Public companies face a variety of legal challenges following major cyber events: consumer class actions, inquiries from regulators, congressional inquiries and, increasingly, federal securities class actions. In consumer class actions arising from data breaches, the potential damages sustained by people whose information was compromised are usually small, if there are any damages at all. But federal securities class actions can expose public companies that experience cyber events to very significant claims for damages from plaintiff shareholders – damages that are driven, in rough terms, by the size of the stock-price decline following the public disclosure.

Until recently, such price declines were rare, and the viability of shareholder suits resulting from a company’s cyber breach was uncertain – but that may be changing. Recent securities fraud class actions brought against several major companies, and in particular, the January 2019 decision in In re Equifax Securities Litigation, which allowed most of plaintiffs’ claims to survive a motion to dismiss, are cause to give these cases a closer look.

This article analyzes the Equifax decision and uses lessons from that case to examine strategies for minimizing risk of securities fraud class actions arising from data breaches.