California Securities Litigation – 2023

In many ways, California securities litigation in 2023 was more of the same, with an emphasis on “more”. 

Difficult financing markets translated to a number of actions by disgruntled shareholders alleging false or misleading statements in connection with securities transactions and/or management breaches of fiduciary duty. At the same time, federal plaintiffs, increasingly alert to important distinctions between federal and state securities laws, often added state claims to their federal complaints to take advantage of those differences.

Meanwhile, California corporations have continued to face a wave of litigation regarding cybersecurity breaches, and California cryptocurrency companies continue to find themselves under the regulators’ scrutiny.

Recent changes to California law raise the prospect of even more securities litigation in the future. For instance, new California ESG disclosure rules, set to take effect in 2026, have the potential to spawn a new wave of disclosure suits, akin to those that the federal courts have been dealing with in recent years. Plus, the California courts’ recent adoption of Delaware’s Caremark doctrine may precipitate new cases asserting director nonfeasance.

In short, 2023 has been a busy year for securities litigators, and it is expected that the next few years will be busier still.

California courts adopt Delaware’s Caremark standard of liability for directors asleep at the wheel

California courts often look to Delaware case law concerning corporate governance, although it sometimes takes a while before they expressly endorse a particular Delaware doctrine. On 2 June 2023, the California Court of Appeal officially recognised Delaware’s Caremark doctrine.

Under In re Caremark Int’l Inc, 698 A.2d 959 (Del. Ch. 1996) (“Caremark”) and its progeny, directors may be found liable for breaches of fiduciary duty even if they did not affirmatively undertake a deleterious action, where they have failed utterly to implement any reporting or information system or controls or, having implemented such a system or controls, consciously failed to monitor or oversee its operations, thus preventing them from being adequately informed of risks or problems. The Delaware courts have held that plaintiffs bringing a Caremark claim must plead and prove that the directors acted in bad faith, typically defined as an intentional dereliction of duty or conscious wrongdoing.

In Kanter v Reed, the California Court of Appeal adopted the Caremark standard for directors of California corporations. The court held, however, that the shareholder derivative plaintiffs before it had not adequately alleged a substantial likelihood of director liability under Caremark, and thus, had failed to plead adequately that a litigation demand on the board would have been futile. The California Supreme Court denied the plaintiffs’ petition for review, meaning that the decision, and Caremark, are now binding law in the Golden State.

Bank failures and down rounds precipitate shareholder actions

The year 2023 was a difficult one for technology startups in Silicon Valley.  On top of the shockwaves generated by the collapse of Silicon Valley Bank and First Republic Bank, the year has seen “down round” financings in many technology sectors, in which a company raises money at a pre-money valuation that is less than the post-money valuation of its financing. 

It often happens that a difficult financing environment is accompanied by more aggressive actions by investors, who may feel – rightly or wrongly – that they have not received their money’s worth from securities transactions.  This can lead to an uptick in claims of both securities fraud and corporate mismanagement/malfeasance. 

In 2023, the California Superior Courts encompassing Silicon Valley (Santa Clara County and San Francisco County) saw new securities litigation filings against several prominent San Francisco Bay Area companies, including PayPal, Block, Stitch Fix, and Wells Fargo, for everything from breach of fiduciary duty, to securities fraud, to insider trading, and more. Given the continuing challenges in the financing market, the pace of securities filings is expected to increase in 2024.

Plaintiffs include state securities fraud claims in federal complaints

Historically, federal securities lawsuits have primarily involved only federal securities claims. But 2023 saw a pattern of California federal plaintiffs strategically including California state securities claims alongside their federal counterparts.

Both federal and state securities laws generally prevent, among other things, the use of false or misleading statements in connection with the purchase or sale of securities. However, the statutory schemes are not identical. For instance, unlike under federal Section 10(b) of the Securities Exchange Act and Rule 10b-5, a claim under California Corporations Code § 25501 does not require proof of reliance or scienter, but does retain the common law requirement of privity between the parties. The investor need only establish that the misrepresentation or failure to disclose was a “material fact. The seller’s intent or lack thereof, is irrelevant” (Bowden v Robinson, 67 Cal. App. 3d 705, 712 (1977)). The two jurisdictions’ secondary liability schemes have differences as well. For instance, Section 20(a) of the Securities Exchange Act extends liability to “[e]very person who, directly or indirectly, controls any person” who commits a primary securities fraud violation. California Corporations Code § 25504 similarly extends liability to “[e]very person who directly or indirectly controls a person” liable for a primary violation, but that’s just the beginning of the statute; Section 25504 goes on to hold “every partner in a firm so liable, every principal executive officer or director of a corporation so liable”, and more. 

These distinctions can make a difference as early as the pleadings stage.  Outside (non-employee) directors, for example, sometimes persuade federal courts to dismiss securities fraud claims against them even when claims against one or more primary violators survive dismissal. See, for example, In re Gupta Corporation Securities Litigation, 900 F. Supp. 1217, 1241 (ND Cal 1994) – “Two courts in this district have held that the mere fact that an outside director signed a group published document does not make the outside director liable for the contents of the document.” This is far more difficult under state law, where by definition, control person liability extends to “every... director of a corporation so liable.” (There are other differences between federal and state law, even as to controlling person liability; California law tends to focus more on a defendant’s power to control a primary violator, as opposed to their actual exercise of such control.)

Presumably cognisant of these differences, California federal plaintiffs have been increasingly pairing their federal securities claims with California claims.  For instance, a review of 2023 year-to-date PACER filings shows that approximately 20% of new actions filed in the Central District of California which assert federal securities claims, also included California state securities claims. In the absence of any change in the law, it is expected that even more plaintiffs will simultaneously plead federal and state securities claims in the future.

California continues to be a hotbed of litigation concerning cybersecurity breaches

On 26 July 2023, the Securities and Exchange Commission (SEC) issued final rules requiring disclosure of material cybersecurity events on Form 8-K within four business days after a determination of materiality, as well as disclosure of a company’s cybersecurity risk management, strategy and governance in a company’s periodic reports. 

As the beating heart of technology, it is not surprising that California continues to be the site of substantial cyber-related litigation. For example:

• Zoom Video Communications, Inc agreed to pay USD150 million to settle investors’ allegations that the company misled investors about its encryption capabilities in its public offering documents.
• The Ninth Circuit Court of Appeals affirmed in part, and reversed in part, allegations that Facebook and its officers made false and misleading statements concerning the risk of improper access to users’ data; Facebook’s internal investigation into the use of users’ data by Cambridge Analytica; and the control that users have over their data.  The court held that the plaintiffs adequately alleged that the company’s characterisation of the risk of third parties accessing user data as a potential risk was false and misleading, when the company knew the risk had materialised.
• A divided panel of the Ninth Circuit affirmed dismissal of a class action lawsuit under California’s Consumer Legal Remedies Act (CLRA) alleging that Apple Computer failed to disclose that its products were affected by security vulnerabilities which could only be remedied by installing software that reduced performance. The court held that plaintiffs failed to allege with particularity that Apple knew about the defects at the time of the purported misstatements.
• The Northern District of California granted in part, and denied in part, a motion to dismiss a securities class action lawsuit alleging that a data security company, Okta, and its officers made false and misleading statements concerning its own data breach. The court found that the plaintiffs failed to show that most of the misstatements were false or misleading when made, or were made with scienter, but held that the plaintiffs adequately alleged claims concerning statements made on earnings calls.

New climate disclosure laws may lead to new disclosure claims

On 7 October 2023, California Governor Gavin Newsom signed two bills into law, which collectively will require thousands of companies doing business in California to disclose greenhouse gas (GHG) emissions and climate-related financial information. These new rules are expected to lead to new litigation, similar to that which the federal courts have already seen concerning environmental, social and governance (ESG) disclosures.

SB 253, the California Climate Corporate Data Accountability Act (CCDAA), applies to both private and public companies with total annual revenues exceeding USD1 billion, and will require disclosures regarding several categories of GHG emissions, including those resulting indirectly from a company’s entire supply chain. SB 261, the Climate-Related Financial Risk Act (CRFRA), applies to companies with total annual revenues exceeding USD500 million, and will require, among other things, companies doing business in California to prepare and submit biennial climate-financial risk reports. The first disclosures under the two bills will be required in 2026.

It is anticipated that the new laws will spawn new lawsuits by both private plaintiffs and regulators. These actions may be divided into two categories.  First, plaintiffs will allege that the company misstated or omitted material facts concerning climate-related risks, including potential regulation. This has already been seen at the federal level. For example, the SEC charged Vale SA, a publicly-traded Brazil-based mining company, with making materially false and misleading statements about the safety of its dams prior to the 2019 collapse of a dam that killed 270 people. In March 2023, Vale agreed to settle the action by paying USD55.9 million in disgorgement, prejudgment interest and penalty.

In a private securities class action, plaintiffs accused Exxon Mobil Corp of misleading investors about the company’s proxy carbon costs – a toll that internalises the environmental, social and economic costs of emitting one metric tonne of carbon dioxide. Although the claim survived a motion to dismiss, the federal court denied a motion for class certification, holding that the defendants had rebutted the presumption of reliance through evidence showing that there was no statistically significant negative market reaction to the alleged corrective disclosure.

The second category of lawsuits entail allegations that a company materially exaggerated its commitment to environmental standards and policies, a policy sometimes called “greenwashing”. The SEC has issued a rule requiring investment firms that use environmental, social or governance (ESG) terminology – such as “green” or “sustainable” – to invest at least 80% of their assets in accordance with the investment focus suggested by the name. Relatedly, the SEC accused BNY Mellon Investment Advisers of misrepresenting that all of its investments had been subjected to an “ESG quality review”. Without admitting or denying the allegations, BNY Mellon agreed to pay a USD1.5 million penalty and take remedial actions. Similarly, in a case against the Oatley Group filed in the US District Court for the Southern District of New York, the plaintiff alleged, among other things, that the company misrepresented its sustainability practices. (The charges were subsequently omitted from an amended complaint.)

As the new California laws take effect, it is anticipated that shareholder plaintiffs will soon be filing similar actions in California courts challenging company ESG disclosures.

Note that in March 2022, the SEC proposed its own rule that would mandate climate disclosures in the financial reports of publicly traded companies in both their registration statements and periodic reports. After intense public comments and substantial opposition, the SEC delayed publication of a final rule. If and when the SEC ultimately issues a final rule, it will likely differ from the California requirements in several respects, including companies affected (the SEC rule will only apply to public companies; the CA laws will apply to both private and public companies) and disclosures required (the current proposed SEC rule does not, in all instances, require companies to disclose GHG emissions resulting indirectly from the company’s supply chain). The California rules might be challenged as superseded by the SEC rule, or as an unconstitutional burden on interstate commerce. Unless and until that happens, however, they will likely give investor plaintiffs fodder for new disclosure claims.

The SEC continues to go after California crypto-companies

Cryptocurrency companies have been a favourite target of the SEC in recent years, which makes California a fertile hunting ground. 

The typical SEC action alleges that the defendant company engaged in the distribution of digital assets, or tokens, that were securities, and that the offer and sale of the assets was therefore in violation of Sections 5(a) and (c) of the Securities Act of 1933. Those provisions require securities being offered for sale and/or sold to be registered with the SEC unless there is an applicable exemption. The SEC’s position is that the digital assets being sold are an investment contract, a form of security, under the US Supreme Court’s decision in SEC v WJ Howey, Co and various SEC pronouncements.

The relief sought by the SEC varies. In some cases, the SEC will demand that the company register the digital assets with the SEC. In other instances, the SEC will demand that the company take control of the tokens that have been distributed and/or halt the secondary trading of the tokens on all trading platforms. In still other cases, the SEC has alleged that the defendants engaged in fraudulent practices in violation of Section 17(a) of the Securities Act of 1934, and Section 10(b) of the Securities Exchange Act of 1934. The actions are sometimes accompanied by disgorgement and penalties as well.

One 2023 case that attracted a great deal of attention was the SEC’s action against San Francisco-based Ripple Labs, Inc and its senior officers, Bradley Garlinghouse and Christian A Larsen. The action, filed in the Southern District of New York, alleged that the defendants sold over 14.6 billion units of digital asset “XRP” in return for cash consideration worth over USD1.38 billion. The SEC asserted that XRP was a security that should have been registered with the SEC. On 13 July 2023, Judge Analisa Torres held that the corporation’s sales of XRP to institutional investors constituted investment contracts and violated Section 5 of the Securities Act. However, the court also held that the company’s programmatic sales of XRP to public buyers on digital asset exchanges did not constitute investment contracts, because they did not lead those buyers to have a reasonable expectation of profits to be derived from the entrepreneurial or managerial efforts of others. For the same reason, the sales of XRP by Garlinghouse and Larsen could not be considered investment contracts.

Other California-based crypto-companies that were the subject of SEC actions in 2023 include:

• A settled proceeding in which the SEC alleged that Impact Theory, a Los Angeles-based media and entertainment company, offered and sold crypto-asset securities in the form of non-fungible tokens (NFTs), raising USD29.9 million worth of ether (“ETH”). Without admitting or denying the allegations, the company agreed to disgorge USD5.12 million; prejudgment interest of USD483,195.90; and a civil monetary penalty of USD500,000. The company also agreed to destroy all the NFTs in its possession and to take measures to eliminate any royalties that Impact Theory might receive from secondary market transactions of the NFTs.
• A settled proceeding in which the SEC charged a former NBA basketball star, Paul Anthony Pierce, with making materially false and misleading statements in promoting a securities offering conducted by EtheriumMax, an online company with a website that had sold EMAX tokens. Without admitting or denying the allegations, Pierce agreed to disgorge USD244,116; prejudgment interest of USD15,449; and a penalty of USD1.15 million.
• In a settled proceeding, the SEC charged a San Francisco-based company and a British Virgin Islands company – Payward Ventures, Inc and Payward Trading, Ltd (both doing business as Kraken) – with failing to register the offer and sale of their crypto-asset staking-as-a-service programme, whereby investors transfer crypto-assets to the company for staking, in exchange for advertised annual investment returns of as much as 21%. Without admitting or denying the allegations, the companies consented to entry of a final judgment that enjoined them from violating Section 5 of the Securities Act and offering or selling securities through crypto-asset staking services or programmes.
• In a settled proceeding, the SEC alleged that the San Francisco-based company, Quantstamp, Inc., offered and sold crypto-assets that were in fact securities in order to fund development of an automated smart contract security auditing protocol. Without admitting or denying the allegations, Quantstamp agreed to cease and desist from further violations of Section 5 and to transfer its tokens in its possession or control to a Fund Administrator so that they could be destroyed or disabled, among other actions. The SEC Order also directed the company to pay disgorgement of USD1,979,201; prejudgment interest of USD494,314; and a penalty of USD1 million.

It appears that this trend will not slow down any time soon. Indeed, on 2 November 2023, PayPal Holding, Inc disclosed in its Quarterly Report on Form 10-Q that it had received an SEC enforcement subpoena related to its recently commenced stablecoin that pegs its value to the US dollar by holding US dollar deposits, short-term Treasury bills, and similar cash equivalents in reserve. PayPal also disclosed that it had received a civil investigative demand from the Consumer Financial Protection Bureau.