As if anyone needed yet another reminder of the invasive effect a cybersecurity event can have on a business, we need look no further than the putative securities fraud class action lawsuits filed against global logistics giant FedEx. On June 26, 2019, the first lawsuit against FedEx was filed in the Southern District of New York. The complaint generally alleges that FedEx violated federal securities laws when it made allegedly fraudulent disclosures concerning the extent of the impact caused by the NotPetya malware virus that struck FedEx’s recently expanded European division.
By way of brief background, approximately one year before the NotPetya attack, FedEx acquired TNT Express N.V. (TNT) for $4.8 billion, and was in the process of integrating TNT when the NotPetya virus struck. The complaint alleges that FedEx painted a rosy picture, assuring investors that the negative impact from the attack on the integration and financial performance of TNT was minimal and that it was on track to meet its revenue targets. That is, until FedEx made a series of disclosures revealing the extent of the disruption caused by the attack. On June 2, 2019, days after the first securities lawsuit was filed, FedEx got hit with a second securities fraud lawsuit similarly alleging violation of federal securities laws based on disclosures made related to the fallout from NotPetya. Notably, the plaintiffs in both lawsuits are represented by prominent law firms in the securities-fraud class-action space, and both lawsuits exclusively seek relief under Sections 10(b) and 20(a) of the Securities Exchange Act, which are the statute's anti-fraud and control-person liability provisions.
NotPetya was a unique virus that wreaked havoc around Europe in June 2017 by irreversibly encrypting each infected computer’s master boot record, the part of the machine that tells the computer where to find its own operating system. Essentially, once a computer was infected with the NotPetya virus, the computer’s contents became a useless compilation of scrambled data, requiring the reinstallation of entire computer infrastructures. This virus also caused significant losses of data and operational interruptions. Logistics companies suffered some of the most devastating and widely publicized losses and operational interruptions. Indeed, NotPetya reportedly cost one of its highest-profile victims, global shipping goliath Maersk, more than $300 million to rebuild its network and in business interruption losses.
Management liability lawsuits have not been widely seen following cyber events, and are not as intricately intertwined with the cyber-threat itself, particularly those cyber events like NotPetya that do not involve the disclosure of personal information. While management liability lawsuits may be low on a corporate priority list immediately following a cyber event, a corporation’s responses to these incidents could provide fodder for the plaintiffs’ bar. Whether it is a public company facing a securities fraud class action lawsuit for disclosures made after the incident, or a derivative lawsuit alleging corporate mismanagement related to the maintenance of adequate cybersecurity, these cyber events present real exposure to corporate management. For example, Yahoo learned this the hard way when it paid $80 million to settle a cyber-related securities fraud claim, then another $29 million to settle a related derivative suit arising from the same event. The lawsuit against FedEx should serve as a reminder that, despite the many headline-grabbing cyberattacks over the years, companies of all sizes remain vulnerable to these risks, which carry with them collateral implications for corporate boards and management concerning preventative cybersecurity and statements made in the wake of a cyberattack.