Western District Of Texas Largely Denies Motion To Dismiss Putative Class Action Against Information Technology Company
On March 30, 2022, Judge Robert Pitman of the Western District of Texas denied the majority of a motion to dismiss a putative class action asserting claims under the Securities Exchange Act of 1934 against an information technology company, certain of its executives, and private equity firms that owned the company’s securities. In re SolarWinds Corp. Sec. Litig., No. 1:21-CV-138-RP (W.D. Tex. Mar. 30, 2022). Plaintiffs alleged that company statements regarding its cybersecurity policies and practices were revealed to be false and misleading upon the disclosure of a security breach. The Court held that plaintiffs adequately alleged falsity, scienter, and loss causation, except as to the company’s CEO, the allegations as to whom the Court granted plaintiffs leave to replead.
The Court held that plaintiffs adequately alleged that the company’s CEO and Vice President of Security Architecture made misstatements based on the fact that they allegedly reviewed and approved a “security statement” on the company’s website that was alleged to falsely describe the company’s cybersecurity policies and practices. Slip Op. at 14-15, 21. Moreover, the Court determined that statements indicating that the company was focusing on cybersecurity “hygiene” could plausibly be found to be misleading in context based on “differences between the image projected by the speaker and the reality on the ground.” Id. at 16. And the Court further held that the company’s disclosures about the risk of cybersecurity attacks did not protect it because plaintiffs did not merely point to the fact that a security breach took place but, rather, “alleged separate facts that the cybersecurity measures at the company were not as they were portrayed.” Id. at 17.
The Court also held that plaintiffs’ allegations as to the Vice President of Security Architecture supported a strong inference of scienter on his part because he had touted the company’s security measures while holding himself out as a “responsible and knowledgeable authority regarding [the company’s] cybersecurity measures.” Id. at 10. Allegations that the Vice President had allowed a separate server vulnerability, unrelated to the breach at issue, also supported a finding of scienter, the Court held, and statements of former employees regarding the lack of proper cybersecurity protocols were also considered relevant, even though those employees had not directly worked on the company’s security protocols or interfaced with its security team. Id. at 11-12. The Court noted that several challenged statements related to employee practices at the company broadly, and that a trier of fact could infer that the Vice President of Security Architecture “may have been aware” of whether the company’s security policies were being followed. Id. at 12-13.
With respect to the company’s CEO, however, the Court agreed that plaintiffs failed to adequately allege scienter because plaintiffs had pled “no facts to suggest that [the CEO] held himself out as an authority on [the company’s] cybersecurity measures.” Id. at 22. Moreover, while plaintiffs pointed to the CEO’s sale of more than 39% of his company shares shortly before the security breach was publicly disclosed as evidence of scienter, the Court determined that the CEO had provided a plausible competing inference—that he had previously announced his departure from the company and sold his shares pursuant to a 10b5-1 plan put in place before the company became aware of the security breach. Id. at 23.
With respect to loss causation, defendants contended that stock price drops following disclosure of a security breach could not be tied to any specific practices of the company. Id. at 18-19. The Court held, however, that the alleged corrective disclosures “at the very least circumstantially suggest that the security breach was more likely than not caused by the company’s allegedly deficient security.” Id. at 19.
The Court also held that plaintiffs adequately alleged control person liability against two private equity firms that each allegedly controlled 40% of the company. Id. at 25-26. The private equity firms argued that neither was a majority shareholder and their stakes should not be combined to infer majority control, but the Court determined that a “relaxed” and “lenient” pleading standard applied to evaluating control person allegations. Id. at 26. Plaintiffs had adequately alleged, the Court held, that the private equity firms “acted in unison, buying and taking the [c]ompany private together” and then “taking the [c]ompany public together again,” “retaining equal amounts of shares of the [c]ompany,” and then selling shares after the company’s IPO “together, on the same day, and in nearly identical amounts.” Id.