks and the security of the personal data in its custody.
According to the Plaintiff, the Defendants issued statements concerning the
strength of Equifax’s cybersecurity systems, its compliance with data protection
laws, and the integrity of its internal controls.22 For example, with regard to the
strength of its data security, Equifax’s website provided that the company
employed “strong data security and confidentiality standards” and maintained
“a highly sophisticated data information network that includes advanced
security, protections and redundancies.”23 With regard to Equifax’s compliance
with data protection laws, regulations, and standards, the Defendants stated in
SEC filings that they continuously monitored federal and state legislative and
regulatory activities “in order to remain in compliance” with those laws.24 The
Defendants also certified in SEC filings during the class period that Equifax had
effective internal controls that would provide “reasonable assurance regarding
21 Id.
22 Id. ¶ 52.
23 Id. ¶ 53.
24 Id. ¶ 277.
prevention or timely detection of unauthorized acquisition, use or disposition of
our assets.”25
However, despite these assurances, Equifax’s cybersecurity was
dangerously deficient. The Data Breach, according to the Plaintiff, was the
inevitable result of widespread shortcomings in Equifax’s data security systems.
According to the Plaintiff’s allegations, Equifax’s data protection measures were
“grossly inadequate,” “failed to meet the most basic industry standards,” and
“ran afoul of the well-established mandates of applicable data protection laws.”26
These shortcomings spanned a number of facets of cybersecurity practices,
including a failure to implement proper patching protocols, failure to encrypt
sensitive information, the storage of sensitive data on public-facing servers, the
use of inadequate network monitoring practices, the use of obsolete software,
and more. Overall, according to cybersecurity experts, a “catastrophic breach of
Equifax’s systems was inevitable because of systemic organizational disregard
for cybersecurity and cyber-hygiene best practices.”27
According to the Plaintiff, Equifax failed to implement an adequate patch
management process, while also failing to remediate known deficiencies in its
cybersecurity infrastructure.28 The company relied upon a single individual to
25 Id. ¶ 62.
26 Id. ¶ 208.
27 Id. ¶ 66 (emphasis omitted).
28 Id. ¶ 209.
manually implement its patching process across its entire network.29 This
individual had no way to know where vulnerable software in need of patching
was being run on Equifax’s systems.30 This protocol was far less secure than the
automatic patching processes that many other companies, including Equifax’s
peers, employ in their systems.31 According to cybersecurity experts, this
patching process fell far short of industry standards.32
Equifax also failed to encrypt sensitive data in its custody. According to
the Amended Complaint, Equifax admitted that sensitive personal information
relating to hundreds of millions of Americans was not encrypted, but instead
was stored in plaintext, making it easy for unauthorized users to read and
misuse.33 Not only was this information unencrypted, but it also was accessible
through a public-facing, widely used website.34 This enabled any attacker that
compromised the website’s server to immediately have access to this sensitive
personal data in plaintext.35 Smith also admitted during congressional
testimony that, with respect to its core credit databases, Equifax failed to
29 Id.
30 Id.
31 Id.
32 Id. ¶¶ 210-11.
33 Id. ¶ 217.
34 Id.
35 Id.
encrypt any of its data.36 It also failed to encrypt its highly vulnerable mobile
applications, meaning that in addition to keeping sensitive data unencrypted in
its own systems, it also failed to encrypt data being transmitted over the
internet.37 This, according to experts, was a major security failure.38 And, when
Equifax did encrypt data, it left the keys to unlocking the encryption on the
same public-facing servers, making it easy to remove the encryption from the
data.39 These inadequacies in Equifax’s encryption protocol fell far short of
industry standards and data security laws, and showed that Equifax did not
“know what they were doing” with respect to data security.40
Moreover, Equifax also failed to implement adequate authentication
measures.41 Authentication measures are mechanisms, such as passwords, that
verify that a party attempting to access a system or network is authorized to do
so.42 According to the Amended Complaint, Equifax’s authentication measures
were insufficient to protect the sensitive personal data in its custody from
36 Id.
37 Id. ¶ 218.
38 Id.
39 Id. ¶ 217.
40 Id. ¶¶ 218-19.
41 Id. ¶¶ 224-30.
42 Id. ¶ 224.
unauthorized access.43 These mechanisms included weak passwords and security
questions.44 For example, Equifax relied upon four digit pins derived from Social
Security numbers and birthdays to guard personal information, despite the fact
that these weak passwords had already been compromised in previous
breaches.45 Furthermore, Equifax employed the username “admin” and the
password “admin” to protect a portal used to manage credit disputes, a password
that “is a surefire way to get hacked.”46 This portal contained a vast trove of
personal information.47 According to cybersecurity experts, these shortcomings
demonstrated “poor security policy and a lack of due diligence.”48 Equifax’s
authentication practices fell short of the data security standards, which
recommend the use of multi-factor authentication.49
Equifax also failed to adequately monitor its networks and systems,
which greatly exacerbated the fallout of the Data Breach.50 According to the
Plaintiff, Equifax failed to establish mechanisms for monitoring its networks
43 Id.
44 Id.
45 Id.
46 Id. ¶ 225 (emphasis omitted).
47 Id.
48 Id.
49 Id. ¶ 226.
50 Id. ¶¶ 231-34.
and systems to alert when a threat existed.51 Such mechanisms include
maintaining activity logs, setting up processes for tracking malicious scripts,
and implementing file integrity monitoring.52 According to cybersecurity experts,
logging is a “simple but crucial cybersecurity technique” in which a company
monitors its systems by continuously logging network access so as to identify
unauthorized users.53 This failure by Equifax greatly compounded the
magnitude of the Data Breach’s impact. According to experts, a breach as large
scale as this one would not have occurred if Equifax had implemented better
monitoring systems. If adequate monitoring systems had been in place, Equifax
could have identified the breach much earlier and prevented the exfiltration of
consumer data from its network.54 Improved logging techniques also could have
enabled Equifax to expel the hackers from its systems and minimize the impact
of the breach.55 Instead, due in part to Equifax’s failure to implement effective
logging techniques, hackers were able to continuously access this sensitive
personal data for over 75 days.56 Equifax’s failure to utilize proper network
51 Id. ¶ 231.
52 Id.
53 Id.
54 Id. ¶ 232.
55 Id.
56 Id.
monitoring, one of the most basic cybersecurity practices, demonstrates the
fundamental deficiencies in its networks.57
Equifax’s handling of the sensitive data in its custody also reflected a poor
cybersecurity regime.58 There were two main shortcomings as to this category.
First, Equifax stored sensitive personal information, in unencrypted plaintext
form, on public-facing servers and web portals.59 Second, it failed to partition
this sensitive information to limit the exposure if a breach occurred.60 In
contrast, standard security best practices recommend that companies ensure
that sensitive data is stored on non-public servers and is inaccessible through
public-facing networks.61 Equifax’s failure to properly segment its networks also
contravened standard cybersecurity practices.62 Experts note that network
segmentation, which consists of dividing a network into smaller partitions,
isolates critical assets from one another and controls the access to sensitive
data.63 Equifax’s failure to properly handle this sensitive data is another
example of the deficiencies in its cybersecurity regime.
57 Id. ¶ 233.
58 Id. ¶¶ 235-40.
59 Id. ¶ 235.
60 Id.
61 Id. ¶ 236.
62 Id. ¶ 237.
63 Id.
Many other aspects of Equifax’s cybersecurity practices were also
deficient. According to the Plaintiff, Equifax relied upon outdated security
systems and software,64 allowed its “attack surface” to grow too big by leaving
thousands of servers exposed on the internet;65 allowed unused data to
accumulate and failed to dispose of unneeded data;66 failed to restrict access to
sensitive data to only those employees whose job responsibilities required such
access;67 failed to adequately train its security personnel;68 failed to perform
adequate reviews of its systems, networks, and security;69 and failed to develop
a data breach management plan.70 However, despite the woeful state of
Equifax’s cybersecurity, the Defendants made a number of statements touting
the strength of Equifax’s data systems and the cybersecurity practices that it
employed.71
According to the Plaintiff, the Defendants also ignored a number of
warnings that Equifax’s data security measures were inadequate. In 2014,
64 Id. ¶¶ 241-45.
65 Id. ¶¶ 246-47.
66 Id. ¶¶ 248-50.
67 Id. ¶¶ 251-53.
68 Id. ¶¶ 254-60.
69 Id. ¶¶ 261-63.
70 Id. ¶¶ 264-66.
71 Id. ¶¶ 285-353.
KPMG performed a security audit of Equifax which found that, among other
deficiencies, Equifax left encryption keys on the same public servers where
encrypted data was stored.72 Then, in 2016, Equifax hired Deloitte to perform
another security audit.73 Deloitte discovered several problems in its audit,
including inadequate patching systems.74 However, according to former
cybersecurity employees at Equifax, the company’s management did not take
the security audit seriously.75 Equifax employees and cybersecurity researchers
continued to warn Equifax of deficiencies in its cybersecurity protocol.76 They
warned Equifax about its inadequate patching systems, its failure to encrypt
sensitive personal data, its storage of personal data on public-facing servers, and
more.77 Furthermore, in March 2017, Equifax hired Mandiant, a cybersecurity
firm, to investigate weaknesses in its data protection systems.78 This
investigation, which was described as a “top-secret project,” was personally
overseen by Smith.79 Mandiant concluded that Equifax’s data protection systems
72 Id. ¶ 71.
73 Id. ¶ 77.
74 Id.
75 Id.
76 Id. ¶¶ 78-83.
77 Id.
78 Id. ¶ 91.
79 Id.
were grossly inadequate.80 Mandiant specifically identified Equifax’s unpatched
systems and “misconfigured security policies” as indicative of major problems.81
However, instead of heeding Mandiant’s advice, Equifax squelched a broader
review of Equifax’s security systems.82
Equifax also experienced other, smaller data breaches prior to the Data
Breach here. According to the Plaintiff, these previous breaches should have
warned the Defendants that Equifax’s cybersecurity, including its
authentication and network monitoring measures, was severely deficient. In
April 2016, hackers breached Equifax’s W2Express website, a service that offers
downloadable W-2 forms for companies.83 The hackers were able to access the
W-2 data of hundreds of thousands of employees of numerous companies that
contracted with Equifax to use this service.84 The hackers were able to access
this information by entering an employee’s default PIN code, which was the last
four digits of the employee’s Social Security number and their four-digit birth
year.85 According to cybersecurity experts, these authentication measures fell
80 Id. ¶ 92.
81 Id.
82 Id. ¶ 93.
83 Id. ¶ 73.
84 Id.
85 Id.
short of data security best practices.86 The hackers were also able to remain
undetected in Equifax’s networks for approximately one year before they were
discovered, which the Plaintiff alleges reflected a failure to employ adequate
network monitoring practices.87 Then, in February 2017, Equifax learned that
another breach occurred in its Workforce Solutions segment.88 From April 2016
to March 2017, hackers were able to obtain wage and W-2 data maintained by
Equifax’s TALX division, now called Equifax Workforce Solutions.89 The hackers
were again able to exploit Equifax’s use of personal identifiers and weak four-digit PIN codes to protect this sensitive data.90 The hackers also were able to
remain in Equifax’s network for over a year.91 Cybersecurity experts opined that
Equifax’s authentication protections, which were exploited in this breach, were
inadequate and failed to meet basic industry standards.92 After this incident
Equifax promised to make improvements in its cybersecurity defenses, but failed
to do so.93
86 Id.
87 Id. ¶ 73.
88 Id. ¶ 85.
89 Id.
90 Id.
91 Id. ¶ 87.
92 Id. ¶ 89.
93 Id. ¶ 90.
On or about March 7, 2017, security firms began issuing warnings that
attackers were exploiting a vulnerability in Apache Struts, an open-source
software application used to build interactive websites.94 This software is
commonly used for websites where customers submit online forms.95 Apache
Struts is widely used by large businesses, including a substantial percentage of
the Fortune 100 companies.96 Equifax used Apache Struts at this time. Security
firms began reporting that Apache Struts was vulnerable to a “remote code
execution attack.”97 This attack is a dangerous type of exploit that allows
attackers to force the vulnerable systems into running computer programs
written by the attackers, which can make it easy to either steal data or establish
a foothold in the vulnerable system.98 This weakness in Apache Struts was not
just highly dangerous – it was also especially easy to exploit.99 Due to both the
dangerous nature of this vulnerability and the widespread use of Apache Struts
in the business community, the vulnerability and the corresponding update to
the software aimed at addressing the vulnerability were widely publicized.100
94 Id. ¶ 95.
95 Id.
96 Id.
97 Id. ¶ 96.
98 Id.
99 Id.
100 Id. ¶ 97.
Both Apache itself and security firms publicized the vulnerability.101 By March
8, 2017, Apache released updated versions of Apache Struts to mitigate this
vulnerability in the software.102
In March 2017, hackers breached Equifax’s network using the Apache
Struts vulnerability.103 On or about May 13, 2017, the hackers accessed files
containing Equifax usernames and passwords, which they then used to access
documents and sensitive information in Equifax’s “legacy environment,” an area
where it stored old data that it no longer used.104 The attackers accessed
numerous databases and compromised multiple systems.105 The collection of
information that the hackers obtained was so large that they had to break it up
into smaller pieces to avoid setting off alarms.106 The hackers ultimately stole
the names, Social Security numbers, birthdays, addresses, driver’s license
information, tax identification numbers, and other personal data of 148 million
Americans, as well as personal information of nearly one million foreign
101 Id.
102 Id. ¶ 98.
103 Id. ¶¶ 109-10.
104 Id. ¶ 112.
105 Id. ¶ 113.
106 Id. ¶ 114.
consumers and employees.107 They also obtained the credit card information for
209,000 consumers.
On July 29 and 30 of 2017, Equifax discovered that criminal hackers had
gained unauthorized access to its network.108 Susan Mauldin, Equifax’s Chief
Security Officer, notified John Kelly, Equifax’s Chief Legal Officer, about the
Data Breach on July 31.109 Mauldin informed Kelly that personally identifiable
information may have been compromised in the Data Breach.110 Under Equifax’s
data security protocol, the chief of security is alerted about any issues, who then
determines the severity of the breach.111 If the chief of security determines the
breach to be severe, he or she then informs the executive leadership of the
issue.112 On July 31, Smith was notified about the Data Breach.113 Kelly told
Smith that Chief Information Officer David Webb would meet with him in
person to discuss a data security issue.114 In this meeting, Webb notified Smith
107 Id. ¶ 115.
108 Id. ¶ 116.
109 Id. ¶ 117.
110 Id.
111 Id. ¶ 118.
112 Id.
113 Id. ¶ 118.
114 Id.
of the Data Breach, informing him that it had occurred in an online consumer
dispute portal.115
On August 2, 2017, Equifax notified the FBI of the Data Breach.116 It also
retained legal counsel to guide its investigation into the breach.117 The same day,
Equifax’s legal counsel retained Mandiant to assist in the investigation into the
incident.118 Experts would later note that these steps suggested that Equifax
knew that the Data Breach was serious.119 In the days immediately following the
discovery of the Data Breach, Gamble and Ploder sold more than $1 million in
Equifax stock.120 On August 1, Gamble, Equifax’s Chief Financial Officer, sold
stock for $946,374, representing more than thirteen percent of his holdings.121
On August 2, Ploder sold stock for $250,458, representing four percent of his
holdings.122 These sales were not made pursuant to a Rule 10b5–1 trading
plan.123 Smith would later state in congressional testimony that Ploder and
115 Id. ¶ 119.
116 Id. ¶ 120.
117 Id.
118 Id.
119 Id.
120 Id. ¶ 121.
121 Id.
122 Id.
123 Id.
Gamble would have been in many of the meetings he had concerning the Data
Breach.124
By August 11, 2017, Mandiant confirmed that hackers accessed databases
containing a large amount of consumers’ personally identifiable information.125
Smith requested a briefing on the Data Breach on August 15, 2017.126 At this
briefing, Smith was informed that it was likely that personally identifiable
information had been stolen.127 On August 16, 2017, at an Equifax investor
conference, the Defendants stated that Equifax’s “role as a Trusted Steward is
a Key Execution Enabler” and stated that it was making “investments to
address critical data security throughout the company.”128 On August 17, 2017,
Smith spoke at an event at the Terry College of Business at the University of
Georgia.129 When asked by an audience member how Equifax prepares for data
fraud, Smith responded “when you have the size database we have, it’s very
attractive for others to try to get into our database, so it is a huge priority for us
124 Id.
125 Id. ¶ 122.
126 Id.
127 Id.
128 Id. ¶ 123.
129 Id. ¶ 334.
as you might guess. [] [Data fraud] is my number one worry, obviously.”130
On September 7, 2017, Equifax disclosed the Data Breach to the public
for the first time.131 In a press release after the close of trading that day, Equifax
revealed that it had suffered a data breach affecting the personal information
of approximately 143 million American consumers.132 Equifax continued to make
subsequent disclosures over the following days, ending on September 15, 2017,
providing additional details concerning the Data Breach.133 The company stated
that it had engaged Mandiant, a cybersecurity firm, to conduct a review, and
that it had reported the breach to law enforcement.134 Experts, analysts, and the
media immediately began to weigh in, with one analyst describing the breach
as “one of the biggest cyber-attacks in US history.”135 Cybersecurity experts
opined that massive cybersecurity failures on Equifax’s part resulted in the
Data Breach, and that its public response and outreach were “haphazard and
ill-conceived.”136 Financial experts also began to weigh in. Some financial
130 Id. This speech was recorded and uploaded to YouTube.com on August 22, 2017.
131 Id. ¶ 124.
132 Id. ¶ 125.
133 Id. ¶ 124.
134 Id. ¶ 126.
135 Id. ¶ 128.
136 Id. ¶ 131.
analysts predicted from the outset of this public revelation that, due to the
unprecedented size of this incident, Equifax’s stock price would decline.137 Other
analysts predicted that Equifax would incur substantial costs relating to the
Data Breach for years to come.138
On September 8, 2017, the price of Equifax’s common stock dropped
nearly fifteen percent, closing at $123.13 per share.139 There was also an
extraordinarily high trading volume of 16.85 million shares of Equifax stock.140
On Monday, September 11, 2017, in response to more revelations made over the
weekend, Equifax’s stock price fell another nine percent to $113.32 per share.141
Over the course of the next few days, more information concerning Equifax’s
cybersecurity and the Data Breach was revealed to the public.142 By September
15, 2017, Equifax’s stock price had fallen to $92.98, nearly a thirty-six percent
decline since the initial public disclosure of the Data Breach.143
On September 8, 2017, this action was commenced. In the Amended
Complaint, the Plaintiff asserts one claim for violation of section 10(b) of the
137 Id. ¶ 128.
138 Id. ¶ 129.
139 Id. ¶ 138.
140 Id.
141 Id. ¶ 151.
142 Id. ¶¶ 154-79.
143 Id. ¶ 177.
Exchange Act and Rule 10b–5 promulgated thereunder against all of the
Defendants (Count I), and one claim for violation of section 20(a) of the
Exchange Act against the Individual Defendants (Count II). The Plaintiff alleges
that the Defendants made false or misleading statements on Equifax’s website,
in Equifax’s SEC filings, and at Equifax Investor Conferences and
Presentations. According to the Plaintiff, these false or misleading statements
concerned the state of Equifax’s cybersecurity, Equifax’s compliance with data
protection laws, regulations, and industry best practices, and Equifax’s internal
controls. On June 18, 2018, this Court modified the PSLRA’s automatic stay of
discovery to allow for limited case management and discovery planning
activities.144 The Defendants now move to dismiss.
II. Legal Standard
A complaint should be dismissed under Rule 12(b)(6) only where it
appears that the facts alleged fail to state a “plausible” claim for relief.145 A
complaint may survive a motion to dismiss for failure to state a claim, however,
even if it is “improbable” that a plaintiff would be able to prove those facts; even
if the possibility of recovery is extremely “remote and unlikely.”146 In ruling on
a motion to dismiss, the court must accept the facts pleaded in the complaint as
144 See [Doc. 64].
145 Ashcroft v. Iqbal, 129 S. Ct. 1937, 1949 (2009); FED. R. CIV. P. 12(b)(6).
146 Bell Atlantic v. Twombly, 550 U.S. 544, 556 (2007).
true and construe them in the light most favorable to the plaintiff.147 Generally,
notice pleading is all that is required for a valid complaint.148 Under notice
pleading, the plaintiff need only give the defendant fair notice of the plaintiff’s
claim and the grounds upon which it rests.149
Complaints that allege fraud under federal securities law must satisfy the
heightened pleading requirements of both Rule 9(b) and the Private Securities
Litigation Reform Act of 1995. Rule 9(b) requires a complaint to “state with
particularity the circumstances constituting fraud.”150 “A complaint satisfies
Rule 9(b) if it sets forth precisely what statements or omissions were made in
what documents or oral representations, who made the statements, the time and
place of the statements, the content of the statements and manner in which they
misled the plaintiff, and what benefit the defendant gained as a consequence of
the fraud.”151
147 See Quality Foods de Centro America, S.A. v. Latin American Agribusiness Dev. Corp., S.A., 711 F.2d 989, 994-95 (11th Cir. 1983); see also Sanjuan v. American Bd. of Psychiatry and Neurology, Inc., 40 F.3d 247, 251 (7th Cir. 1994) (noting that at the pleading stage, the plaintiff “receives the benefit of imagination”).
148 See Lombard’s, Inc. v. Prince Mfg., Inc., 753 F.2d 974, 975 (11th Cir. 1985), cert. denied, 474 U.S. 1082 (1986).
149 See Erickson v. Pardus, 551 U.S. 89, 93 (2007).
150 FED. R. CIV. P. 9(b).
151 In re Theragenics Corp. Sec. Litig., 105 F. Supp. 2d 1342, 1348 (N.D. Ga. 2000) (citing Brooks v. Blue Cross and Blue Shield of Fla., Inc., 116 F.3d 1364, 1371 (11th Cir. 1997)).
The PSLRA also sets forth heightened pleading standards. This law was
“enacted to cure perceived abuses in prosecuting class actions brought pursuant
to federal securities laws.”152 The PSLRA supplements Rule 9(b) in two ways.
First, a plaintiff must specify “the reason or reasons why the statement is
misleading, and, if an allegation regarding the statement or omission is made
on information and belief, the complaint shall state with particularity all facts
on which that belief is formed.”153 Second, a plaintiff must set forth particular
facts that give rise to a strong inference that the defendants acted with the
required state of mind.154 Specifically, it requires that “the complaint shall, with
respect to each act or omission alleged to violate this chapter, state with
particularity facts giving rise to a strong inference that the defendant acted with
the required state of mind.”155 A complaint that fails to comply with any of these
requirements must be dismissed.156
III. Discussion
Section 10(b) of the Exchange Act of 1934 makes it unlawful “[t]o use or
employ, in connection with the purchase or sale of any security . . . any
152
In re Scientific–Atlanta, Inc., Sec. Litig., 239 F. Supp. 2d 1351,
1358 (N.D. Ga. 2002).
153
15 U.S.C. § 78u–4(b)(1).
154
15 U.S.C. § 78u–4(b)(2).
155
15 U.S.C. § 78u–4(b)(2).
156
15 U.S.C. § 78u–4(b)(3)(A).
manipulative or deceptive device or contrivance in contravention of such rules
and regulations as the Commission may prescribe.”157 Rule 10b–5, promulgated
thereunder by the Commission, states:
It shall be unlawful for any person, directly or indirectly, by use of
any means or instrumentality of interstate commerce, or of the
mails or of any facility of any national securities exchange, (a) To
employ any device, scheme, or artifice to defraud, (b) To make any
untrue statement of a material fact or to omit to state a material
fact necessary in order to make the statements made, in the light
of the circumstances under which they were made, not misleading,
or (c) To engage in any act, practice, or course of business which
operates or would operate as a fraud or deceit upon any person, in
connection with the purchase or sale of any security.158
To establish a securities fraud claim under these provisions, a plaintiff must
allege: “(1) a material misrepresentation or omission; (2) made with scienter; (3)
a connection with the purchase or sale of a security; (4) reliance on the
misstatement or omission; (5) economic loss; and (6) a causal connection between
the material misrepresentation or omission and the loss, commonly called ‘loss
causation.’”159
The Defendants make four main arguments. First, they argue that the
Plaintiff has failed to adequately plead that they made false or misleading
statements. Second, they contend that the Plaintiff has failed to plead a strong
157
15 U.S.C. § 78j(b).
158
17 C.F.R. § 240.10b–5.
159
Mizzaro v. Home Depot, Inc., 544 F.3d 1230, 1236-37 (11th Cir.
2008).
inference of scienter, as required under the PSLRA. Third, they argue that the
Plaintiff fails to adequately plead loss causation, an essential element of a
section 10(b) claim. Finally, they argue that the Plaintiff’s section 20(a) claim
fails. The Court addresses each of these arguments in turn.
A. False or Misleading Statements
The Defendants first argue that the Plaintiff fails to sufficiently plead
that the statements in question were false or misleading, as required by the
PSLRA.160 Complaints alleging fraud must meet the heightened-pleading
standards of Rule 9(b), which requires that in “alleging fraud or mistake, a party
must state with particularity the circumstances constituting fraud or
mistake.”161 A fraud claim meets the requirements of Rule 9(b) if it sets forth
precisely what statements or omissions were made in what documents or oral
presentations, who made the statements, the time and place of the statements,
the contents of the statements or manner in which they misled the plaintiff, and
what the defendants gained as a consequence.162 Additionally, the PSLRA
requires a securities-fraud plaintiff to “specify each statement alleged to have
been misleading” and “the reason or reasons why the statement is
160
Defs.’ Mot. to Dismiss, at 9.
161
FED. R. CIV. P. 9(b).
162
Brooks v. Blue Cross and Blue Shield of Fla., 116 F.3d 1364, 1371
(11th Cir.1997).
misleading.”163 “To show falsity, one typically juxtaposes an alleged
misrepresentation to a contrary true fact.”164 “A statement is misleading if in the
light of the facts existing at the time of the statement a reasonable investor, in
the exercise of due care, would have been misled by it.”165 If an allegation
regarding a statement or omission is made on information and belief, the
complaint must state with particularity the facts on which the belief is
formed.166
This securities-fraud case is based primarily on the Defendants’ alleged
misrepresentations during the class period about the security of Equifax’s
networks and its efforts to ensure the protection of the data in its custody. The
Defendants’ purported misrepresentations can be grouped into three main
categories: (1) statements concerning Equifax’s cybersecurity and its efforts to
protect consumer data; (2) statements concerning Equifax’s compliance with
data protection laws, regulations, and industry best practices; and (3)
statements concerning Equifax’s internal controls. The Defendants make four
main arguments in favor of dismissal. First, they argue that many of the
Plaintiff’s claims allege mere corporate mismanagement. Second, they argue
163
15 U.S.C. § 78u–4(b)(1).
164
In re HomeBanc Corp. Sec. Litig., 706 F. Supp. 2d 1336, 1353 (N.D.
Ga. 2010).
165
FindWhat Inv. Grp. v. FindWhat.com, 658 F.3d 1282, 1305 (11th
Cir. 2011) (internal quotations and alterations omitted).
166
Id.
that the Plaintiff has not sufficiently pleaded the falsity of the alleged
statements as required by the PSLRA. Third, they argue alleged statements of
opinion or belief are not actionable. Fourth, they argue that they were under no
duty to disclose the Data Breach prior to September 7, 2017. The Court
addresses each of these.
1. Corporate Mismanagement
The Defendants first contend that many of the Plaintiff’s allegations
concern mere corporate mismanagement, which is not actionable under the
federal securities laws.167 Specifically, the Defendants contend that “[a]llegations
that Defendants should have implemented different or better security measures
to protect data are, at most, allegations of ‘mismanagement,’ for which the
securities laws do not provide a remedy.”168 In Santa Fe Industries, Inc. v.
Green, the Supreme Court held that allegations of corporate mismanagement
are not actionable under section 10(b) because the federal securities laws do not
regulate corporate fiduciary duties.169 There, the Supreme Court rejected a
minority shareholder’s claim that the company’s majority shareholders violated
167
Defs.’ Mot. to Dismiss, at 12-13.
168
Id.
169
Santa Fe Indus., Inc. v. Green, 430 U.S. 462, 477 (1977) (“No doubt
Congress meant to prohibit the full range of ingenious devices that might be
used to manipulate securities prices. But we do not think it would have chosen
this ‘term of art’ if it had meant to bring within the scope of s 10(b) instances of
corporate mismanagement such as this, in which the essence of the complaint
is that shareholders were treated unfairly by a fiduciary.”).
section 10(b) by utilizing a short-form merger to eliminate the minority’s
interest.170 The Court concluded that the transaction at issue was not
manipulative or deceptive within the meaning of section 10(b), and consequently
not actionable.171 Thus, a plaintiff who alleges mere corporate mismanagement
or breach of fiduciary duty does not state a claim under section 10(b). From this,
the Defendants argue that many of the Plaintiff’s claims fail because they
merely make hindsight criticisms of the adequacy of Equifax’s management of
its data security efforts.
“However, ‘false or misleading statements or omissions concerning
material facts about management or internal operations may be actionable,’
such as when a defendant ‘makes certain statements while that defendant
knows that existing mismanagement makes those statements false or
misleading.’”172
Thus, while allegations that Equifax engaged in
mismanagement would fail under section 10(b), allegations that the Defendants
made false or misleading statements or omissions concerning such corporate
mismanagement at Equifax can constitute a basis for a section 10(b) claim.173 The
170
Id. at 465.
171
Id. at 465, 473.
172
In re Ebix, Inc. Sec. Litig., 898 F. Supp. 2d 1325, 1340 (N.D. Ga.
2012) (quoting In re Premiere Techs. Inc., No. 1:98-CV-1804-JOF, 2000 WL
33231639, at *14 (N.D. Ga. Dec. 8, 2000)).
173
The Defendants cite cases for the proposition that misstatements
concerning corporate mismanagement, along with allegations of corporate
mismanagement, are also not cognizable under the federal securities
laws/section 10(b). See Defs.’ Mot. to Dismiss, at 13 (citing Cutsforth v.
Renschler, 235 F. Supp. 2d 1216, 1242-44 (M.D. Fla. 2002)). However, the
Supreme Court’s holding in Santa Fe does not support such a conclusion, and
the cases cited are not binding authority on this Court. The Court instead agrees
with the courts in this District that have concluded that false or misleading
statements or omissions concerning corporate mismanagement are cognizable
under the federal securities laws. See, e.g., In re Ebix, Inc. Sec. Litig., 898 F.
Supp. 2d 1325, 1340 (N.D. Ga. 2012). The Defendants cite Cutsforth v.
Renschler for the proposition that a failure to disclose mismanagement is also
not cognizable under the federal securities laws. The Court finds the reasoning
in Cutsforth and similar cases unconvincing. In those cases, the courts do not
explain why nondisclosure of mismanagement is inactionable under Santa Fe.
Furthermore, the facts of those cases are distinguishable. The court in Cutsforth
found that the mere nondisclosure of mismanagement itself was not actionable.
In contrast, the Plaintiff here alleges that the Defendants made affirmative
misstatements concerning mismanagement of cybersecurity, not a mere failure
to disclose. Even applying the holding in Cutsforth and similar cases, such
misstatements would be actionable. Thus, the Court also finds that Cutsforth
is distinguishable.
Defendants misconstrue the Plaintiff’s argument. The Plaintiff does not argue
that the Defendants violated section 10(b) by failing to implement better
cybersecurity practices. Instead, the Plaintiff contends that the Defendants
violated section 10(b) by making false or misleading statements as to the
strength and quality of Equifax’s cybersecurity. Such a claim is not barred by
Santa Fe.
2. The Adequacy of Equifax’s Data Security
Next, the Defendants argue that the statements touting the strength of
Equifax’s data security systems and the adequacy of Equifax’s efforts to promote
cybersecurity do not constitute material misrepresentations. In the Amended
Complaint, the Plaintiff alleges that the Defendants made a variety of material
misrepresentations as to the state of Equifax’s data security and Equifax’s
efforts to promote cybersecurity. For example, the Defendants allegedly stated
that Equifax was a “trusted steward” of personal data and that it employed
“strong data security and confidentiality standards on the data that we provide
and on the access to that data.”174 They allegedly stated that Equifax
“maintain[ed] a highly sophisticated data information network that includes
advanced security, protections and redundancies.”175 According to the Plaintiff,
the fundamental shortcomings in Equifax’s cybersecurity, including a failure to
take some of the most elementary precautions, render these statements false or
misleading.176
The Defendants make two main arguments for why these statements are
not material misrepresentations. First, they argue that the alleged statements
are not actually false or misleading because the facts pleaded do not show that
Equifax’s data security was actually inadequate. Second, they contend that
these statements constitute inactionable puffery. According to the Defendants,
these statements were vague, meaningless statements of corporate optimism
that no reasonable shareholder would rely upon in making investment decisions.
The Court addresses each of these arguments in turn.
174
Am. Compl. ¶ 289.
175
Id.
176
Pl.’s Br. in Opp’n to Defs.’ Mot. to Dismiss, at 16.
i. Falsity
The Defendants contend that the Plaintiff has failed to plead the falsity
of each of the alleged statements concerning the strength of Equifax’s systems.
They argue that the Plaintiff has not shown that the statements boasting of the
strength and complexity of Equifax’s cybersecurity are actually false.177 Instead,
according to the Defendants, the Plaintiff has only alleged that Equifax was the
victim of a criminal attack that was out of its control. They contend that the fact
that a company suffered a significant cyberattack does not necessarily mean
that its cybersecurity was deficient, and thus does not render its prior
statements about its commitment to data security false.178
However, the Plaintiff alleges more than just the mere occurrence of the
Data Breach. The Plaintiff has pleaded a multitude of specific, detailed factual
allegations demonstrating that Equifax’s cybersecurity systems were grossly
deficient and outdated, despite the Defendants’ various assurances to the
contrary. In the Amended Complaint, the Plaintiff alleges that Equifax failed
to implement even the most basic security measures, reflecting a “systemic
organizational disregard for cybersecurity and cyber-hygiene best practices.”179
Cybersecurity experts opined that Equifax’s data security failures flowed from
177
Defs.’ Mot. to Dismiss, at 13-15.
178
Id. at 15.
179
Am. Compl. ¶ 66.
an inadequate “tone at the top” and that “the real problem was a very poor focus
on information security at the highest levels of the company.”180 For example,
according to the Plaintiff, Equifax failed to implement an effective patch
management process, relying upon a single employee to manually implement
the company’s patching process across its entire network.181 This process failed
to meet the most basic industry standards – application of security patches is a
critical cybersecurity practice.182 Because of this shortcoming, Equifax allegedly
failed to remediate known deficiencies in its cybersecurity infrastructure, such
as the Apache Struts vulnerability.183 Furthermore, according to the Plaintiff,
Equifax failed to implement adequate encryption measures to protect sensitive
information, in contrast to its representation that it encrypted confidential
information.184 Equifax allegedly stored and transmitted the personal
information of hundreds of millions of consumers in unencrypted, plaintext,
making it easy for intruders to read and misuse.185
Overall, the Plaintiff alleges that, among other things, Equifax: (1) failed
to implement adequate patching processes; (2) failed to create adequate
180
Id. ¶ 257.
181
Id. ¶ 209.
182
Id. ¶ 210.
183
Id. ¶ 209.
184
Id. ¶¶ 65, 217-23, 295.
185
Id. ¶ 65.
encryption measures to protect the information in its custody; (3) failed to
implement adequate authentication measures to ensure that parties attempting
to access its networks were authorized to do so; (4) failed to establish
mechanisms for monitoring its networks for security breaches; (5) stored
personal data in easily accessible public channels; (6) relied on outdated and
obsolete software; and (7) failed to warehouse obsolete personal information.186
Together, according to the Plaintiff, each of these shortcomings created an
inadequate cybersecurity system.
Given the dangerously deficient state of Equifax’s cybersecurity, the
Court concludes it was false, or at least misleading, for Equifax to tout its
advanced cybersecurity protections. In contrast to the Defendants’
representations that, among other things, Equifax employed a “highly
sophisticated data information network” and “advanced security protections,”187
Equifax’s data security was dangerously lacking. While it is true that the mere
occurrence of a data breach may not necessarily mean that a company’s data
security systems are inadequate, the Plaintiff here does not rely solely upon the
occurrence of the Data Breach to establish that the Defendants’ statements were
false. Instead, the Plaintiff has pleaded a variety of facts showing that Equifax’s
186
Id. ¶ 65.
187
Id. ¶ 289.
cybersecurity systems were outdated, below industry standards, and vulnerable
to cyberattack, and that Equifax did not prioritize data security efforts.
Furthermore, as the Plaintiff points out, a number of courts have come
to a similar conclusion, holding that statements touting the strength or quality
of an important business operation are false, and thus actionable, when those
operations are, in reality, deficient.188 For example, in In re ValuJet, Inc.,
Securities Litigation, the court explained that:
The Plaintiffs allege that, despite the numerous safety-related
incidents and FAA heightened scrutiny of ValuJet's operations, (1)
Defendants Jordon and Priddy fraudulently represented in the
1995 report to shareholders that ValuJet's paramount goal was
profitability while maintaining operational integrity; (2) Defendant
Priddy fraudulently represented at an investor's conference in
April, 1996 that ValuJet planned to add additional aircraft and
that growth would be significant; and (3) Defendant Jordan
fraudulently represented in a press release in April, 1996 that
ValuJet's safety record had been certifiably among the very best in
the airline industry. When viewing the allegations in the
Complaint as true, the Court finds that Defendants Jordan and
Priddy's alleged misrepresentations during the class period are
sufficiently plead under the PSLRA heightened-pleading standards
188
See, e.g., Bricklayers & Masons Local Union No. 5 Ohio Pension
Fund v. Transocean Ltd., 866 F. Supp. 2d 223, 243 (S.D.N.Y. 2012) (“Likewise,
the Complaint plausibly alleges facts indicating that a reasonable investor
would assume that Transocean’s safety and training measures were not only
‘large in extent and range or amount,’ but adequate, when, in fact, the measures
were insufficient to address applicable legal requirements and created a high
risk of legal exposure.”); In re Massey Energy Co. Sec. Litig., 883 F. Supp. 2d
597, 617-18 (S.D.W. Va. 2012) (holding that the defendants’ statements
concerning their commitment to safety, including that safety was a “first priority
every day,” were actionable); In re ValuJet, Inc., Sec. Litig., 984 F. Supp. 1472,
1477-78 (N.D. Ga. 1997) (concluding that statements touting “operational
integrity” and safety were false given numerous safety incidents).
to constitute false statements for the purposes of a Rule 10b–5
claim.189
Similarly, the Defendants’ representations that Equifax employed a highly
sophisticated data information network are allegedly false given the actual state
of its systems.
The case that the Defendants primarily rely upon, In re Heartland
Payment Systems, Inc. Securities Litigation, is distinguishable. In Heartland,
the corporate defendant, a provider of bank card payment processing services
to merchants, suffered a “Structured Query Language” attack by criminal
hackers.190 This attack placed hidden, malicious software on the defendant’s
network, which infected its payment processing system.191 Because of this,
hackers were able to steal 130 million credit card and debit card numbers.192
After this incident, the plaintiffs filed a securities action, alleging that the
defendants misrepresented the state of Heartland’s network security, that they
concealed the occurrence of the data breach from investors, and that they made false
statements concerning the adequacy of its security systems and the efforts they
took for network security.193 Specifically, Heartland had stated that it “‘place[d]
189
ValuJet, 984 F. Supp. at 1477-78.
190
In re Heartland Payment Sys., Inc. Sec. Litig., Civ. No. 09-1043,
2009 WL 4798148, at *1 (D.N.J. Dec. 7, 2009).
191
Id.
192
Id.
193
Id. at *2.
significant emphasis on maintaining a high level of security’ and maintained a
network configuration that ‘provides multiple layers of security to isolate our
databases from unauthorized access.’”194 The plaintiffs argued that those
statements were untruthful “because Heartland had suffered the SQL attack
and had not fully resolved security issues arising out of that attack.”195 The court
concluded, however, that these statements were not false or misleading because
there was “nothing inconsistent” between these statements and “the fact that
Heartland had suffered an SQL attack.”196 “The fact that a company has suffered
a security breach does not demonstrate that the company did not ‘place
significant emphasis on maintaining a high level of security.’”197 The court
further explained that it was “equally plausible” that Heartland did place a high
emphasis upon security.
In contrast, the Plaintiff here has not alleged that the Defendants’
statements concerning Equifax’s cybersecurity practices are false merely
because Equifax suffered a security breach. Instead, the Plaintiff has asserted
specific factual allegations describing the poor state of Equifax’s cybersecurity.
These allegations depict a data security system that was dangerously deficient
and fell far short of industry standards. Unlike in Heartland, where it was
194
Id. at *5.
195
Id.
196
Id.
197
Id.
plausible that the company placed a high emphasis on security but nonetheless
was a victim of a breach, Equifax’s data security is alleged to have been in
disrepair, in contrast to the Defendants’ statements otherwise. Thus, Heartland
is distinguishable.
The Defendants also argue that these allegations fail because the Plaintiff
has failed to plead the falsity of the statements concerning the adequacy of
cybersecurity with particularity.198 The PSLRA requires a plaintiff to specify
“the reason or reasons why the statement is misleading.”199 For example, the
Defendants contend that the Plaintiff has not adequately alleged the falsity of
the statement that the “Equifax network is reviewed on a continual basis by
external security experts who conduct intrusion testing, vulnerability
assessments, on-site inspections, and policy/incident management reviews.”200
However, the Court concludes that the Plaintiff has satisfied its requirement to
plead the falsity of these statements with particularity. The Plaintiff alleges in
the Amended Complaint that this statement was false or misleading because
Equifax “ignored advice issued by those external ‘security experts’ warning the
Company about gross inadequacies in its cybersecurity,” because Equifax “failed
to heed the calls of its cybersecurity consultants to perform comprehensive
198
Defs.’ Mot. to Dismiss, at 22.
199
15 U.S.C. § 78u–4(b)(1).
200
See Defs.’ Mot. to Dismiss, at 22; see also Am. Compl. ¶ 292.
system reviews,” and because Equifax’s vulnerability scanning was deficient
since scans were performed “infrequently, examined only portions of Equifax’s
systems, relied on outdated technology, and lacked appropriate redundancies.”201
The Defendants argue that these allegations merely second-guess the extent or
efficacy of these efforts. However, the Court concludes that these allegations are
sufficient because they explain why this statement was false, or at a minimum,
misleading. These allegations explain that it was misleading to state that
cybersecurity experts continually review Equifax’s systems when Equifax
ignored those experts’ suggestions and used superficial vulnerability scanning.
The Defendants also challenge the statements that Equifax had a
“rigorous enterprise risk management program” that targeted its cybersecurity
risks,202 that Equifax used “a variety of technical, administrative and physical
ways to keep personal credit data safe,”203 that Equifax “regularly review[ed]
and update[d] [its] security protocols,”204 and that Equifax “develop[ed],
maintain[ed], and enhance[d] secured proprietary information databases.”205
According to the Defendants, the Plaintiff’s allegations that Equifax’s efforts
were inadequate fail because they do not show that Equifax did not have a risk
201
Am. Compl. ¶ 293.
202
Am. Compl. ¶ 346.
203
Id. ¶ 339.
204
Id.
205
Id. ¶ 311.
management program, or that it did not attempt to comply with data security
regulations.206 However, the Plaintiff adequately alleges the falsity of each of
these statements with particularity. With each of these statements, the Plaintiff
explains how the context of Equifax’s cybersecurity makes them false or
misleading.207 The Plaintiff alleges that each of these areas of cybersecurity was
so deficient that it was misleading for Equifax to assure investors that these
efforts were promoting the security of its data systems. These statements do
more than merely tell investors that a risk management program existed or that
it used various cybersecurity techniques. Instead, Equifax used these
statements to assure investors that they were taking cybersecurity seriously.
Furthermore, the Defendants also take many of these statements out of
context in their brief. For example, the Defendants argue that the Plaintiff has
not shown that it was false or misleading to state that Equifax had an
enterprise risk management program.208 But, in the Amended Complaint, the
Plaintiff alleges that Equifax stated that it has “a rigorous enterprise risk
management program targeting . . . data security.”209 An assurance that Equifax
employed a rigorous enterprise risk management program is more misleading
206
Defs.’ Mot. to Dismiss, at 22-23.
207
See Am. Compl. ¶¶ 312, 340, 347 (explaining the falsity of each of
these challenged statements).
208
Defs.’ Mot. to Dismiss, at 22.
209
Am. Compl. ¶ 346.
to investors than simply affirming the existence of an enterprise risk
management program. Similarly, the Defendants argue that the Plaintiff has
not alleged that it was false to state that Equifax “regularly review[ed] and
update[d] [its] security protocols,” even if those efforts were not effective or to
the necessary extent.210 However, in the Amended Complaint, the Plaintiff
alleges that Equifax stated that “[w]e regularly review and update our security
protocols to ensure that they continue to meet or exceed established best
practices at all times.”211 This statement does not merely state that Equifax
reviewed and updated its security protocols, but instead that it did so to ensure
that it met established best practices. Furthermore, the Defendants argue that
the Plaintiff has not shown that the statement that Equifax “monitor[ed] federal
and state legislative and regulatory activities that involve credit reporting, data
privacy and security” is false, when in reality the Plaintiff alleges that Equifax
stated that “[w]e continuously monitor federal and state legislative and
regulatory activities that involve credit reporting, data privacy and security to
identify issues in order to remain in compliance with all applicable laws and
regulations.”212 This context, omitted by the Defendants in their argument, is
important in determining whether the statements were false or misleading.
210
Defs.’ Mot. to Dismiss, at 22.
211
Am. Compl. ¶ 339 (emphasis added).
212
Compare Defs.’ Mot. to Dismiss, at 22-23, with Am. Compl. ¶ 342.
ii. Puffery
Next, the Defendants argue that many of the challenged statements
concerning Equifax’s commitment to data security constitute inactionable
puffery.213 Alleged misrepresentations must be based upon a material fact to
give rise to a securities law violation.214 “Subjective characterizations of a
company’s current performance or predictions about future performance, absent
a false misstatement of fact, are generally not actionable.”215 Such statements
of “corporate optimism” or “puffery” are not actionable because they both lack
an underlying factual basis and also fail the materiality requirement of Rule
10b-5.216 Thus, “vague, optimistic statements are not actionable because
reasonable investors do not rely on them in making investment decisions.”217
Statements constitute “puffery” if they are “too general to cause a reasonable
investor to rely upon them.”218 According to the Defendants, many of the alleged
213
Defs.’ Mot. to Dismiss, at 18-21.
214
Amalgamated Bank v. Coca-Cola Co., No. 1:05-CV-1226, 2006 WL
2818973, at *3 (N.D. Ga. Sept. 29, 2006).
215
Id.
216
Id.
217
Id. (quoting Grossman v. Novell, Inc., 120 F.3d 1112, 1119-20 (10th
Cir. 1997)) (internal alterations omitted).
218
In re Australia & New Zealand Banking Grp. Ltd. Sec. Litig., No.
08 Civ. 11278(DLC), 2009 WL 4823923, at *11 (S.D.N.Y. Dec. 14, 2009) (quoting
ECA, Local 134 IBEW Joint Pension Tr. of Chi., 553 F.3d 187, 206 (2d Cir.
2009)).
statements reflected corporate optimism and aspiration that a reasonable
investor would not rely upon, and thus constitute puffery. Such statements of
puffery cannot serve as the basis for a section 10(b) claim because a reasonable
investor would not rely upon them.219 For example, the Defendants contend that
many of the statements “generally avow a commitment to data security or
characterize security as a priority for Equifax.”220 According to the Defendants,
a reasonable investor would not rely upon statements such as these, which are
“generalized, non-verifiable, and vague statements of commitment to and
aspirations about data security.”221
However, the Court finds that these alleged statements are not
inactionable puffery. An alleged misstatement or omission must be “so obviously
unimportant to a reasonable investor that reasonable minds could not differ on
the question of their importance” to be deemed inactionable puffery.222 For
example, in the context of a drilling company’s statements concerning its safety
and training efforts, one court noted that it could not “say, as a matter of law,
that Transocean’s representation that such efforts were extensive was ‘obviously
unimportant’ to GSF shareholders” since “[i]n an industry as dangerous as
219
Defs.’ Mot. to Dismiss, at 18.
220
Id. at 19.
221
Id. at 18.
222
Bricklayers & Masons Local Union No. 5 Ohio Pension Fund v.
Transocean Ltd., 866 F. Supp. 2d 223, 239 (S.D.N.Y. 2012).
deepwater drilling, it is to be expected that investors will be greatly concerned
about an operator’s safety and training efforts.”223 Likewise, the Court cannot
say, as a matter of law, that Equifax’s representations that its cybersecurity
efforts were extensive or that it was “committed” to data security were so
“obviously unimportant” to its shareholders that they should be considered
immaterial. Furthermore, the fact that these statements relate to a core aspect
of Equifax’s business makes it even more likely that a reasonable investor would
assign weight to them. Since data security plays an important part of a business
such as Equifax, investors would be even more likely to find these types of
representations important in making their investment decisions. For these
reasons, the Court cannot, as a matter of law, conclude that these statements
are obviously unimportant to Equifax’s investors.
Moreover, the context of these alleged statements is important to this
determination. Although the alleged statements, when viewed in isolation,
might constitute puffery, the fact that they were made repeatedly to assure
investors that Equifax’s systems were secure could lead a reasonable investor
to rely upon them as reflecting the state of Equifax’s cybersecurity.224 Thus, the
223
Id. at 244.
224
See In re Petrobras Sec. Litig., 116 F. Supp. 3d 368, 381 (S.D.N.Y.
2015) (“While some of the alleged statements, viewed in isolation, may be mere
puffery, nonetheless, when (as here alleged) the statements were made
repeatedly in an effort to reassure the investing public about the Company’s
integrity, a reasonable investor could rely on them as reflective of the true state
of affairs at the Company. Accordingly, the Court cannot find that all of
context of these supposedly “aspirational” statements matters: the Defendants
repeatedly stated that cybersecurity, an important aspect of their business, was
a top priority for senior management, despite the fact that Equifax failed to
employ some of the most elementary cybersecurity practices. Even if, in a
vacuum, each of these statements seems like a meaningless, corporate vaguery,
when taken together a reasonable investor would rely upon them to conclude
that Equifax made cybersecurity a serious priority.
The cases cited by the Defendants are unpersuasive. For example, in Ong
v. Chipotle Mexican Grill, Inc. (Chipotle II), the court concluded that statements
that Chipotle was “committed to serving safe, high quality food” and that its
“food safety programs are . . . designed to ensure” that Chipotle “compl[ies] with
applicable federal, state and local food safety regulations” were inactionable
puffery.225 However, the court provided little analysis for why those statements
constituted puffery. Here, statements affirming a commitment to cybersecurity
can be actionable because a reasonable investor might rely upon such
statements in making investment decisions. Although the court in Chipotle II
found statements that the company was “committed” to serving safe food to
constitute puffery, the Court concludes that the statements here are not so
Petrobras’ alleged statements regarding its general integrity and ethical
soundness were immaterial as a matter of law.”).
225
Ong v. Chipotle Mexican Grill, Inc. (Chipotle II), 294 F. Supp. 3d
199, 232 (S.D.N.Y. 2018).
obviously unimportant to investors given the repeated nature of these
statements, the context of Equifax’s business, and the widespread nature of the
deficiencies alleged in the Amended Complaint. Therefore, for these reasons,
Chipotle II is unpersuasive.
3. Failure to Disclose the Data Breach
Next, the Defendants move to dismiss the Plaintiff’s allegations based
upon their purported failure to disclose the Data Breach earlier.226 In the
Amended Complaint, the Plaintiff alleges that some of the alleged statements
were or became misleading by omission because the Defendants did not publicly
disclose the Data Breach until September 7, 2017.227 According to the Plaintiff,
the Defendants’ statements after March 2017 lauding Equifax’s data security
were false or misleading because Equifax “knew or recklessly disregarded that
hackers had already penetrated its databases.”228
However, the Court concludes that the Defendants were under no duty
to disclose the Data Breach prior to becoming aware of the incident in July 2017.
The Plaintiff has not alleged that the Defendants knew about the Data Breach
226
Defs.’ Mot. to Dismiss, at 16.
227
See, e.g., Am. Compl. ¶ 318 (contending that certain statements,
such as Equifax being a “trusted steward,” were “false and misleading because
Defendants knew or were reckless in failing to know, but failed to disclose, that
hackers had penetrated Equifax’s internal data systems”); see also id. ¶¶ 288,
300, 335, 338.
228
Pl.’s Br. in Opp’n to Defs.’ Mot. to Dismiss, at 28.
before July 29, 2017, but instead argues that they were reckless as to its
occurrence. It bases its argument upon warnings that the Defendants allegedly
received as to the deficient state of Equifax’s cybersecurity, its failure to employ
adequate patching processes, and its failure to use proper network monitoring.
These warnings might demonstrate that the Defendants knew of, or were
reckless as to, Equifax’s ability to prevent or detect a breach. However, these
warnings do not establish that the Defendants knew, or were reckless as to the
existence of, the specific Data Breach at issue here. The allegations also do not
demonstrate that the Defendants knew of, or were reckless as to the existence
of, Equifax’s failure to patch the Apache Struts vulnerability. Therefore, the
Defendants were under no duty to disclose the existence of the Data Breach
before they knew it had occurred.
Second, the Plaintiff argues that the Defendants were under a duty to
correct their prior misstatements once they became aware of the Data Breach
in July 2017. According to the Plaintiff, even if some of the Defendants’
statements may not have been misleading at the time they were made, the
Defendants had a duty to correct the statements once they learned that the Data
Breach had occurred.229 A duty to disclose can be created by a defendant’s
previous decision to speak on the subject.230 “Where a defendant’s failure to
229
Pl.’s Br. in Opp’n to Defs.’ Mot. to Dismiss, at 29.
230
Rudolph v. Arthur Andersen & Co., 800 F.2d 1040, 1043 (11th Cir.
1986).
speak would render the defendant’s own prior speech misleading or deceptive,
a duty to disclose arises.”231 According to the Plaintiff, the Defendants had a
duty to disclose once they learned that their prior statements concerning the
security of Equifax’s systems became false due to the Data Breach.232
However, the Court finds that the occurrence of the Data Breach did not
itself make those prior statements false or misleading, and thus did not create
a duty to disclose. As the Court noted above, the occurrence of a data breach
does not necessarily imply that a company’s data security is inadequate. In
Heartland, the court concluded that the defendants were not under a duty to
disclose the occurrence of a data breach because the plaintiffs had not alleged
that the company’s systems were actually deficient.233 The court noted that the
occurrence of a data breach itself does not establish that a company’s data
security is inadequate.234 Similarly, here, the occurrence of the Data Breach
itself did not necessarily render the Defendants’ prior statements false, and thus
231
Id. (citing First Va. Bankshares v. Benson, 559 F.2d 1307, 1314
(5th Cir. 1977)).
232
Pl.’s Br. in Opp’n to Defs.’ Mot. to Dismiss, at 29.
233
In re Heartland Payment Sys., Inc. Sec. Litig., Civ. No. 09-1043,
2009 WL 4798148, at *4 (D.N.J. Dec. 7, 2009).
234
Id.
did not impose a duty to correct those statements by disclosing the occurrence
of the Data Breach.235 Therefore, the Court finds this argument unavailing.
4. Statements About Cybersecurity Risks
Next, the Defendants move to dismiss the Plaintiff’s allegations regarding
Equifax’s warnings of its cybersecurity risks.236 In the Amended Complaint, the
Plaintiff alleges that Equifax, Smith, and Gamble made false or misleading
statements in SEC filings concerning the cybersecurity risks that Equifax faced.
The Plaintiff alleges that Equifax stated in its 2015 and 2016 Forms 10-K that:
Despite our substantial investment in physical and technological
security measures, employee training, contractual precautions and
business continuity plans, our information technology networks
and infrastructure or those of our third-party vendors and other
service providers could be vulnerable to damage, disruptions,
shutdowns, or breaches of confidential information due to criminal
conduct, denial of service or other advanced persistent attacks by
hackers[.]237
However, according to the Plaintiff, it was false or misleading to state that
Equifax “could be vulnerable” to a breach “when, in fact, Equifax was highly
235
However, as discussed above, the Plaintiff has adequately alleged
that those prior statements were false. Whether those statements touting
Equifax’s cybersecurity are false, and thus actionable, is a separate question
from whether the Defendants were under a duty to disclose specifically the
occurrence of the Data Breach. Those statements are actionable merely because
of the fact that they were false or misleading at the time they were made due to
the widespread inadequacies in Equifax’s data systems, notwithstanding
whether the Data Breach occurred or not.
236
Defs.’ Mot. to Dismiss, at 26.
237
Am. Compl. ¶ 306.
vulnerable to such an attack, as, in fact, Defendants had been warned on
numerous occasions both before and during the Class Period.”238
The Defendants argue that these allegations fail to state a claim because,
through these statements, the Defendants warned of the precise risk that
caused the Plaintiff’s losses.239 The Court finds that these statements are not
actionable. The difference between disclosing that Equifax “could be vulnerable”
and that it was “highly vulnerable” would not mislead a reasonable investor in
making an investment decision. The case that the Plaintiff relies upon, In re
Van der Moolen Holding N.V. Securities Litigation, is distinguishable.240 There,
the court concluded that cautionary statements can give rise to a section 10(b)
violation.241 The court noted that “to caution that it is only possible for the
unfavorable events to happen when they have already occurred is deceit.”242
However, that case is distinguishable. There, the defendant warned investors
about regulatory risks, even though it knew or was recklessly ignorant that its
employees were violating NYSE rules.243 Here, in contrast, the risk warned of
238
Id. ¶ 308 (emphasis in original).
239
Defs.’ Mot. to Dismiss, at 27.
240
In re Van der Moolen Holding N.V. Sec. Litig., 405 F. Supp. 2d 388
(S.D.N.Y. 2005).
241
Id. at 400.
242
Id. (internal quotations omitted).
243
Id.
is different. The Defendants warned that Equifax could be vulnerable to a data
breach, but they did not fail to disclose the existence of a breach when they
made that statement. Thus, unlike in Van der Moolen, the Defendants did not
warn that Equifax could be at risk, when it in fact was suffering a data breach.
Therefore, the Court finds these risk statements inactionable.
5. Equifax’s Compliance With Data Protection Laws
Next, the Defendants move to dismiss the Plaintiff’s claims concerning
statements about Equifax’s compliance with data protection laws, regulations,
and best practices. In the Amended Complaint, the Plaintiff alleges that the
Defendants made various statements assuring that Equifax complied with
relevant data protection laws, regulations, standards, and best practices. For
example, the Plaintiff alleges that Equifax stated on its website that it “takes
great care to ensure that we use and process personal data in ways that comply
with applicable regulations and respects individual privacy.”244 Equifax also
stated that “[w]e regularly review and update our security protocols to ensure
that they continue to meet or exceed established best practices at all times”245
and that “[w]e continuously monitor federal and state legislative and regulatory
activities that involve credit reporting, data privacy and security to identify
issues in order to remain in compliance with all applicable laws and
244
Am. Compl. ¶ 336.
245
Id. ¶ 339.
regulations.”246 However, despite these affirmations, Equifax allegedly fell far
short of complying with these regulatory requirements.
The Defendants first assert that these claims merely allege corporate
mismanagement, which is not actionable under federal securities laws.247
However, as explained above, this argument fails. The Plaintiff does not allege
that the Defendants violated section 10(b) by failing to comply with
cybersecurity laws, regulations, and best practices. Instead, the Plaintiff argues
that they violated section 10(b) by stating that Equifax was in compliance with
these laws and regulations, when in fact it was not. As stated above, the Court
finds that such a claim is actionable under federal securities laws. If the
Plaintiff adequately alleged that Equifax made false statements concerning its
compliance with these laws, regulations, and standards, then such claims would
not be barred by Santa Fe.
The Defendants next argue that these alleged statements described
Equifax’s ongoing efforts to comply with data protection laws and standards,
and that the statements did not guarantee compliance.248 According to the
Defendants, the Plaintiff has not adequately alleged the falsity of these
statements because the fact that they were not in compliance does not mean
246
Id. ¶ 342.
247
Defs.’ Mot. to Dismiss, at 21.
248
Defs.’ Reply Br., at 23.
that they were not making efforts to comply. However, in the alleged
statements, Equifax did more than just say that it made efforts to comply with
these laws and standards. It stated that it monitored regulatory activities to
“remain in compliance with all applicable laws and regulations,” that it
reviewed its security protocols to “ensure that they continue to meet or exceed
established best practices,” and that it took “great care” to ensure that it
handled personal data in a way that complied with regulations.249 These
statements go beyond merely stating that it made an effort to comply with laws,
regulations, and industry standards, and instead assured that Equifax took
steps to remain in compliance with laws and regulations and meet industry
standards. According to the allegations in the Amended Complaint, Equifax in
reality failed to live up to these assurances.
And even if these statements only conveyed that Equifax made an effort
to comply with data security laws, regulations, and standards, they would still
be false or misleading. A reasonable investor would understand these
statements to assure that the company was making actual, good faith efforts to
maintain a data security protocol that complied with these standards. In reality,
according to the Amended Complaint, data security was not a priority at all for
Equifax’s management.250 The state of Equifax’s cybersecurity reflected a
249
Am. Compl. ¶¶ 340, 342.
250
See, e.g., Am. Compl. ¶¶ 66-67.
“systemic organizational disregard for cybersecurity.”251 Given this context,
these statements were false or misleading. It is misleading to a reasonable
investor to state that Equifax made an effort to comply with data laws,
regulations, and standards when, in fact, Equifax demonstrated a systemic
disregard for cybersecurity. For this reason, these statements concerning efforts
to comply with data laws, regulations, and industry best practices are false or
misleading.
The Defendants also argue that the fact Equifax experienced a
cyberattack does not render their aspirational statements concerning their data
security efforts and compliance false.252 However, as the Court explained with
regard to the statements concerning the adequacy of Equifax’s cybersecurity, the
Plaintiff does not rely solely upon the occurrence of the Data Breach to show the
falsity of the compliance statements. Instead, the Plaintiff alleges that these
statements regarding Equifax’s compliance with data security laws, regulations,
and standards were false due to widespread deficiencies in Equifax’s
cybersecurity and data protocols. According to the Plaintiff, Equifax assured the
public that it made efforts to remain in compliance with data laws, regulations,
and standards, even though in reality its cybersecurity was in a state of
disrepair. Therefore, under the facts alleged, these assurances that Equifax
251
Id. ¶ 66.
252
Defs.’ Mot. to Dismiss, at 17.
made efforts to comply with data protection laws and best practices were false
or misleading.
Next, the Defendants also argue that these allegations fail because,
unlike in the cases relied upon by the Plaintiff, the Plaintiff’s allegations do not
show that the Defendants had contemporaneous knowledge of the facts
contradicting their statements concerning legal compliance.253 However, this
argument addresses whether the Defendants acted with the requisite scienter,
which is addressed below. Whether a statement is false or misleading, and
whether a defendant made such a statement with the requisite state of mind,
are two separate questions. As discussed above, the Plaintiff has adequately
alleged that these statements were false or misleading.
Finally, at oral argument, the Defendants distinguished the cases relied
upon by the Plaintiff. They contended that the defendants’ statements in those
cases concerning their compliance with regulations were false because they had
already been told by regulators that their operations were deficient.254 It is true
that, in some of those cases, the court found the defendants’ statements
misleading due in part to the fact that regulators had informed them of
problems in their operations.255 However, this does not mean that any statement
253
Defs.’ Reply Br., at 24.
254
Transcript of Oral Argument, at 75 [Doc. 83].
255
See, e.g., In re Cryolife, Inc., No. Civ.A.1:02CV1868-BBM, 2003 WL
24015055, at *8-*9 (N.D. Ga. May 27, 2003) (noting that the defendant had
touting compliance with laws, regulations, or industry standards is not false or
misleading if the company has not received communications from regulators.
Instead, this was just one fact that supported the courts’ holdings in those cases.
Here, the Defendants issued statements assuring that Equifax remained in
compliance with data security laws, regulations, and standards, even though its
security systems were grossly deficient. As described above, these statements
were false or misleading to investors, even if Equifax had never received an
enforcement letter from regulators informing it that it was not in compliance
with data laws or regulations.
6. Statements Concerning Internal Controls
The Defendants next move to dismiss the Plaintiff’s allegations
concerning the Defendants’ various statements about Equifax’s internal
controls. In the Amended Complaint, the Plaintiff alleges that Smith and
Gamble certified in SEC filings, pursuant to the Sarbanes-Oxley Act, that
contended it was in compliance with all FDA regulations despite the fact that
it had “received a letter from the FDA documenting specific problems with
Cryolife's quality assurance programs”); In re ValuJet, Inc., 984 F. Supp. 1472,
1477 (N.D. Ga. 1997) (“In the Complaint, the Plaintiffs allege that
representatives of the Federal Aviation Administration (‘FAA’) identified
numerous safety-related incidents involving ValuJet. The Plaintiffs further
allege in the Complaint that in February of 1996, the FAA (1) began surveillance
of ValuJet; (2) expressed written concern about the training of pilots and
ValuJet's safety and maintenance procedures which included numerous,
uncorrected violations; and (3) as a result of the February 1996 inspection,
expressly required ValuJet to get FAA approval before buying more planes or
beginning access to new cities. As alleged in the Complaint, an FAA letter to
Defendant Jordan, dated February 29, 1996, expressed concern about ValuJet's
meeting the highest possible degree of safety in the public interest.”).
Equifax maintained a system of internal controls that would provide “reasonable
assurance regarding prevention or timely detection of unauthorized acquisition,
use or disposition of our assets that could have a material effect on the financial
statements.”256 Nonetheless, according to the Plaintiff, these assurances in
Equifax’s 10-K and 10-Q filings concerning the quality of its internal controls
were materially false or misleading because Equifax lacked adequate
mechanisms for detecting and responding to data breaches.257 The Defendants
move to dismiss the allegations concerning this category of statements. They
argue that the Plaintiff has failed to plead the falsity of the challenged
statements because they address Equifax’s internal controls over financial
reporting, as opposed to controls over data security.258 According to the
Defendants, since these statements exclusively addressed financial reporting
controls at Equifax, deficiencies in Equifax’s cybersecurity mechanisms do not
render these statements false.259 Thus, deficiencies in Equifax’s data breach
protocol do not establish that these statements were false.
The Court concludes that the Plaintiff has failed to show that these
statements are false. “Congress enacted Sarbanes-Oxley to restore investor
confidence in the wake of numerous, highly-publicized, cases of accounting
256
Am. Compl. ¶ 349.
257
Id. ¶¶ 349-53.
258
Defs.’ Mot. to Dismiss, at 30-31.
259
Id. at 31-32.
fraud.”260 The purpose of Sarbanes-Oxley certifications is to ensure that proper
financial reporting processes are undertaken. In In re PetroChina Co. Ltd.
Securities Litigation, the district court rejected a section 10(b) claim premised
upon PetroChina’s Sarbanes-Oxley certifications.261 The court noted that the
plaintiffs’ allegations, concerning bribery by PetroChina officials, did not “imply
that the Company had flawed internal controls over financial reporting.”262 The
court explained that the plaintiffs did “not claim that PetroChina failed to
evaluate its internal controls or disclose any weaknesses to its auditors,” did not
“assert that the certifying officers neglected to inform PetroChina's auditor of
any relevant fraud,” and did not “establish that PetroChina's internal controls
in relation to financial reporting were insufficient; much less does the
[complaint] make any allegation as to how or why PetroChina's internal controls
were inadequate.”263
Likewise, the Plaintiff fails to allege that Equifax had flawed internal
controls over its financial reporting. Even if Equifax’s data breach protocol was
vastly deficient, this does not establish that it had insufficient internal controls
over financial reporting. The Plaintiff has not raised any allegations concerning
260
City of Roseville Emp. Ret. Sys. v. Horizon Lines, Inc., 686 F. Supp.
2d 404, 417 (D. Del. 2009).
261
In re PetroChina Co. Ltd. Sec. Litig., 120 F. Supp. 3d 340, 358-59
(S.D.N.Y. 2015).
262
Id. at 359.
263
Id.
the accuracy of Equifax’s accounting, books, or financial reporting. Therefore,
the Plaintiff has not established that Equifax, Smith, or Gamble’s statements
concerning Equifax’s internal controls over financial reporting were false. A
reasonable investor would understand that certifications under Sarbanes-Oxley
such as these are in the context of financial accounting scandals, and would
recognize that they relate to Equifax’s financial reporting. A reasonable investor
would not take assurances of internal controls to detect improprieties in
accounting and bookkeeping to guarantee that there were systems in place to
deal with cybersecurity breaches. Since the Plaintiff has not alleged that
Equifax’s financial reports were inaccurate in any way, its claims concerning
Smith and Gamble’s certification of proper internal controls pursuant to
Sarbanes-Oxley fail.264 Therefore, the Plaintiff’s claims are dismissed to the
extent that they rely upon statements guaranteeing adequate internal controls
pursuant to Sarbanes-Oxley.
7. Statements of Opinion and Belief
Next, the Defendants contend that many of the challenged statements are
inactionable opinions or statements of belief.265 First, the Defendants contend
that almost all of the alleged statements are inactionable, in part, because they
264
See In re Braskem S.A. Sec. Litig., 246 F. Supp. 3d 731, 758
(S.D.N.Y. 2017) (rejecting securities fraud claims premised upon Sarbanes-Oxley
certifications because the complaint did not “concretely allege that any of
Braskem’s financial reports were in any way inaccurate”).
265
Defs.’ Mot. to Dismiss, at 24-26.
are opinions.266 However, many of these statements that the Defendants contend
are inactionable are not, in fact, opinions. For example, the Defendants contend
that the following statement is an inactionable opinion: “As a trusted steward
of consumer and business information, Equifax employs strong data security
and confidentiality standards on the data we provide and on the access to that
data. We maintain a highly sophisticated data information network that
includes advanced security, protections and redundancies.”267 While such
statements use some indefinite language, they do not constitute a subjective
opinion.
However, some of the allegedly false statements are closer calls.
According to the Defendants, statements such as Smith’s assurance that “I think
we are in a very good position now” are not actionable because the Plaintiff has
not shown that the Defendants did not in fact hold the stated opinions.268 The
Plaintiff contends that this statement, even if an opinion, is actionable because
it did not align with the information in his possession.269 “[C]ertain opinions may
be actionable because ‘if the real facts are otherwise, but not provided, the
266
See generally [Doc. 62-2].
267
See [Doc. 62-2], at 2.
268
Defs.’ Mot. to Dismiss, at 24-25.
269
Pl.’s Br. in Opp’n to Defs.’ Mot. to Dismiss, at 38.
opinion statement will mislead its audience.’”270 An investor “expects not just
that the issuer believes the opinion (however irrationally), but that it fairly
aligns with the information in the issuer’s possession at the time.”271 Opinion
statements can be “misleading in context,” and thus “actionable,” if they “conflict
with what a reasonable investor would take from the statement itself.”272
As discussed in more detail below, the Plaintiff only alleges that Smith
– not the other Individual Defendants – was given specific information as to the
deficiencies in Equifax’s cybersecurity. Around March 2017, Smith oversaw
Mandiant’s audit of Equifax’s systems, where Mandiant warned that these
systems were inadequate. The Plaintiff has not made specific allegations that
Gamble, Ploder, or Dodge had information in their possession contradicting any
opinion statements they issued. Without this knowledge, these opinion
statements are not actionable. Furthermore, any opinion statements Smith
made before receiving these warnings would also not be actionable.
B. Scienter
Next, the Defendants argue that the Plaintiff has failed to plead facts that
give rise to a strong inference of scienter on the part of any of the Defendants.
270
In re Flowers Foods, Inc. Sec. Litig., No. 7:16-CV-222 (WLS), 2018
WL 1558558, at *8 (M.D. Ga. Mar. 23, 2018) (quoting Omnicare, Inc. v. Laborers
Dist. Council Constr. Indus. Pension Fund., 135 S. Ct. 1318, 1328 (2015)).
271
Omnicare, 135 S. Ct. at 1329.
272
Flowers Foods, 2018 WL 1558558, at *8 (quoting Omnicare, 135 S.
Ct. at 1329).
To state a section 10(b) claim, the PSLRA requires a plaintiff “to plead with
particularity facts giving rise to a strong inference that the defendants either
intended to defraud investors or were severely reckless when they made the
allegedly materially false or incomplete statements.”273 A “strong inference” is
an inference that is “cogent and at least as compelling as any opposing inference
one could draw from the facts alleged.”274 This inquiry asks whether all of the
facts alleged, taken as a whole, give rise to this strong inference of scienter.275
Thus, courts must consider the complaint in its entirety, and “not whether any
individual allegation, scrutinized in isolation, meets that standard.”276 This
inquiry is “inherently comparative” because courts must take into account
plausible opposing inferences.277 Where a lawsuit involves multiple defendants
and multiple allegations, moreover, “scienter must be found with respect to each
defendant and with respect to each alleged violation of the statute.”278
273
Mizzaro v. Home Depot, Inc., 544 F.3d 1230, 1238 (11th Cir. 2008)
(internal quotations omitted).
274
Tellabs, Inc. v. Makor Issues & Rights, Ltd., 551 U.S. 308, 324
(2007).
275
Mizzaro, 544 F.3d at 1238.
276
Id. at 1238.
277
Id. at 1239 (quoting Tellabs, 551 U.S. at 323).
278
Phillips v. Scientific-Atlanta, Inc., 374 F.3d 1015, 1017 (11th Cir.
2004).
To move beyond the pleading stage, a plaintiff “must allege facts
sufficiently demonstrating each defendant’s state of mind regarding his or her
alleged violations.”279 But, the PSLRA does permit the aggregation of facts to
infer scienter.280 The factual allegations, taken as a whole, must give rise to this
strong inference as to each Defendant and each alleged violation.281
Circumstantial evidence can be sufficient to establish a strong inference of
scienter.282 Since scienter is a highly fact-intensive inquiry, such questions are
most appropriate for a fact finder.283 “In sum, the reviewing court must ask:
When the allegations are accepted as true and taken collectively, would a
reasonable person deem the inference of scienter at least as strong as any
opposing inference?”284
In the Eleventh Circuit, it is well established that section 10(b) and Rule
10b-5 require a showing of either an intent to deceive, manipulate, or defraud,
279
Id. at 1018.
280
Id. at 1017; see also In re Cabletron Sys., Inc., 311 F.3d 11, 39 (1st
Cir. 2002) (“The plaintiff may combine various facts and circumstances
indicating fraudulent intent—including those demonstrating motive and
opportunity—to satisfy the scienter requirement.” (internal alterations and
quotations omitted)).
281
Phillips, 374 F.3d at 1018.
282
Mizzaro, 544 F.3d at 1249.
283
In re Sci. Atlanta, Inc. Sec. Litig., 754 F. Supp. 2d 1339, 1361 (N.D.
Ga. 2010) (citing S.E.C. v. Merchant Capital, LLC, 483 F.3d 747, 766 (11th Cir.
2007)).
284
Tellabs, 551 U.S. at 326.
or severe recklessness.285 The Eleventh Circuit has defined “severe recklessness”
as:
Severe recklessness is limited to those highly unreasonable
omissions or misrepresentations that involve not merely simple or
even inexcusable negligence, but an extreme departure from the
standards of ordinary care, and that present a danger of
misleading buyers or sellers which is either known to the
defendant or is so obvious that the defendant must have been
aware of it.286
“Plaintiffs may prove such recklessness by providing evidence that defendants
possessed knowledge of facts or access to information contradicting their public
statements, so as to prove that defendants knew or should have known that they
were misrepresenting material facts related to the corporation.”287 “Facts
indicating the scienter may include the particular times, dates, places, or other
details of the alleged fraudulent activity.”288 These particulars “are not required
per se,” but “their absence from the complaint may be indicative of the excessive
generality of the allegations' supporting scienter.”289 “With regard to Individual
Defendants, the question is ‘whether a reasonable person would infer that there
285
Mizzaro, 544 F.3d at 1238.
286
Id. (quoting Bryant v. Avado Brands, Inc., 187 F.3d 1271, 1282 n.18
(11th Cir. 1999)).
287
In re Sci. Atlanta, Inc. Sec. Litig., 754 F. Supp. 2d 1339, 1360 (N.D.
Ga. 2010) (citing Cornwell v. Credit Suisse Grp., 689 F. Supp. 2d 629, 637
(S.D.N.Y. 2010)).
288
In re Coca-Cola Enters. Inc. Sec. Litig., 510 F. Supp. 2d 1187, 1199
(N.D. Ga. 2007).
289
Id. (internal quotations omitted).
was at least a fifty-fifty chance that the individual defendants knew about the
alleged fraud (or were severely reckless in not knowing about it) based on its
nature, duration, or amount.’”290
Here, the Plaintiff attempts to plead scienter by alleging, among other
things, that: (1) the Defendants received numerous warnings concerning the
inadequacies of Equifax’s cybersecurity; (2) the Defendants were aware of the
breach by late July 2017, but failed to disclose the breach and continued to make
false statements until September 7, 2017; (3) the false and misleading
statements concerned one of the most significant issues and severe risks that
Equifax faced; (4) the Defendants were in charge of cybersecurity and received
routine updates about the state of Equifax’s data security; (5) the egregiousness
of the deficiencies in Equifax’s data security practices supports an inference of
scienter; (6) the sudden departure of high-ranking officers at Equifax after
disclosure of the Data Breach supports a finding of scienter; and (7) suspicious
stock sales by Gamble and Ploder support an inference of scienter.291 Since
scienter is an essential element of a securities fraud claim, the Plaintiff must
create a strong inference – one that is “cogent and compelling” – that the
Defendants knew about the deficiencies in Equifax’s cybersecurity, or were
severely reckless in not knowing about it, when they made the allegedly false or
290
In re Ebix, Inc. Sec. Litig., 898 F. Supp. 2d 1325, 1344 (N.D. Ga.
2012) (quoting Mizzaro, 544 F.3d at 1249)).
291
Am. Compl. ¶¶ 267-84.
misleading statements.292 The Court concludes that the allegations in the
Amended Complaint establish a strong inference of scienter as to Equifax and
Smith. However, these facts, even when taken together, do not give rise to a
strong inference of scienter as to Gamble, Dodge, and Ploder.
1. Warnings About Data Security Deficiencies
First, the Defendants argue that alleged warnings of deficiencies in
Equifax’s cybersecurity fail to support a strong inference of scienter as to any of
the Individual Defendants.293 In the Amended Complaint, the Plaintiff alleges
that the “Defendants received numerous warnings . . . that Equifax’s
cybersecurity was inadequate to protect the sensitive personal information in
its custody” and that this contributes to a finding of scienter.294 Specifically, the
Plaintiff alleges that: (1) Deloitte and KPMG issued audit reports detailing
several problems with Equifax’s cybersecurity, but Equifax’s management did
not take these reports seriously;295 (2) Smith oversaw a March 2017
investigation by security consulting firm Mandiant, in which Mandiant warned
that Equifax’s cybersecurity was inadequate and contained critical
weaknesses;296 (3) security researchers warned Equifax that cybersecurity
292
Mizzaro, 544 F.3d at 1247.
293
Defs.’ Mot. to Dismiss, at 35.
294
Am. Compl. ¶ 268.
295
Id. ¶¶ 71, 269.
296
Id. ¶ 268.
deficiencies existed, including an “immense cache of personal consumer
information” that was accessible through public-facing websites;297 (4) Equifax
received clear warnings about the Apache Struts vulnerability from both the
government and its own employees;298 (5) Equifax employees warned
“management” that the company’s cybersecurity was inadequate, but data
security was not a priority for management;299 and (6) Equifax’s prior breaches
revealed cybersecurity vulnerabilities to the Defendants.300 According to the
Defendants, these allegations do not give rise to a strong inference of scienter
because the Plaintiff has failed to plead facts showing that these supposed
warnings were ever communicated to any of the Individual Defendants.301
The Court finds that these allegations provide sufficient circumstantial
evidence to conclude that Smith was aware of the warnings concerning the
deficiencies in Equifax’s cybersecurity. In the Amended Complaint, the Plaintiff
alleges that Equifax hired Mandiant in early 2017 to conduct a cybersecurity
audit after the W2Express breach in 2016.302 Specifically, the Plaintiff alleges
that “Equifax hired cybersecurity firm Mandiant to investigate weaknesses in
297
Id. ¶ 269.
298
Id. ¶ 271.
299
Id.
300
Id. ¶ 270.
301
Defs.’ Mot. to Dismiss, at 35-36.
302
Am. Compl. ¶ 13.
its data protection systems” and that “Smith was personally overseeing, and
closely monitoring the progress of, this investigation.”303 This allegation is based
upon a Bloomberg report published in the wake of the Data Breach. The
Plaintiff alleges that Mandiant “warned Equifax that its unpatched systems and
misconfigured security policies could indicate major problems.”304 However,
instead of heeding Mandiant’s advice, Equifax allegedly disputed the firm’s
findings and declined to engage in a broader review of Equifax’s data security.305
Based upon this, the Court concludes that the Plaintiff adequately alleges that
Smith knew, or was severely reckless as to the existence of, warnings of serious
deficiencies in Equifax’s cybersecurity after receiving Mandiant’s warnings in
early 2017.
The Defendants then argue that these allegations should not be given
weight because they are based upon articles in Bloomberg and Motherboard that
rely upon anonymous sources.306 In Mizzaro, the Eleventh Circuit addressed the
question of how to weigh allegations based upon confidential witness reports.307
303
Id. ¶ 91 (emphasis omitted).
304
Id. ¶ 92.
305
Id. ¶ 93.
306
Defs.’ Mot. to Dismiss, at 36-37.
307
See Mizzaro, 544 F.3d at 1239 (“One topic Tellabs did not address
is how courts should go about evaluating allegations based on statements made
by unidentified, confidential witnesses. The issue is important here because
statements by confidential witnesses form one of the main building blocks of the
amended complaint.”).
There, the court noted that “[a]lthough a whistleblower who demands
confidentiality may be less credible than one who is willing to put his name
behind his accusations,” allegations based on such statements are not “heavily
discounted” in all cases.308 It explained that “the weight to be afforded to
allegations based on statements proffered by a confidential source depends on
the particularity of the allegations made in each case, and confidentiality is one
factor that courts may consider.”309 “Confidentiality, however, should not
eviscerate the weight given if the complaint otherwise fully describes the
foundation or basis of the confidential witness's knowledge, including the
position(s) held, the proximity to the offending conduct, and the relevant time
frame.”310
In the Amended Complaint, the Plaintiff bases some of its allegations
upon news articles citing anonymous sources. For example, the Plaintiff bases
some of its allegations on a Bloomberg article reported on September 29, 2017.311
That article explained that the Mandiant investigation was “described internally
as ‘a top-secret project’ and one that Smith was overseeing personally, according
to one person with direct knowledge of the matter.”312 The Plaintiff also
308
Id. at 1239.
309
Id. at 1240.
310
Id.
311
Am. Compl. ¶¶ 91-93.
312
Id. ¶ 91 (emphasis omitted).
premised some of its allegations upon an article published in Motherboard on
October 26, 2017. Despite the fact that these news articles rely in part on
anonymous sources, the Court declines to completely discount the allegations
that rely upon them. This Court has previously noted that pleading
requirements under the PSLRA can easily be satisfied with references to
“internal memoranda” and “news articles.”313 News articles, which frequently
rely upon unnamed sources, constitute reliable bases for allegations. Therefore,
the Court does not discount the allegations based upon these two articles merely
because they cite anonymous sources. And, even if the Plaintiff did in fact rely
solely upon information derived from an anonymous source, and not information
from a news article, these allegations would still be entitled to weight. The
Bloomberg article cites two independent sources, with direct knowledge, who
corroborate each other’s assertions.314 Furthermore, the Motherboard article
provides statements from several former Equifax employees, providing both
their positions and tenure in the company.315 The Court therefore finds that the
allegations based upon these news articles are entitled to due consideration.
313
In re Theragenics Corp. Sec. Litig., 105 F. Supp. 2d 1342, 1355
(N.D. Ga. 2000).
314
Am. Compl. ¶¶ 91-94.
315
See, e.g., id. ¶ 77 (“Regarding those warnings, in an October 26,
2017 article entitled ‘Equifax Was Warned,’ Motherboard reported that
according to a former member of Equifax’s cybersecurity team who left the
Company in 2017, the Company had hired Deloitte to perform a security audit
in 2016.”); see also id. ¶¶ 78, 80-83.
However, the Plaintiff's allegations of scienter fail as to the rest of the
Individual Defendants. The Plaintiff has not provided sufficiently
“particularized averments of fraud or scienter” as to Gamble, Ploder, and Dodge
to give rise to a strong inference that they acted with knowledge or severe
recklessness.316 “Claims of securities fraud cannot rest on speculation and
conclusory allegations.”317 The Plaintiff has not adequately pleaded that Gamble,
Ploder or Dodge ever received any of these purported warnings as to the
shortcomings in Equifax’s data security. Instead, the Plaintiff relies upon
general allegations that Equifax “management” was warned but did not heed
experts’ advice.318 Such generalities do not establish a strong inference of
scienter. The Plaintiff has not alleged “which defendant knew what, how they
knew it, or when” with regard to these warnings.319
316
Garfield v. NDC Health Corp., 466 F.3d 1255, 1265 (11th Cir.
2006).
317
Id. (internal quotations omitted).
318
See, e.g., Am. Compl. ¶ 254 (“For example, as alleged above, a
former Equifax employee told Motherboard that Company management refused
to take seriously the conclusions of a 2016 Deloitte security audit that found
multiple serious deficiencies in the Company’s infrastructure, including poor
patching.”).
319
In re Theragenics Corp. Sec. Litig., 105 F. Supp. 2d 1342, 1361
(N.D. Ga. 2000) (quoting In re Comshare, Inc. Sec. Litig., No. 96-737-DT, 1997
WL 1091468, at *8 (E.D. Mich. Sept. 18, 1997)).
The Plaintiff relies upon In re ChoicePoint, Inc. Securities Litigation320
to support its argument that these allegations sufficiently plead scienter.321
However, that case is distinguishable. In ChoicePoint, the plaintiffs alleged that
the defendants misrepresented the existence and severity of data security
problems within the company prior to a data breach.322 The court concluded that
the plaintiffs adequately alleged scienter. Specifically, the plaintiffs alleged that
the individual defendants “had access to internal information demonstrating the
falsity of the public statements and were confronted by employees,” that
employees specifically warned each of the individual defendants about the
company’s inadequate security procedures, and that some of the individual
defendants learned of the company’s data breach and subsequently sold millions
of dollars of their company stock. In contrast, the Plaintiff has not alleged that
Gamble, Dodge, and Ploder were specifically warned about the problems with
Equifax’s data security, and did not specifically allege that each of these
defendants had access to information contradicting their public statements.
Instead, the Plaintiff relies on general allegations that “management” was
warned. Such an allegation requires the Court to assume that Gamble, Dodge,
320
In re ChoicePoint, Inc. Sec. Litig., No. 1:05-CV-00686-JTC, 2006
WL 8429145 (N.D. Ga. Nov. 21, 2006).
321
Pl.’s Br. in Opp’n to Defs.’ Mot. to Dismiss, at 41.
322
In re ChoicePoint, at *1-2.
and Ploder were part of this group of “management” that received these
warnings. This assumption does not give rise to a strong inference of scienter.
The Plaintiff also argues that this stringent requirement for scienter
ignores recklessness as a way to establish scienter. According to the Plaintiff,
it is not required to provide “smoking gun” evidence of scienter, but instead can
establish recklessness through the Individual Defendants’ “access to a plethora
of information clearly and directly contradicting their public statements
regarding cybersecurity.”323 While it is true that the Plaintiff need not provide
a “smoking gun” of scienter, it also cannot rely on generalities and chains of
inferences. The Plaintiff must allege specific facts as to each defendant and each
challenged statement that give rise to a strong inference of scienter. To establish
a strong inference of recklessness, the Plaintiff must allege facts showing that
the risk of misleading investors was so obvious that the Defendants must have
been aware of it. The Plaintiff’s allegations fail to meet this standard.
The Defendants also argue that, even if these warnings and concerns had
been communicated to the Individual Defendants, the Plaintiff fails to plead
facts establishing that they agreed with any of these concerns or were severely
reckless in not believing them.324 Thus, with regard to Smith, even though he
personally oversaw the Mandiant audit, the Plaintiff does not allege that he
323
Pl.’s Br. in Opp’n to Defs.’ Mot. to Dismiss, at 42.
324
Defs.’ Mot. to Dismiss, at 38-39.
agreed with the firm’s conclusion that Equifax’s cybersecurity was deficient.
However, the Plaintiff need not allege that Smith agreed subjectively with
Mandiant’s concerns to establish scienter. In Omnicare, the Supreme Court
explained that an issuer’s statement that its conduct is lawful, when made
contrary to its lawyers’ advice, can give rise to a section 10(b) claim.325 Similarly,
Smith’s statements touting Equifax’s cybersecurity, despite his knowledge of
experts’ advice to the contrary, are actionable.
Next, the Defendants argue that the prior data breaches fail to establish
a strong inference of scienter because they did not put them on notice of
inadequacies in Equifax’s systems.326 In the Amended Complaint, the Plaintiff
alleges that the prior W2Express, LifeLock, and TALX breaches warned the
Defendants that Equifax’s cybersecurity was vulnerable.327 Thus, according to
the Plaintiff, the Defendants knew or were severely reckless as to the deficient
state of Equifax’s cyberdefenses. According to the Defendants, the Plaintiff has
not pleaded facts showing that these prior incidents were symptomatic of
broader cybersecurity problems, and thus cannot be used to show that the
Defendants were aware of the deficiencies in the data systems. The Defendants
argue that these breaches did not put them on warning because none of them
325
Omnicare, Inc. v. Laborers Dis. Council Const. Indus. Pension
Fund., 135 S. Ct. 1318, 1328-29 (2015).
326
Defs.’ Mot. to Dismiss, at 39-40.
327
Am. Compl. ¶¶ 73-75, 84-90.
“remotely resemble[d]” the attack in the Data Breach.328 According to the
Defendants, these prior breaches did not involve the same exact exploitation of
unpatched software vulnerabilities.
The Court agrees with the Plaintiff that these prior breaches were
symptomatic of a larger cybersecurity problem. The Amended Complaint details
how these prior incidents were the result of many of the same problems that
contributed to the Data Breach here. According to the Amended Complaint,
these previous breaches resulted from, or were exacerbated by, poor
authentication measures and inadequate network monitoring.329 In fact, after
one of these incidents, Equifax acknowledged that it would need to implement
additional monitoring and blocking measures to protect the data in its
328
Defs.’ Reply Br., at 1-2.
329
See Am. Compl. ¶ 69 (“The hackers gained unauthorized access to
data on Equifax’s computer systems by using publicly available information to
answer security questions and bypass authentication measures.”); id. ¶ 70
(“Because Equifax failed to implement adequate network monitoring safeguards,
hackers were able to repeatedly penetrate Equifax’s network for approximately
eight months before the Company finally detected the ‘suspicious inquiries’ in
January 2014.”); id. ¶¶ 73-74 (“Once again, Equifax’s inadequate network
monitoring practices compounded the magnitude of its failure to implement
proper authentication protocols: the W2Express hackers first penetrated the
Company’s networks in early 2015 and remained undetected inside Equifax’s
networks for approximately one year before they were discovered, just as
hackers had done during the cyberattack that occurred the previous year.”); id.
¶¶ 85-89 (noting that poor authentication measures and inadequate networking
caused and aggravated the TALX breach).
custody.330 Thus, Equifax understood that these deficiencies contributed to prior
breaches. These prior breaches demonstrated the same, repeated network
failures, and contrary to the Defendants’ assertions, did depict fundamental
problems in Equifax’s cybersecurity.
Nonetheless, the Plaintiff has failed to allege that the Individual
Defendants, except for Smith, knew, or were severely reckless as to the fact that,
these prior breaches were symptomatic of fundamental security problems.
Although the Plaintiff adequately alleges that these prior breaches involved
some of the same problems involved in the Data Breach, it has not alleged that
Gamble, Dodge, or Ploder had specific knowledge, or access to specific facts,
informing them that these prior breaches involved these specific issues. Absent
such allegations, the Plaintiff has failed to allege that the Individual Defendants
other than Smith knew that the prior breaches involved these authentication
and monitoring issues, or that they were severely reckless as to this fact.
Without knowing that these breaches were specifically caused by authentication
and network monitoring issues, these Defendants would not have been put on
notice that there were shortcomings in these areas of security. Without this
knowledge, these previous breaches do not serve as warnings of the many
330
Id. ¶ 70 (“In its March 2014 letter, Equifax assured the New
Hampshire Attorney General that the Company would implement ‘additional
monitoring and blocking measures’ to protect at-risk information.”).
cybersecurity deficiencies that the Plaintiff alleges in the Amended Complaint,
and thus cannot establish scienter.
However, these prior breaches do help establish scienter as to Smith. As
explained above, Equifax hired Mandiant in early 2017 in response to the TALX
breach.331 Smith personally oversaw and closely monitored this investigation by
Mandiant.332 Mandiant then confirmed in its review that Equifax’s systems were
grossly inadequate, and warned that Equifax’s failure to patch vulnerabilities
could present problems. Thus, Smith was personally aware of Mandiant’s
investigation and the results of this investigation, and knew that this
investigation had been initiated due to the prior TALX breach. Thus, these
allegations are sufficient to infer that Smith knew, or was severely reckless as
to the fact that, the TALX breach was the result of deficiencies in Equifax’s
cybersecurity. Therefore, the Court concludes that the TALX breach along with
Mandiant’s audit report contribute to a finding of scienter as to Smith.
According to the Amended Complaint, the Mandiant investigation was a “top-secret
project” that Smith was “overseeing personally.”333 Smith, at least, had
access to facts showing that the cybersecurity was seriously deficient, which
331
Am. Compl. ¶ 91.
332
Id.
333
Am. Compl. ¶ 91.
would contribute to a conclusion that he was at least severely reckless in
making statements touting Equifax’s cybersecurity.
2. Knowledge of the Data Breach
Next, the Plaintiffs argue that Equifax Senior Management’s knowledge
of the Data Breach raises a strong inference of scienter.334 In the Amended
Complaint, the Plaintiff alleges that Senior Management, including the
Individual Defendants were “well aware” of the Data Breach by “late July 2017,”
but nonetheless failed to disclose the incident and continued to make false
statements concerning Equifax’s data security.335 Thus, according to the
Plaintiff, the Defendants knowingly or recklessly made false statements because
they knew of the Data Breach. The Defendants argue that these allegations
concerning the Defendants’ knowledge of the Data Breach fail to give rise to a
strong inference of scienter.336
First, the Defendants argue that each of the challenged statements
attributed to Gamble, Ploder, and Dodge, and all but one of the statements
attributed to Smith, are alleged to have been made on or before July 27, 2017.337
Thus, as to these statements, the Individual Defendants could not have known
or been severely reckless as to the risk of misleading investors since they did not
334
Pl.’s Br. in Opp’n to Defs.’ Mot. to Dismiss, at 47.
335
Am. Compl. ¶ 272.
336
Defs.’ Mot. to Dismiss, at 44.
337
Id. at 44.
know of the existence of the Data Breach. The Court agrees. The Plaintiff has
not shown that Gamble, Dodge, or Ploder made any of the challenged
statements after they allegedly became aware of the Data Breach in late July
2017.338 Thus, these Individual Defendants’ knowledge of the Data Breach does
not establish scienter as to any of their specific alleged violations.
However, these allegations do support a finding of scienter as to Smith.
On August 16, 2017, after discovery of the Data Breach, Smith made comments
regarding Equifax’s data security in a speech at the University of Georgia.339
The factual allegations in the Amended Complaint support a finding that Smith
made these statements with the requisite scienter. By this point, Mandiant had
already informed Smith that it was likely that a large amount of personally
identifiable information had been compromised in the Data Breach.340
Furthermore, Smith had personally overseen the previous Mandiant
investigation in March 2017, in which Mandiant concluded that Equifax’s
cybersecurity practices were grossly inadequate.341 Thus, Smith, despite
knowing that the sensitive data had been compromised in the Data Breach, and
despite personally overseeing this previous investigation by Mandiant,
338
At the earliest, according to the Complaint, the Defendants became
aware of the Data Breach on July 29, 2017. See, e.g., Am. Compl. ¶ 15.
339
Am. Compl. ¶ 334.
340
Id. ¶ 122.
341
Id. ¶¶ 91-92.
nonetheless stated that data security is “a huge priority for us” and that it was
his “number one worry.”342 These allegations are sufficient to raise a strong
inference that Smith made this statement with the requisite scienter.
The Defendants argue that, even assuming Smith was aware of the Data
Breach when he made this statement, “such knowledge would not reasonably
have suggested that it would be misleading to state that data security was a
‘huge priority’ and ‘his number one worry.’”343 However, these arguments do not
address whether Smith acted with the necessary scienter. Instead, they ask
whether the statements were false or misleading – which is a separate inquiry.
The Defendants conflate the two issues. As discussed above, these statements
were false or misleading because a reasonable investor would understand this
statement to convey that there was no significant security breach when it was
made. The Defendants also argue that scienter as to this statement is not
adequately alleged because the Plaintiff did not plead facts that Smith knew the
statements were false or misleading. However, as explained above, Smith made
these statements despite his knowledge of Mandiant’s warnings concerning
Equifax’s deficiencies. Such knowledge, even if Smith disagreed with it,
contributes to an inference of recklessness.
3. Core Business Operation
342
Id. ¶ 334.
343
Defs.’ Mot. to Dismiss, at 45.
The Plaintiffs next argue that the fact that the alleged violations
concerned one of the most critical risks facing Equifax contributes to a strong
inference of scienter.344 However, the fact that an alleged fraud concerned a
company’s core business does not itself establish a strong inference of scienter.
“[I]t is not automatically assumed that a corporate officer is familiar with
certain facts just because these facts are important to the company's business;
there must be other, individualized allegations that further suggest that the
officer had knowledge of the fact in question.”345 Instead, “a person's status as
a corporate officer, when considered alongside other allegations, can help
support an inference that that person is familiar with the company's most
important operations.”346
However, this argument fails to establish scienter.347 It is insufficient for
a plaintiff to make “conclusory allegations that the Defendants had access to the
'true facts' in order to demonstrate scienter, particularly where the complaint
fails to allege ‘which defendant knew what, how they knew it, or when.’”348 The
344
Pl.’s Br. in Opp’n to Defs.’ Mot. to Dismiss, at 48.
345
In re Heartland Payment Sys., Inc. Sec. Litig., Civ. No. 09-1043,
2009 WL 4798148, at *7 (D.N.J. Dec. 7, 2009).
346
Id.
347
See In re Coca-Cola Enters. Sec. Litig., 510 F. Supp. 2d 1187,
1200-01 (N.D. Ga. 2007) (“[T]he Plaintiffs have failed to plead facts sufficient to
demonstrate that the Defendants engaged in channel stuffing.”).
348
Id. at 1201 (quoting In re Theragenics Corp. Sec. Litig., 105 F.
Supp. 2d 1342, 1361 (N.D. Ga. 2000)).
Plaintiff’s allegations that cybersecurity was critical to Equifax’s business
operations fail to establish scienter as to Dodge, Ploder, and Gamble. The
Plaintiff must plead specific facts establishing that the Individual Defendants
knew of, or were severely reckless as to, the existing deficiencies in Equifax’s
data systems. General allegations that cybersecurity is critical to Equifax’s
business may, in totality, contribute to a finding of scienter. However, absent
allegations that Gamble, Ploder, or Dodge had access to specific facts showing
these problems, this argument fails.
The Eleventh Circuit’s decision in Garfield v. NDC Health Corporation
is instructive.349 There, the plaintiff alleged that the defendants attended
monthly operations meetings where every aspect of the business was discussed
in detail, including “the aggressive channel stuffing and mounting problems
with accounts recevable (sic)” that were at the center of the plaintiff's fraud
allegations.350 The plaintiff also alleged that testimonial evidence by a former
senior executive would show that the defendants knew of these problems.351 The
court concluded that these allegations failed to establish scienter due to the
absence of “particularized averments of fraud or scienter.”352 The plaintiff's
broad claims lacked the requisite detail because “it failed to allege what was
349
Garfield v. NDC Health Corp., 466 F.3d 1255 (11th Cir. 2006).
350
Id. at 1264.
351
Id.
352
Id. at 1265.
said at the meeting, to whom it was said, or in what context.”353 The court
explained that “[a] general allegation that Individual Defendants promoted
channel stuffing at a series of meetings does not establish scienter.”354
Here, the Plaintiff fails to establish a strong inference of scienter based
upon Dodge, Ploder, and Gamble’s roles in the company. The Amended
Complaint fails to allege what warnings were given to each of these specific
Individual Defendants, when those warnings were conveyed to these Individual
Defendants, what was said in such warnings, and in what context those
warnings were made.355 Generally, the Plaintiff alleges that these Individual
Defendants, based upon their positions and their general duty to monitor the
operations of Equifax's networks and systems, must have known about the
deficient state of its cybersecurity. The Amended Complaint, however, fails to
provide specific factual allegations as to a "time, place or manner" in which any
of the Individual Defendants were specifically warned of these cybersecurity
deficiencies.356 Therefore, these allegations are insufficient to support an
inference of scienter.
353
Id.
354
Id.
355
In re Coca-Cola Enters. Sec. Litig., 510 F. Supp. 2d 1187, 1201
(N.D. Ga. 2007).
356
Id. (“The Amended Complaint fails to provide any specific
allegations regarding a time, place or manner in which any of the Individual
Defendants was specifically informed or indicated special knowledge as to CCE's
channel stuffing activities.”).
The Plaintiff cites In re Ebix, Inc. Securities Litigation. There, the court
concluded that the factual allegations gave rise to a strong inference that the
defendants were at least severely reckless in their representations due to the
defendants’ “roles within the company (CEO and CFO), their active
participation in press releases, earnings calls, and SEC filings dealing with the
issues focused on in the [complaint], and the nature, duration and extent of the
fraud alleged.”357 However, Ebix is distinguishable from this case because there
the plaintiff alleged "specific communications to and from the Individual
Defendants regarding these issues."358 In contrast, the Plaintiff here has not
alleged any specific communications to or from any of the Individual Defendants
concerning the state of Equifax's cybersecurity. Without these types of specific
allegations, the Plaintiff fails to establish a strong inference that the Individual
Defendants were severely reckless in their representations concerning Equifax's
data security.
Thus, these general allegations that cybersecurity was a core business
operation do not support an inference that Dodge, Gamble, or Ploder knowingly
or recklessly misrepresented the state of Equifax's networks when they stated
that cybersecurity was one of Equifax's top priorities. These allegations do
contribute to a finding of scienter as to Smith, when taken into account with the
357
Ebix, 898 F. Supp. 2d at 1346-47.
358
Id. at 1347.
other, more specific allegations as to his knowledge of problems with Equifax’s
data security. However, on their own, these allegations do not establish a strong
inference of scienter.
4. Defendants’ Assurances
Next, the Plaintiff argues that the Defendants assured investors that they
were focused on cybersecurity and compliance with data security laws, and that
these assurances support an inference of scienter.359 The Plaintiff cites In re
Theragenics Corp. Securities Litigation in support of this argument.360 However,
the facts of that case are distinguishable. This Court in Theragenics did not hold
that the defendants’ assurances that they were monitoring their competitor’s
performance supported an inference of scienter. Instead, the plaintiffs there
alleged that the defendants did in fact continually monitor the performance of
their competitor, establishing that they knew their statements were false or
misleading. In contrast, the Plaintiff here has not shown that the Individual
Defendants, aside from Smith, were monitoring Equifax’s cybersecurity or had
access to specific information or warnings that would have established that they
knew or were severely reckless as to the falsity of the statements they made.
In essence, the Plaintiff argues that the Defendants stated that they were
closely monitoring Equifax’s cybersecurity, and that from this, one can infer that
359
Pl.’s Br. in Opp’n to Defs.’ Mot. to Dismiss, at 50.
360
In re Theragenics Corp. Sec. Litig., 137 F. Supp. 2d 1339, 1348
(N.D. Ga. 2001).
they must have known about the problems with data security. However, the fact
that the Defendants stated that they were closely monitoring Equifax’s network
security does not establish that they knew of, or were severely reckless to the
existence of, these cybersecurity deficiencies. These allegations are too general.
Instead, the more plausible inference is that the Individual Defendants, besides
Smith, were negligent with regard to their management and monitoring of
cybersecurity. In the cases relied upon by the Plaintiff, the plaintiffs alleged that
the defendants were in fact monitoring the events underlying the false or
misleading statements, and thus knew or were severely reckless to the fact that
the statements made were false.361 Scienter was not established in those cases
merely because the defendants assured investors that they were monitoring
those underlying events, as the Plaintiff here alleges. This argument, which
requires additional inferential steps, is insufficient to establish scienter as to
Gamble, Ploder, and Dodge.
5. Egregiousness of Cybersecurity Deficiencies
361
See In re Immucor Inc. Sec. Litig., No. 1:05-CV-2276-WSD, 2006
WL 3000133, at *18 (N.D. Ga. Oct. 4, 2006) (“That Gallup never disclosed the
full scope of the Italian situation, even after it is apparent that he knew of its
scope and gravity, lends strength to the inference that Gallup intentionally or
recklessly withheld from investors a full and fair statement of the problems in
Italy and their possible consequences.”); In re Theragenics Corp. Sec. Litig., 137
F. Supp. 2d 1339, 1348 (N.D. Ga. 2001) (noting that the plaintiffs’ scienter claim
was based, in part, on their “claim that Theragenics closely and continually
monitored the performance of Amersham, its largest competitor”).
The Defendants next contend that the Plaintiff’s allegations as to the
“egregiousness” of the shortcomings in Equifax’s data security fail to support a
strong inference of scienter.362 Instead, according to the Defendants, these
allegations merely constitute hindsight criticism as to the manner in which
Equifax managed cybersecurity.363 The Plaintiff argues that the magnitude,
scope, and duration of the deficiencies in Equifax’s cybersecurity systems were
such that they could not have escaped the notice of the Defendants and other
senior management, and that this supports an inference of scienter.364 And,
according to the Plaintiff, this is compounded by the fact that the Defendants
allegedly represented that they were “closely monitoring” Equifax’s data
security.365 The Court concludes, however, that the egregiousness of Equifax’s
cybersecurity problems, without more specific allegations, fails to establish
scienter. Once again, as discussed above, the Plaintiff has failed to establish
that Dodge, Gamble, or Ploder knew of or were severely reckless as to these
egregious deficiencies. The severity of these problems, if taken into account with
other specific factual allegations supporting scienter, could help establish an
inference of scienter. However, here those other allegations are absent. Without
those allegations, the Plaintiff has failed to establish an inference that is cogent
362
Defs.’ Mot. to Dismiss, at 46-47.
363
Id.
364
Pl.’s Br. in Opp’n to Defs.’ Mot. to Dismiss, at 51.
365
Id. at 51.
and compelling, and just as likely as other, more innocent explanations. Even
if these problems were severe and widespread, it is still more plausible to infer
that these Individual Defendants were negligent, rather than something more
insidious.
6. Stock Sales
Next, the Plaintiff argues that suspicious stock sales by Gamble and
Ploder support an inference of scienter. “[T]he timing of stock trades by insiders
also may be relevant to inferring scienter.”366 “Stock sales or purchases timed to
maximize returns on nonpublic information weigh in favor of inferring scienter;
the lack of similar sales weighs against inferring scienter.”367 “To demonstrate
the relevance of stock trades to the issue of scienter, a plaintiff ‘bear[s] the
burden of showing that sales by insiders were in fact unusual or suspicious in
amount and in timing.’”368
Here, the Court concludes that the stock sales fail to establish scienter.
First, the Plaintiff fails to allege that any of the other Individual Defendants,
including Smith, the CEO, engaged in insider trading. This alone undermines
any inference that these stock sales contribute to a finding of scienter.369 Second,
366
Mizzaro v. Home Depot, Inc., 544 F.3d 1230, 1253 (11th Cir. 2008).
367
Id.
368
In re Coca-Cola Enters. Inc. Sec. Litig., 510 F. Supp. 2d 1187, 1202
(N.D. Ga. 2007) (quoting Druskin v. Answerthink, Inc., 299 F. Supp. 2d 1307,
1335 (S.D. Fla. 2004)).
369
Id.
the stock sales, which can constitute circumstantial evidence that Gamble and
Ploder knew that Equifax’s stock price was artificially inflated, cannot on their
own establish scienter as to these Defendants. However, as discussed above, the
Plaintiff has failed to provide more than general allegations that any of the
Individual Defendants, besides Smith, made misstatements with knowledge or
severe recklessness toward their falsity. This circumstantial evidence fails to
meet the stringent pleading requirements under the PSLRA that the allegations
give rise to a strong inference of scienter.
There is no doubt that these sales by Gamble and Ploder are suspicious,
especially given their timing. They contribute to an inference of scienter, but
they are not sufficient on their own to raise a strong inference of scienter with
regard to Gamble and Ploder as to the alleged violations.370 The stock sales could
have, when aggregated with other facts, contributed to a finding of a strong
inference of scienter. However, they cannot establish this strong inference on
their own.371 This is compounded by the fact that the other Individual
Defendants, including Smith, did not engage in similarly suspicious stock
370
In re Spectrum Brands, Inc. Sec. Litig., 461 F. Supp. 2d 1297, 1318
(N.D. Ga. 2006) (“The sales contribute to an inference of scienter as to Jones, but
are not alone sufficient to raise a strong inference that Jones acted with scienter
in committing the acts of securities fraud alleged.”).
371
In re Theragenics Corp. Sec. Litig., 105 F. Supp. 2d 1342, 1361
(N.D. Ga. 2000) (“[T]he Plaintiffs in this case cannot base scienter on stock sales
alone. The stock sales may constitute circumstantial evidence that Defendants
Jacobs and Smith knew Theragenics' stock price was artificially inflated and
may support a strong inference of scienter.”).
sales.372 Thus, given the lack of other specific factual allegations establishing
scienter as to these Defendants, the suspicious stock sales by Gamble and Ploder
fail to give rise to a strong inference of scienter on their own.
7. Sudden Resignations of Equifax Officers
Next, the Plaintiff contends that the sudden departures of high-ranking
Equifax executives support an inference of scienter.373 On September 15, 2017,
about a week after public disclosure of the Data Breach, Chief Security Officer
Susan Mauldin and Chief Information Officer David Webb resigned from
Equifax.374 On September 26, 2017, Smith retired from Equifax, without
severance, effective immediately.375 The Equifax Board of Directors announced
that it had the power to retroactively classify Smith as having been fired for
cause, which includes intentional or reckless misconduct.376 According to the
Plaintiff, the circumstances surrounding these departures of senior executives
establish a strong inference that “there were profound failures in [Equifax’s]
data protection practices that were the result of reckless or intentional
misconduct.”377
372
Coca-Cola, 510 F. Supp. 2d at 1202.
373
Pl.’s Br. in Opp’n to Defs.’ Mot. to Dismiss, at 53-54.
374
Am. Compl. ¶ 280.
375
Id. ¶ 281.
376
Id.
377
Id. ¶ 282.
Some courts have concluded that the resignation of corporate officers, in
certain contexts, can support an inference of scienter.378 However, in those cases,
the context of the executives’ resignations was important. The fact that an
executive resigned, on its own, does not support an inference of scienter.
Instead, the circumstances of the resignation must suggest that intentional or
reckless misconduct had occurred. For example, in In re Home Loan Servicing
Solutions, Ltd. Securities Litigation, cited by the Plaintiff, the court concluded
that scienter was established as to a defendant who, among other things, was
“at the epicenter” of the business, who was “forced to resign,” and who
regulatory documents indicated was “engaged in improper transactions.”379
Similarly, in In re OSG Securities Litigation, the court concluded that the
resignations of two executives supported an inference of scienter when the
“circumstances and timing of the resignations” suggest that both defendants
were terminated in relation to the undisclosed tax issue underlying the fraud
claims.380 The court noted that “[a]lthough the decision to terminate the
378
See, e.g., In re Home Loan Servicing Sols., Ltd. Sec. Litig., No. 16-
cv-60165-WPD, 2016 WL 10592320, at *7 (S.D. Fla. June 6, 2016) (noting that
the fact that a corporate officer “was forced to resign” contributed to a finding
of scienter); In re OSG Sec. Litig., 12 F. Supp. 3d 622, 632 (S.D.N.Y. 2014) (“The
circumstances and timing of the resignations suggest that both defendants were
‘terminated in relation to the undisclosed tax issue.’”).
379
In re Home Loan Servicing Sols., Ltd. Sec. Litig., 2016 WL
10592320, at *7.
380
In re OSG Sec. Litig., 12 F. Supp. 3d at 632.
defendants does not negate the possibility of mere negligence in mismanaging
the Section 956 issue, it more likely suggests a higher level of wrongdoing
approaching recklessness or even conscious malfeasance.”381
In contrast, the context of the resignations here does not suggest that
Gamble, Ploder, or Dodge knew of, or were severely reckless as to, the false or
misleading nature of their statements. The Plaintiff fails to explain how the
resignations of Smith, Mauldin, and Webb show that Gamble, Ploder, or Dodge
acted with the requisite state of mind. Nothing about the context of these
resignations would lead one to infer that Gamble, Ploder, or Dodge must have
known about the deficient state of Equifax’s cybersecurity. Without such
allegations, the resignations of Smith, Mauldin, and Webb fail to establish
scienter as to these Individual Defendants.
However, Smith’s resignation does contribute to a finding of scienter on
his part. Taking all of these allegations into account, the following facts support
a strong inference of scienter: Smith was warned by Mandiant, after a previous
breach, that Equifax’s cybersecurity was grossly inadequate; Smith, as CEO,
would have likely followed many of the developments in Equifax’s cybersecurity
since it was an important aspect of its business; Smith learned of the Data
Breach in late July 2017, but still continued to make statements touting the
company’s security; and after the public disclosure of the incident, Smith
381
Id. at 632-33.
resigned his roles in the company, while the Board of Directors announced it
may decide to retroactively terminate him “with cause.” These allegations, taken
together, give rise to a strong inference of scienter that Smith made these
misstatements with knowledge or severe recklessness as to their falsity.
But, the Court concludes overall that the Plaintiff has failed to allege
specific facts giving rise to a strong inference of scienter as to Gamble, Ploder,
or Dodge. Instead, as to these Defendants, the Plaintiff relies upon inferences
based upon their role in the company and the size of the fraud. These general
allegations do not suffice. “[I]t is not enough to make conclusory allegations that
the Defendants had access to the ‘true facts’ in order to demonstrate scienter,
particularly where the complaint fails to allege ‘which defendant knew what,
how they knew it, or when.’”382 “Nor does a vague assertion that a defendant
must have known about the fraud by virtue of his position of authority suffice
to prove a strong inference of scienter.”383 Without specific allegations that
Gamble, Ploder, and Dodge had access to information that made them aware of
the problems with Equifax’s data security, the Amended Complaint fails to give
rise to a strong inference of scienter as to these Individual Defendants. Thus,
382
In re Coca-Cola Enters. Inc. Sec. Litig., 510 F. Supp. 2d 1187, 1201
(N.D. Ga. 2007) (quoting In re Theragenics Corp. Sec. Litig., 105 F. Supp. 2d
1342, 1361 (N.D. Ga. 2000)).
383
Orton v. Parametric Tech. Corp., 344 F. Supp. 2d 290, 306 (D.
Mass. 2004).
the Plaintiff fails to adequately plead scienter under the stringent requirements
set forth in the PSLRA.384
8. Equifax’s State of Mind
Finally, the Defendants argue that the Plaintiff has failed to adequately
plead scienter as to Equifax.385 However, failure to adequately plead scienter as
to individual defendants does not automatically mean that scienter cannot be
established against a corporation.386 “Corporations, of course, have no state of
mind of their own. Instead, the scienter of their agents must be imputed to
them.”387 A plaintiff, in theory, can still create a strong inference that a
corporate defendant such as Equifax acted with the requisite scienter, even if
384
See In re Coca-Cola Enters. Inc. Sec. Litig., 510 F. Supp. 2d 1187,
1201 (N.D. Ga. 2007) (“Here, the Plaintiffs similarly fail to allege that any of the
Defendants had knowledge as to the channel stuffing. The essence of their
allegations is that because of the Defendants’ positions and their general duty
to monitor the information on Margin Minder, the Defendants must have known
about the channel stuffing. The Amended Complaint fails to provide any specific
allegations regarding a time, place or manner in which any of the Individual
Defendants was specifically informed or indicated special knowledge as to CCE's
channel stuffing activities. These pleadings are thus insufficient to demonstrate
an inference of scienter.”).
385
Defs.’ Mot. to Dismiss, at 53-54.
386
Mizzaro, 544 F.3d at 1254 (“Even though it failed to plead scienter
adequately for any of the individual defendants, the amended complaint could,
in theory, still create a strong inference that the corporate defendant, Home
Depot, Inc., acted with the requisite state of mind.”); see also Plymouth Cty. Ret.
Sys. v. Carter’s Inc., No. 1:08-cv-02940-JOF, 2011 WL 13124501, at *12 n.8
(N.D. Ga. Mar. 17, 2011).
387
Mizzaro, 544 F.3d at 1254.
it has failed to prove scienter as to the individual defendants.388 Even if the
Amended Complaint fails to raise a strong inference of scienter as to any of the
named Individual Defendants, the Plaintiff can survive dismissal if it “raise[s]
a strong inference that somebody responsible for the allegedly misleading
statements must have known about the fraud.”389 To do so, the Plaintiff must
allege facts in the Amended Complaint creating a strong inference that
unnamed Equifax officials “were both responsible for issuing the allegedly false
public statements and were aware of the alleged fraud.”390 It can do so through
allegations relating the state of mind of corporate officials “who make or issue
the statement (or order or approve it or its making or issuance, or who furnish
information or language for inclusion therein, or the like).”391
Here, the Plaintiff’s claims as to Equifax survive to the extent that the
claims against Smith survive dismissal. Furthermore, the Plaintiff has alleged
that Equifax’s employees warned “management” of the deficient state of the
company’s cybersecurity. While these allegations are insufficient to establish
scienter as to the named Defendants other than Smith, they are sufficient to
establish that some corporate officials at Equifax, who would have had a role in
388
Mizzaro, 544 F.3d at 1254.
389
Mizzaro, 544 F.3d at 1254 (emphasis in original).
390
Id. at 1254-55.
391
Id. at 1254 (quoting Southland Sec. Corp. v. INSpire Ins. Sols., Inc.,
365 F.3d 353, 366 (5th Cir. 2004)).
crafting many of the statements made by the company, knew of the data
security problems in the company. This is especially true given the resignations
of Webb and Mauldin, two corporate executives whose responsibilities included
data security, and Smith, whose role as CEO would have encompassed data
security. The Plaintiff alleges that Equifax employees warned “management” of
the problems with the company’s cybersecurity, and also alleges that Webb and
Mauldin resigned after the Data Breach. This supports an inference that some
corporate officials in Equifax knew, or were severely reckless, as to the
fraudulent conduct. Thus, the Court concludes that the Amended Complaint still
creates a strong inference that Equifax, the corporate defendant, acted with the
requisite state of mind.392
C. Loss Causation
Next, the Defendants argue that the Plaintiff has failed to adequately
allege loss causation.393 The Plaintiff must allege facts demonstrating that the
Defendants’ misrepresentations caused the losses for which the Plaintiff seeks
to recover.394 To prove loss causation in a section 10(b) claim, “a plaintiff must
offer ‘proof of a causal connection between the misrepresentation and the
392
Id.
393
Defs.’ Mot. to Dismiss, at 54.
394
See 15 U.S.C. § 78u-4(b)(4).
investment’s subsequent decline in value.’”395 Essentially, the Plaintiff must
show that the Defendants’ fraud, and not some other factor, proximately caused
its alleged losses.396 The loss causation element does not require a plaintiff to
prove that a “fraudulent misrepresentation was the sole cause of a security’s loss
in value.”397 But, “the plaintiff must still demonstrate that the fraudulent
statement was a ‘substantial’ or ‘significant’ cause of the decline in price.”398 “By
ensuring that only losses actually attributable to a given misrepresentation are
cognizable, the loss causation requirement ensures that the federal securities
laws do not ‘becom[e] a system of investor insurance that reimburses investors
for any decline in the value of their investments.’”399 Section 10(b) is not a
“prophylaxis” against the normal risks associated with investment in the stock
market, but instead is designed solely to protect against fraud.400 The loss
causation element is only subject to Rule 8's notice pleading standard, requiring
395
Meyer v. Greene, 710 F.3d 1189, 1195 (11th Cir. 2013) (quoting
Robbins v. Koger Props., Inc., 116 F.3d 1441, 1448 (11th Cir. 1997)).
396
FindWhat Inv’r Grp. v. FindWhat.com, 658 F.3d 1282, 1309 (11th
Cir. 2011).
397
Meyer, 710 F.3d at 1196 (citing Hubbard v. BankAtlantic Bancorp,
Inc., 688 F.3d 713, 726 (11th Cir. 2012)).
398
Id. (citing Hubbard, 688 F.3d at 726).
399
Meyer, 710 F.3d at 1196 (quoting Robbins v. Koger Props., Inc., 116
F.3d 1441, 1447 (11th Cir. 1997)).
400
Id.
a “short and plain” statement, and not the heightened pleading standards of the
PSLRA.401
In the Amended Complaint, the Plaintiff alleges that “the market for
Equifax’s securities was efficient” and that “the market for Equifax stock
promptly digest current information regarding Equifax from all publicly
available sources and reflected such information in Equifax’s stock price.”402
Thus, according to the Plaintiff, it is entitled to a presumption of reliance. The
Plaintiff’s claims therefore rely upon the fraud-on-the-market theory of
causation, derived from the efficient market hypothesis.403 This hypothesis
provides “that ‘in an open and developed securities market, the price of a
company's stock is determined by the available material information regarding
the company and its business.’”404 “Because millions of shares change hands
daily, and a critical mass of market makers study the available information and
influence the stock price through trades and recommendations, an efficient
capital market rapidly and efficiently digests all available information and
translates that information into the processed form of a market price.”405 “Just
401
Id.
402
Am. Compl. ¶¶ 363-64.
403
FindWhat Inv. Grp., 658 F.3d at 1309-10.
404
Id. at 1310 (quoting Basic Inc. v. Levinson, 485 U.S. 224, 241
(1988)).
405
Id. (internal quotations and citations omitted).
as an efficient market translates all available truthful information into the stock
price, the market processes the publicly disseminated falsehood and prices it
into the stock as well.”406 “The market price of the stock will then include an
artificial ‘inflationary’ value—the amount that the market mistakenly attributes
to the stock based on the fraudulent misinformation.”407
This presumption is also relevant for loss causation. “While reliance
focuses on the front-end causation question of whether the defendant’s fraud
induced or influenced the plaintiff’s stock purchase, loss causation provides the
‘bridge between reliance and actual damages.’”408 In a fraud-on-the-market case,
the loss causation element requires the plaintiff to show “that the fraud-induced
inflation that was baked into the plaintiff’s purchase price was subsequently
removed from the stock’s price, thereby causing losses to the plaintiff.”409
Plaintiffs often demonstrate loss causation in fraud-on-the-market cases
circumstantially, by:
406
Id.
407
Id.
408
FindWhat Inv. Grp., 658 F.3d at 1311 (quoting In re Cooper Cos.
Sec. Litig., 254 F.R.D. 628, 638 (C.D. Cal. 2009)); see also In re Williams Sec.
Litig., 558 F.3d 1130, 1137 (10th Cir. 2009) (“Loss causation is easiest to show
when a corrective disclosure reveals the fraud to the public and the price
subsequently drops—assuming, of course, that the plaintiff could isolate the
effects from any other intervening causes that could have contributed to the
decline.”).
409
Id.
(1) identifying a “corrective disclosure” (a release of information
that reveals to the market the pertinent truth that was previously
concealed or obscured by the company's fraud); (2) showing that
the stock price dropped soon after the corrective disclosure; and (3)
eliminating other possible explanations for this price drop, so that
the factfinder can infer that it is more probable than not that it
was the corrective disclosure—as opposed to other possible
depressive factors—that caused at least a “substantial” amount of
the price drop.410
Overall, “loss causation analysis in a fraud-on-the-market case focuses on the
following question: even if the plaintiffs paid an inflated price for the stock as
a result of the fraud (i.e., even if the plaintiffs relied), did the relevant truth
eventually come out and thereby cause the plaintiffs to suffer losses?”411
The Defendants argue that the announcements to the public of the Data
Breach on and following September 7, 2017 did not “reveal” that the prior
statements concerning Equifax’s data security were false, and thus were not a
corrective disclosure.412 Specifically, the Defendants contend that: (1) the initial
announcement of the incident on September 7, 2017 did not reveal that prior
statements referencing Equifax’s commitment to data security, efforts to protect
data, and compliance with laws and regulations were false; (2) the revelations
on September 11, 2017 that Equifax lacked an effective data breach crisis
management plan did not show that any of the challenged statements were false
410
Id. at 1311-12 (footnote omitted).
411
Id. (citing Dura Pharm., Inc. v. Broudo, 544 U.S. 336, 347 (2005)).
412
Defs.’ Mot. to Dismiss, at 55.
or misleading; (3) the revelations on September 12, 2017 that 11.5 million
customers signed up for the identity protection plan offered by Equifax do not
reveal the falsity of any prior statements; and (4) revelations on September 13
and 14, 2017 that the Apache Struts vulnerability caused the Data Breach did
not reveal that any of the challenged statements were false or misleading.413
However, as noted above, a disclosure need not precisely mirror an earlier
misrepresentation, but instead must relate to the misrepresentation and not
other negative information about the company.414 Furthermore, a corrective
disclosure can come from any source, and can take any form from which the
market would absorb the information and accordingly react.415 The Court
concludes that the Plaintiff has adequately alleged loss causation. “Rule 8 is
satisfied if plaintiff provides ‘a short and plain statement adequate to give
defendants some indication of the loss and the causal connection that the
plaintiff has in mind.’”416 The Plaintiff alleges that the initial disclosure of the
Data Breach, along with subsequent disclosures that Equifax’s poor
cybersecurity played a part in the incident, that Congress would be conducting
413
Id. at 56-57.
414
Meyer, 710 F.3d at 1197.
415
FindWhat Investor Grp. v. FindWhat.com, 658 F.3d 1282, 1312
n.28 (11th Cir. 2011).
416
In re Ebix, Inc. Sec. Litig., 898 F. Supp. 2d 1325, 1347 (N.D. Ga.
2012) (quoting In re Coca-Cola Enters. Inc. Sec. Litig., 510 F. Supp. 2d 1187,
1203-04 (N.D. Ga. 2007)).
a probe into Equifax’s general cybersecurity practices, that millions of
consumers were affected, and that a failure to implement a patch that had been
available since March 2017 caused the Data Breach, all combined to disclose the
truth to investors. This, along with the wide variety of news reporting on the
incident detailing Equifax’s cybersecurity problems, slowly revealed the truth
about the prior misstatements. This adequately puts the Defendants on notice
as to the causal connection between the Defendants’ misrepresentations and the
class’s losses.
The Plaintiff also argues that a corrective disclosure “may occur through
the materialization of an event within the ‘zone of risk’ concealed by defendant’s
misstatements.”417 Under this theory, “[i]f the significance of the truth is such
as to cause a reasonable investor to consider seriously a zone of risk that would
be perceived as remote or highly unlikely by one believing the fraud, and the
loss ultimately suffered is within that zone, then a misrepresentation or
omission as to that information may be deemed a foreseeable or proximate cause
of the loss.”418 The Eleventh Circuit “has never decided whether the
materialization-of-concealed-risk theory may be used to prove loss causation in
417
Pl.’s Br. in Opp’n to Defs.’ Mot. to Dismiss, at 58.
418
Lentell v. Merrill Lynch & Co., 396 F.3d 161, 173 (2d Cir. 2005)
(quoting Castellano v. Young & Rubicam, Inc., 257 F.3d 171, 188 (2d Cir. 2001)).
a fraud-on-the-market case.”419 The Court declines to adopt this theory here.
First, the Plaintiff failed to plead this theory of loss causation in the Amended
Complaint. Second, the Plaintiff has failed to explain how the “materialization”
of the Data Breach itself corrected prior misstatements touting the strength of
Equifax’s cybersecurity. Third, the Court need not adopt this theory since the
Plaintiff has adequately alleged loss causation through corrective disclosures.
D. In Connection With
Next, the Defendants contend that the statements made by Smith in a
speech at the University of Georgia were not made in connection with the
purchase or sale of a security.420 To state a claim under section 10(b), the
plaintiff must show that the false or misleading statement was made in
connection with the purchase or sale of a security.421 In using this phrase,
“Congress . . . ‘intended only that the device employed, whatever it might be, be
of a sort that would cause reasonable investors to rely thereon, and, in
connection therewith, so relying, cause them to purchase or sell a corporation's
securities.’”422 “Moreover, when . . . a claim is based on the fraud-on-the-market
theory, a ‘straightforward cause and effect’ test is applied, under which it is
sufficient that ‘statements which manipulate the market are connected to
resultant stock trading.’”423
Here, the Plaintiff has adequately shown that Smith’s statement was
made in connection with the purchase or sale of a security. “As the Supreme
Court has noted, ‘market professionals generally consider most publicly
announced material statements about companies, thereby affecting stock
419
Sapssov v. Health Mgmt. Assocs., Inc., 608 F. App’x 855, 861 n.7
(11th Cir. 2015) (quoting Hubbard v. BankAtlantic Bancorp, Inc., 688 F.3d 713,
726 n.25 (11th Cir. 2012)).
420
Defs.’ Mot. to Dismiss, at 45 n.18. At oral argument, counsel for the
Defendants devoted a significant portion of his time arguing that the challenged
statements published on Equifax’s website were not made “in connection” with
the sale or purchase of a security. See Transcript of Oral Argument, at 20-23
[Doc. 83]. However, this argument was not raised in the Defendants’ papers.
Instead, the Defendants only assert in their papers that Smith’s statements at
the University of Georgia were not made in connection with the purchase or sale
of a security. See Defs.’ Mot. to Dismiss, at 45 n.18; Defs.’ Reply Br., at 21 n.12.
The Defendants’ failure to raise this argument in their briefs means that the
argument has been abandoned. See Access Now, Inc. v. Sw. Airlines Co., 385
F.3d 1324, 1330 (11th Cir. 2004) (“[A] legal claim or argument that has not been
briefed before the court is deemed abandoned and its merits will not be
addressed.”). And, even if the Defendants had raised this argument, the Court
would not be persuaded. As discussed below, even statements made in technical
jargon in a sophisticated medical journal can be considered “in connection with”
the purchase or sale of a security, since analysts search for such information in
evaluating stocks. See In re Carter-Wallace, Inc. Sec. Litig., 150 F.3d 153, 156
(2d Cir. 1998). Here, the Court cannot say that, as a matter of law, statements
made on a company’s website are not made in connection with a securities
transaction, even if those statements are not found prominently on the front
page of the company’s website. Market analysts, who find such information
relevant, are able to locate and digest such information in evaluating a
company’s stock. See id. Therefore, the Court declines to dismiss these website
statements for this reason.
421
In re Carter-Wallace, Inc. Sec. Litig., 150 F.3d 153, 155-56 (2d Cir.
1998).
422
Id. (quoting SEC v. Tex. Gulf Sulphur Co., 401 F.2d 833, 860 (2d
Cir. 1968)).
423
Id. (quoting In re Ames Dep’t Stores Inc. Stock Litig., 991 F.2d 953,
966 (2d Cir. 1993)).
market prices.’”424 In In re Carter-Wallace, Inc. Securities Litigation, the court
noted that “[t]echnical advertisements in sophisticated medical journals
detailing the attributes of a new drug could be highly relevant to analysts
evaluating the stock of the company marketing the drug,” and thus it could not
conclude that such statements, as a matter of law, were not made in connection
with a securities transaction.425 Similarly, statements made by Equifax’s CEO
concerning a core business operation could be highly relevant to analysts
evaluating Equifax’s stock. The fact that Smith made this statement at a
presentation at a college, and not in some other setting, does not change this
conclusion. This is further bolstered by the Plaintiff’s allegation that this
presentation was uploaded to the popular website YouTube.com.426 The Court
cannot say that this statement, which would be relevant to analysts studying
Equifax’s securities, was not made in connection with a securities transaction.
This is especially true given the fact that the Plaintiff relies upon the
fraud-on-the-market theory. Therefore, the Court finds the Defendants’ argument
unpersuasive.
424
Id. (quoting Basic Inc. v. Levinson, 485 U.S. 224, 247 n.24 (1988)).
425
Id.
426
Am. Compl. ¶ 334.
E. Section 20(a) Claims
Finally, the Defendants argue that the Plaintiff’s section 20(a) claims fail
to state a claim for which relief can be granted.427 Section 20(a) of the Exchange
Act extends liability for violations of Rule 10b–5 to controlling persons in the
company.428 “To show control person liability under Section 20(a), a plaintiff
must allege that: (1) the company violated § 10(b); (2) the defendant had the
power to control the general affairs of the company; and (3) the defendant had
the power to control the specific corporate policy that resulted in the primary
violation.”429
427
Defs.’ Mot. to Dismiss, at 59.
428
15 U.S.C. § 78t(a).
429
In re Spectrum Brands, Inc. Sec. Litig., 461 F. Supp. 2d 1297, 1307
(N.D. Ga. 2006) (citing Theoharous v. Fong, 256 F.3d 1219, 1227 (11th Cir.
2001)).
The Defendants first argue that the Plaintiff’s failure to plead any
primary violation of section 10(b) by Equifax requires dismissal of the section
20(a) claims.430 However, as discussed above, the Plaintiff has adequately
pleaded some of its section 10(b) claims as to Equifax. The Defendants next
argue that the Plaintiff fails to adequately plead that the Individual Defendants
control “specific corporate policy” that resulted in the alleged primary violations
of section 10(b).431 Specifically, the Defendants argue that the Plaintiff has not
alleged that any of the Individual Defendants had control over the content and
dissemination of the unattributed statements made on Equifax’s website during
the class period, or any of the statements made by different Individual
Defendants, or that they controlled the cybersecurity matters misrepresented.432
Furthermore, the Defendants argue that the Plaintiff has not alleged that
Gamble, Ploder, or Dodge controlled Equifax’s “general affairs.”433
430
Defs.’ Mot. to Dismiss, at 59.
431
Id.
432
Id. at 59-60.
433
Id. at 60.
The Court agrees that the Plaintiff has failed to allege that Gamble,
Ploder, or Dodge exercised control over the specific cybersecurity policies that
resulted in the alleged violations, or that they exercised control over any of the
unattributed statements made or statements made by other Individual
Defendants. Thus, the Plaintiff’s section 20(a) claims should be dismissed as to
these Individual Defendants. The Court concludes, however, that the Plaintiff
has adequately alleged a section 20(a) claim as to Smith. Smith, as CEO, had
the power to control the “general affairs” of Equifax. Smith also had the power
to control the specific corporate policy that resulted in the section 10(b)
violations. Smith had both the power to control Equifax’s cybersecurity policy
and the statements made by Equifax and the other Individual Defendants as to
these cybersecurity policies. Thus, the Plaintiff has sufficiently stated a claim
for control liability as to Smith.
IV. Conclusion
For the reasons stated above, the Defendants’ Joint Motion to Dismiss
[Doc. 62] is GRANTED in part and DENIED in part. It is GRANTED as to the
Defendants Gamble, Ploder, and Dodge. It is DENIED as to the Defendants
Equifax and Smith.
SO ORDERED, this 28 day of January, 2019.
/s/Thomas W. Thrash
THOMAS W. THRASH, JR.
United States District Judge