The Rhode to ruin? Why stock-drop lawsuits threaten cybersecurity

A lawsuit against Google’s parent Alphabet threatens broader data security. Regulators should provide clarity on breach disclosure timelines; financial services institutions and suppliers should welcome it.

Alex Davies

Act first, announce later

In late 2018, Google disclosed that its Google+ social network contained a vulnerability that could have leaked data on 52.5 million users. No data was stolen, so no users faced any harm. Yet Google identified the vulnerability six months earlier, and chose not to disclose its existence even after it had successfully patched the hole.

Like many firms that fall victim to cyber breaches, Google’s parent company, Alphabet, now faces a lawsuit. Alphabet’s predicament is somewhat different to that faced by other firms, however: the plaintiffs do not seek damages stemming from any actual breach (for there was none) but from drops in Alphabet’s stock. The Employees’ Retirement System of Rhode Island, leading a class action lawsuit comprising owners of Alphabet shares, alleges that its portfolio suffered losses after Google disclosed the vulnerability, because the delay in disclosures led to perceptions of a cover-up.

In the absence of clear regulations governing timelines for discovered vulnerabilities, actions like this – so-called ‘stock-drop’ lawsuits – are predicated upon allegations of market abuse. In essence, the plaintiffs allege, Google did not make public that it had found a vulnerability – had they possessed this knowledge, investors would have materially altered their behavior.

Legal and security complications

Without rules clearly laying out disclosure requirements for vulnerabilities that have not resulted in stolen data, lawsuits like this threaten to set unclear disclosure timelines for financial institutions. Those financial institutions (FIs) with publicly traded stock are particularly vulnerable, although the threat could also affect privately held corporations with venture capital or private equity ownership.

Disclosure timelines for vulnerabilities will effectively be set by case law. Those firms seeking to reduce their legal exposure will face the complicated task of deciphering court holdings and opinions instead of interpreting carefully considered regulation.

Such lawsuits may also weaken security. Firms may be compelled to disclose vulnerabilities before proper remediation. Fixing a vulnerability takes time. Yet in order to preclude a lawsuit from a plaintiff with precedent on their side, firms will race to announce the discovery of a weakness in their systems without completing the due diligence to properly secure them.

Clear guidance required

Even if Alphabet loses, the final outcome of the lawsuit is not assured. Any appeal would be heard by the Ninth Circuit, a federal appellate court that has historically proved skeptical of plaintiffs’ arguments in stock-drop lawsuits. In a lawsuit brought by the Oregon Public Employees Retirement Fund against Apollo Group Incorporated, the court held that stock-drop plaintiffs are subject to strict pleading requirements – success by the Rhode Island pension fund on appeal is far from certain.

But what can firms and regulators do to block the avenue of legal challenges on the way to constructing disclosure timelines? Regulators should formalize disclosure requirements and issue clear guidance on timelines. These are currently vague and vary across jurisdictions. Furthermore, the rules often require actual data loss, rather than merely the discovery of a vulnerability. Regulated firms should work with regulators to develop timelines, and welcome the protection they offer from legal challenge.

Even with guidance from regulators on vulnerability disclosure timelines, firms should inform investors about the internal procedures they will follow should a vulnerability be discovered. Though some may argue that publicly issuing this information gives potential litigants another avenue of attack if the firm does not follow its stated disclosure process, it provides a clear yardstick by which to judge a firm’s response to any vulnerability discovered in its systems.

Without clearer rules around security incidents like the one Google faced, non-expert judges will write rules that leave us all less secure.

Points of View are short articles in which members of the Chartis team express their opinions on relevant topics in the risk technology marketplace. Chartis is a trading name of Infopro Digital Services Limited, whose branded publications consist of the opinions of its research analysts and should not be construed as advice.

If you have any comments or queries on Chartis Points of View, you can email the individual author, or email Chartis at [email protected].