Northern District Of California Dismisses Putative Class Action Against Digital Payments Company For Failure To Adequately Allege Scienter
09/24/2019On September 18, 2019, Judge Edward M. Chen of the United States District Court for the Northern District of California dismissed a putative class action against a digital payment services company and certain of its officers asserting claims under Section 10(b) of the Securities Exchange Act. Sgarlata v. PayPal Holdings, Inc., 17-CV-06956-EMC (N.D. Cal. Sept. 18, 2019). Plaintiffs alleged that the company made misrepresentations in a series of press releases regarding a data breach. The Court held that plaintiffs’ allegations were insufficient to raise a strong inference of scienter.
Plaintiffs alleged that the company failed to fully disclose the seriousness of a security breach related to a subsidiary. Plaintiffs asserted that defendants were aware of a breach that exposed the personal information of customers, bill-pay clients and employees. While the company initially issued a statement that it had suspended services at the subsidiary upon finding “security vulnerabilities,” it disclosed weeks later that 1.6 million users’ confidential information had potentially been compromised. Slip op. at 2-3.
The Court in a prior decision had determined that plaintiffs had adequately alleged falsity, as the initial announcement “could plausibly have created an impression that only a potential vulnerability and not an actual breach had been discovered, and certainly not one which threatened the privacy of 1.6 million users.” Id. at 8. The Court rejected defendants’ request to reconsider that prior ruling. While defendants argued that it was not enough for allegations to be “plausib[le]” based on the heightened pleading standard of the PSLRA, the Court held that the complaint satisfied the higher standard as well because it specifically alleged with detail why the initial announcement was misleading—because “current or potential investors understood the security vulnerability to be minor.” Id. at 9-10.
However, the Court held that plaintiffs’ scienter allegations, which were primarily based on the statements of confidential witnesses, were insufficient. For example, plaintiffs alleged that one confidential witness had been “informed” that “someone had accessed” customer names and addresses as part of the breach. Id. at 11. However, the Court emphasized that this statement failed to show “specifically who at [the company] informed” the witness of the breach and what the individual said. Id. at 12. Moreover, the Court observed that, as compared to the first amended complaint, the confidential witness’ statement in the second amended complaint was distinctly different “in degree of certainty and, by implication, the depth of the company’s knowledge regarding the breach,” and this discrepancy “raise[d] credibility concerns” about the statement. Id. Further, the Court noted that “nearly all” of the confidential witness statements relied on hearsay, which the Court noted made them less reliable in assessing a possible inference of scienter. Id. Therefore, the Court determined that such statements failed to show that the person who made the allegedly misleading statement knew it was false. Id. at 14. The Court also noted that the weakness of these inferences of scienter was underscored by the lack of “any obvious incentive to mislead.” Id. Plaintiffs did not make any allegation of motivation—like the sale of stock during the class period—which might show an individual defendant stood to profit from the alleged misrepresentation.
The Court also rejected plaintiffs’ attempt to bolster their scienter allegations by using a cybersecurity expert to opine on “what information was likely available to [the company] regarding the scope of a potential [data] compromise.” Id. at 15. The Court emphasized that, within the Ninth Circuit, courts can consider allegations from experts if they “satisfy the same standard applied to confidential informants.” Id. at 16 (citing Browning v. Amyris, Inc., 2014 WL 1285175, at *19 (N.D. Cal. Mar. 24, 2014)). Here, the Court found that the security expert was neither familiar with, nor had knowledge of, the specific security architecture of defendants’ network. To the contrary, the complaint referred to the expert’s conclusion as “the most reasonable assumption,” which the Court noted appeared to be “merely a guess about the structure of [the company’s] network.” Id. Moreover, unlike in other cases in which courts had considered expert opinions for purposes of assessing scienter allegations, the Court noted that here the expert did not speak with any employees or review any documents that in themselves were supportive of an inference of scienter. Id. at 16-17. The Court concluded that plaintiffs’ allegations with respect to the expert witness were similar to allegations “made on information and belief without disclosing the actual basis for its findings.” Id. at 17. Thus, even considered “holistically” with the complaint, the Court held that the expert witness’ opinions did not support an inference of scienter.