Fourth Circuit: Affirms Dismissal of Class Action Alleging That Data Protection and Privacy Statements Were False or Misleading (Securities Law Alert)

04.29.22

(Article from Securities Law Alert, April 2022) 

On April 21, 2022, the Fourth Circuit affirmed a district court’s dismissal of a putative securities fraud class action against a hotel chain company and certain of its officers and directors alleging that the company’s failure to disclose vulnerabilities in the IT systems of another hotel chain with which it merged rendered various of its public statements false or misleading in violation of Section 10(b). In re Marriott Int’l, 2022 WL 1178526 (4th Cir. 2022) (Heytens, J.). The court held that plaintiff failed to adequately allege that any of the company’s statements were false or misleading when made.

In 2016, the company merged with another hotel chain and subsumed all of its operations, including its computer systems, reservation software and databases. In 2018, the company learned of a substantial data breach related to the subsumed guest reservation database. Subsequently, plaintiff commenced an action alleging that the company’s failure to disclose severe vulnerabilities in the subsumed IT systems rendered 73 different public statements false or misleading. The district court granted the company’s motion to dismiss with prejudice, concluding that plaintiff did not adequately allege a false or misleading statement or omission, a strong inference of scienter or loss causation. Plaintiff appealed, narrowing its challenge to 18 statements.

On appeal, the Fourth Circuit pointed out that “[n]ot all material omissions are actionable.” Citing Phillips v. LCI Int’l, 190 F.3d 609 (4th Cir. 1999), the court explained that “an omission is actionable only if—absent the fact omitted—a reasonable investor, exercising due care, would gather a false impression from a statement, which would influence an investment decision.”

Plaintiff’s first set of challenged statements concerned the importance of data protection to the company’s business. Plaintiff challenged the company’s public statements that “the integrity and protection of customer, employee, and company data is critical to us as we use such data for business decisions and to maintain operational efficiency.” Plaintiff claimed that by failing to disclose the “vulnerable state” of the subsumed IT systems, the company’s statements created a misleading impression that the company was securing and protecting the acquired customer data.

The Fourth Circuit disagreed, noting that plaintiff’s “whole theory of the case turns on those statements being true—i.e., that data integrity is critically important to [the company] and its investors.” The court explained that “[r]eiterating this basic truth is neither misleading nor creates the false impression [plaintiff] suggests.” The court agreed with the district court that the company’s statements on the importance of data protection “made no characterization at all with respect to the quality of its cybersecurity, only that [the company] considered it important.” The Fourth Circuit also stated that a reasonable reader could not have understood the company to be overrepresenting its data protection because the same SEC submission that contained the challenged statements also disclosed key risks. For example, the company repeatedly warned that its systems may not satisfy the “information, security, and privacy requirements” imposed by laws and regulations and warned of information system breaches.

The court also determined that plaintiff’s arguments concerning privacy statements[1] on company websites failed for similar reasons. The court held that plaintiff’s allegations, even if true, did not demonstrate that the challenged privacy statements were false or misleading. The court pointed out that plaintiff conceded that the company devoted resources and sought to strengthen the security of the subsumed systems. The court also stated that no reasonable investor could have been misled by the privacy statements as they were accompanied by sweeping caveats.



[1] For example, one company website stated that the company “seeks to use reasonable organizational, technical and administrative measures to protect” personal data, but noted that “no data transmission or storage system can be guaranteed to be 100% secure.”