United States Supreme Court hears case concerning potentially false or misleading data breach investor disclosures
Last week, the United States Supreme Court heard a case concerning publicly traded organizations' duties to report data breaches to investors. A bank that invested in a well-known social media company filed a lawsuit claiming that the social media company violated federal securities law because it issued false or misleading disclosures to investors about its data security posture. The parties dispute whether required investor risk disclosures are false or misleading when they do not disclose that a risk has materialized in the past (here, an improper collection of user information by a third-party consulting firm), even if that past event presents no known risk of ongoing or future business harm. The social media company asserts it was only responsible for disclosing future data security risks, not prior incidents. At oral argument, a majority of the justices appeared skeptical of the social media company’s position.
The Court's forthcoming ruling may expand publicly traded companies' obligations to report data security incidents to their investors.
Publicly traded companies should continue to monitor this and other potentially precedential data privacy litigation. Publicly traded companies are also advised to monitor other state and federal data security incident notification laws for new consumer and regulatory reporting requirements.
Attorneys from McDonald Hopkins’ national data privacy and cybersecurity team are available to counsel publicly traded companies on state, federal, and international data security incident reporting requirements.