On March 30, 2022, Judge Robert Pitman of the Western District
of Texas denied the majority of a motion to dismiss a putative
class action asserting claims under the Securities Exchange Act of
1934 against an information technology company, certain of its
executives, and private equity firms that owned the company's
securities. In re SolarWinds Corp. Sec. Litig.,
No. 1:21-CV-138-RP (W.D. Tex. Mar. 30, 2022). Plaintiffs
alleged that company statements regarding its cybersecurity
policies and practices were revealed to be false and misleading
upon the disclosure of a security breach. The Court held that
plaintiffs adequately alleged falsity, scienter, and loss
causation, except as to the company's CEO, the allegations as
to whom the Court granted plaintiffs leave to replead.
The Court held that plaintiffs adequately alleged that the
company's CEO and Vice President of Security Architecture made
misstatements based on the fact that they allegedly reviewed and
approved a "security statement" on the company's
website that was alleged to falsely describe the company's
cybersecurity policies and practices. Slip Op. at 14-15,
21. Moreover, the Court determined that statements indicating
that the company was focusing on cybersecurity "hygiene"
could plausibly be found to be misleading in context based on
"differences between the image projected by the speaker and
the reality on the
ground." Id. at 16. And
the Court further held that the company's disclosures about the
risk of cybersecurity attacks did not protect it because plaintiffs
did not merely point to the fact that a security breach took place
but, rather, "alleged separate facts that the cybersecurity
measures at the company were not as they were
portrayed." Id. at 17.
The Court also held that plaintiffs' allegations as to the Vice
President of Security Architecture supported a strong inference of
scienter on his part because he had touted the company's
security measures while holding himself out as a "responsible
and knowledgeable authority regarding [the company's]
cybersecurity measures." Id. at
10. Allegations that the Vice President had allowed a
separate server vulnerability, unrelated to the breach at issue,
also supported a finding of scienter, the Court held, and
statements of former employees regarding the lack of proper
cybersecurity protocols were also considered relevant, even though
those employees had not directly worked on the company's
security protocols or interfaced with its security
team. Id. at 11-12. The Court noted
that several challenged statements related to employee practices at
the company broadly, and that a trier of fact could infer that the
Vice President of Security Architecture "may have been
aware" of whether the company's security policies were
being followed. Id. at 12-13.
With respect to the company's CEO, however, the Court agreed
that plaintiffs failed to adequately allege scienter because
plaintiffs had pled "no facts to suggest that [the CEO] held
himself out as an authority on [the company's] cybersecurity
measures." Id. at 22.
Moreover, while plaintiffs pointed to the CEO's sale of more
than 39% of his company shares shortly before the security breach
was publicly disclosed as evidence of scienter, the Court
determined that the CEO had provided a plausible competing
inference—that he had previously announced his departure from
the company and sold his shares pursuant to a 10b5-1 plan put in
place before the company became aware of the security
breach. Id. at 23.
With respect to loss causation, defendants contended that stock
price drops following disclosure of a security breach could not be
tied to any specific practices of the
company. Id. at 18-19. The Court
held, however, that the alleged corrective disclosures "at the
very least circumstantially suggest that the security breach was
more likely than not caused by the company's allegedly
deficient security." Id. at 19.
The Court also held that plaintiffs adequately alleged control
person liability against two private equity firms that each
allegedly controlled 40% of the
company. Id. at 25-26. The private
equity firms argued that neither was a majority shareholder and
their stakes should not be combined to infer majority control, but
the Court determined that a "relaxed" and
"lenient" pleading standard applied to evaluating control
person allegations. Id. at 26.
Plaintiffs had adequately alleged, the Court held, that the private
equity firms "acted in unison, buying and taking the [c]ompany
private together" and then "taking the [c]ompany public
together again," "retaining equal amounts of shares of
the [c]ompany," and then selling shares after the
company's IPO "together, on the same day, and in nearly
identical amounts." Id.
In re SolarWinds Corp. Sec. Litig.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.