Case 1:19-md-02915-AJT-JFA Document 319 Filed 02/18/20 Page 1 of 38 PageID# 2391
`
`
`
`UNITED STATES DISTRICT COURT
`EASTERN DISTRICT OF VIRGINIA
`ALEXANDRIA DIVISION
`
`
`
`
`MDL No. 1:19-md-2915 (AJT/JFA)
`
`
`
`
`
`
`
`Case No. 1:19-cv-1472 (AJT)
`
`IN RE CAPITAL ONE CUSTOMER
`DATA SECURITY BREACH LITIGATION
`
`This Document Relates ONLY to the following
`Case:
`
`MARCUS MINSKY, Individually and on Behalf
`of All Others Similarly Situated,
`
`
`
`
`
`CAPITAL ONE FINANCIAL
`CORPORATION, RICHARD FAIRBANK,
`ROBERT ALEXANDER, and MICHAEL
`JOHNSON,
`
`
`
`Plaintiff,
`
`v.
`
` Defendants.
`
`
`
`MEMORANDUM OF LAW IN SUPPORT OF DEFENDANTS’
`MOTION TO DISMISS THE AMENDED CLASS ACTION COMPLAINT
`
`
`
`
`
`
`
`
`
`
`

`

`Case 1:19-md-02915-AJT-JFA Document 319 Filed 02/18/20 Page 2 of 38 PageID# 2392
`
`
`
`TABLE OF CONTENTS
`
`I. INTRODUCTION ...................................................................................................................... 1
`
`II. SUMMARY OF PLAINTIFF’S ALLEGATIONS .................................................................... 2
`
`A.
`
`B.
`
`C.
`
`The Parties .............................................................................................................. 2
`
`Capital One’s Well-Publicized “Information-Based” Business Strategy ............... 3
`
`The Criminal Cyber-Theft Of Certain Capital One Data In
`The Cyber Incident ................................................................................................. 4
`
`D.
`
`Plaintiff’s Claims and Allegations .......................................................................... 5
`
`III. LEGAL STANDARDS ............................................................................................................ 6
`
`IV. ARGUMENT ............................................................................................................................ 7
`
`A.
`
`Plaintiff Fails To Plead That The Challenged Statements Were
`False, Misleading, Or Otherwise Actionable Under Section 10(b). ....................... 7
`
`1.
`
`2.
`
`3.
`
`4.
`
`5.
`
`The Legal Obligations/Industry Practices Statements ................................ 7
`
`The Risk Factor Statements ...................................................................... 16
`
`The Digital Transformation Statements .................................................... 18
`
`The Priority Statements............................................................................. 19
`
`Defendants’ Consumer-Facing And Technical Statements
`Were Not Made “In Connection With” The Purchase Or Sale Of
`Securities. .................................................................................................. 22
`
`B.
`
`Plaintiff’s Allegations Fail To Raise A Strong Inference Of Scienter.................. 23
`
`1.
`
`2.
`
`3.
`
`Plaintiff’s Allegations About Defendants’ Positions And
`Alleged Access To Internal Information Are Insufficient. ....................... 24
`
`The “Former Employee” (“FE”) Allegations Fail To Support
`A Strong Inference Of Scienter................................................................. 26
`
`Plaintiff’s Other Allegations Fail To Raise The Required
`Strong Inference. ....................................................................................... 29
`
`V. CONCLUSION ........................................................................................................................ 30
`
`
`
`
`
`
`
`
`
`

`

`Case 1:19-md-02915-AJT-JFA Document 319 Filed 02/18/20 Page 3 of 38 PageID# 2393
`
`TABLE OF AUTHORITIES
`
`
`
`
`
`Page(s)
`
`Cases
`
`In re 2007 Novastar Fin. Inc., Sec. Litig.,
`579 F.3d 878 (8th Cir. 2009) ...................................................................................................16
`
`Allen v. Administrative Review Bd.,
`514 F.3d 468 (5th Cir. 2008) ...................................................................................................18
`
`In re Alphabet, Inc. Sec. Litig.,
`No. 4:18-cv-06245 (N.D. Cal. Feb. 5, 2020) .....................................................................21, 22
`
`In re Cable & Wireless, PLC,
`321 F. Supp. 749 (E.D. Va. 2004) ...........................................................................................13
`
`In re Citigroup, Inc. Sec. Litig.,
`330 F. Supp. 2d 367 (S.D.N.Y. 2004)........................................................................................9
`
`City of Pontiac Gen. Employees’ Ret. Sys. v. Stryker Corp.,
`865 F. Supp. 2d 811 (W.D. Mich. 2012) .................................................................................27
`
`In re Computer Sciences Corp. Sec. Litig.,
`890 F. Supp. 2d 650 (E.D. Va. 2012) ......................................................................................30
`
`Doyun Kim v. Advanced Micro Devices, Inc.,
`No. 5:18-cv-00321-EJD, 2019 WL 2232545 (N.D. Cal. May 23, 2019) ................................17
`
`In re DRDGOLD Ltd. Sec. Litig.,
`472 F. Supp. 2d 562 (S.D.N.Y. 2007)......................................................................................28
`
`Druskin v. Answerthink, Inc.,
`299 F. Supp. 2d 1307 (S.D. Fla. 2004) ....................................................................................29
`
`Dura Pharms., Inc. v. Broudo,
`544 U.S. 336 (2005) ...................................................................................................................6
`
`In re First Union Corp. Sec. Litig.,
`128 F. Supp. 2d 871 (W.D.N.C. 2001) ....................................................................................11
`
`In re Genworth Fin. Inc. Sec. Litig.,
`103 F. Supp. 3d 759 (E.D. Va. 2015) ......................................................................................24
`
`In re Heartland Payment Systems, Inc. Sec. Litig.,
`Civ. No. 09-1043, 2009 WL 4798148 (D.N.J. Dec. 7, 2009) ........................................9, 10, 21
`
`ii
`
`
`

`

`Case 1:19-md-02915-AJT-JFA Document 319 Filed 02/18/20 Page 4 of 38 PageID# 2394
`
`
`
`Howard v. Arconic Inc.,
`395 F. Supp. 3d 516 (W.D. Pa. 2019) ................................................................................22, 23
`
`Inst’l Invs. Grp. v. Avaya, Inc.,
`564 F.3d 242 (3d Cir. 2009).....................................................................................................27
`
`In re Intel Corp. Sec. Litig.,
`No. 18-cv-00507-YGR, 2019 WL 1427660 (N.D. Cal. Mar. 29, 2019)............................16, 23
`
`Juntti v. Prudential-Bache Sec., Inc.,
`993 F.2d 228 (4th Cir. 1993) ...................................................................................................30
`
`Kiken v. Lumber Liquidators Holdings, Inc.,
`155 F. Supp. 3d 593 (E.D. Va. 2015) ......................................................................................29
`
`Lerner v. Northwest Biotherapeutics,
`273 F. Supp. 3d 573 (D. Md. 2017) .........................................................................................26
`
`In re LifeLock, Inc. Sec. Litig.,
`690 F. App’x 947 (9th Cir. 2017) ............................................................................................23
`
`Longman v. Food Lion, Inc.,
`197 F.3d 675 (4th Cir. 1999) .............................................................................................13, 21
`
`Maguire Fin., LP v. PowerSecure Int’l, Inc.,
`876 F.3d 541 (4th Cir. 2017) ...............................................................................................6, 24
`
`Matrix Capital Management Fund, LP v. BearingPoint, Inc.,
`576 F.3d 172 (4th Cir. 2009) ...................................................................................................30
`
`In re Neustar Sec.,
`83 F. Supp. 3d 671 (E.D. Va. 2015) ........................................................................................21
`
`Nolte v. Capital One Fin. Corp.,
`390 F.3d 311 (4th Cir. 2004) .............................................................................................19, 20
`
`Oklahoma Firefighters Pension & Ret. Sys. v. K12, Inc.,
`66 F. Supp. 3d 711 (E.D. Va. 2014) ....................................................................................9, 14
`
`Ong v. Chipotle Mexican Grill, Inc.,
`294 F. Supp. 3d 199 (S.D.N.Y. 2018)................................................................................19, 22
`
`In re PEC Sols. Sec. Litig.,
`2004 WL 1854202 (E.D. Va. May 25, 2004) ..........................................................................12
`
`Phillips v. Triad Guar. Inc.,
`No. 1:09-CV-71, 2015 WL 1457980 (M.D.N.C. Mar. 30, 2015) ......................................16, 29
`
`iii
`
`
`

`

`Case 1:19-md-02915-AJT-JFA Document 319 Filed 02/18/20 Page 5 of 38 PageID# 2395
`
`
`
`Pipefitters Local No. 636 Defined Ben. Plan v. Tekelec,
`No. 5:11-CV-4-D, 2013 WL 1192004 (E.D.N.C. March 22, 2013) ..................................27, 30
`
`S.E.C. v. Pirate Inv’r LLC,
`580 F.3d 233 (4th Cir. 2009) .............................................................................................22, 23
`
`Schwab v. E*Trade Fin. Corp.,
`285 F. Supp. 3d 745 (S.D.N.Y. 2018)......................................................................................26
`
`SEC v. Rana Research, Inc.,
`8 F.3d 1358 (9th Cir. 1993) .....................................................................................................23
`
`SEC v. Tex. Gulf Sulphur Co.,
`401 F.2d 833 (2d Cir. 1968).....................................................................................................22
`
`Singh v. Cigna Corp.,
`918 F.3d 57 (2d Cir. 2019)...........................................................................................14, 21, 22
`
`Smith v. Circuit City Stores, Inc.,
`286 F. Supp. 2d 707 (E.D. Va. 2003) ......................................................................................26
`
`In re Target Corp. Sec. Litig.,
`275 F. Supp. 3d 1063 (D. Minn. 2017) ....................................................................................10
`
`Teachers’ Ret. Sys. of La. v. Hunter,
`477 F.3d 162 (4th Cir. 2007) .......................................................................................24, 27, 30
`
`Teamsters Local 210 Affiliated Tr. Fund v. Neustar, Inc.,
`No. 1:17-cv-1145-AJT-JFA, 2019 WL 693276 (E.D. Va. Feb. 19, 2019) ..............................14
`
`Teamsters Local 445 Freight Div. Pension Fund v. Dynex Capital Inc.,
`531 F.3d 190 (2d Cir. 2008).....................................................................................................25
`
`Tellabs, Inc. v. Makor Issues & Rights, Ltd.,
`551 U.S. 308 (2007) ...................................................................................................................7
`
`In re Under Armour Sec. Litig.,
`342 F. Supp. 3d 658 (D. Md. 2018) .........................................................................................28
`
`Veal v. LendingClub Corp.,
`No. 18-cv-02599-BLF, 2019 WL 5698072 (N.D. Cal. Nov. 4, 2019) ....................................17
`
`Weil v. Dominion Resources, Inc.,
`875 F. Supp. 331 (E.D. Va. 1994) ...........................................................................................21
`
`Yates v. Mun. Mortgage & Equity, LLC,
`744 F.3d 874 (4th Cir. 2014) .......................................................................................24, 29, 30
`
`iv
`
`
`

`

`Case 1:19-md-02915-AJT-JFA Document 319 Filed 02/18/20 Page 6 of 38 PageID# 2396
`
`
`
`Statutes
`
`15 U.S.C. § 78t(a) ............................................................................................................................5
`
`15 U.S.C. § 78j(b) ......................................................................................................................5, 22
`
`15 U.S.C. § 78u-4(b) .............................................................................................................. passim
`
`Mont. Code Ann. § 30-14-1704 .....................................................................................................17
`
`Other Authorities
`
`17 C.F.R. § 240.10b-5 ......................................................................................................................5
`
`Fed. R. Civ. P. 9(b) ..........................................................................................................................6
`
`v
`
`
`

`

`Case 1:19-md-02915-AJT-JFA Document 319 Filed 02/18/20 Page 7 of 38 PageID# 2397
`
`
`
`I. INTRODUCTION
`
`On July 29, 2019, Capital One Financial Corporation (“Capital One” or the “Company”)
`
`announced that it had been targeted in a criminal cyber-attack in which a hacker stole personal
`
`information of approximately 106 million Capital One credit card customers and applicants (the
`
`“Cyber Incident”). The suspected perpetrator is in custody and, to date, there is no indication that
`
`the information has been disseminated or used to commit fraud or identity theft. The day after
`
`Capital One announced the Cyber Incident, the Company’s stock price fell by less than 5%, but
`
`has since more than fully recovered, and is up nearly 13% since the July 30, 2019 close.
`
`Plaintiff’s Complaint seeks to manufacture claims that the Company and three executives
`
`violated federal law by making statements that are alleged to have misled investors. But as shown
`
`below, the Complaint falls far short of satisfying the exacting pleading standards imposed by the
`
`Private Securities Litigation Reform Act of 1995 (the “PSLRA”) and therefore must be dismissed.
`
`The crux of Plaintiff’s claims is that certain statements touching on matters of data security or
`
`Capital One’s “digital transformation” were misleading because the Company “sacrificed
`
`cybersecurity” to optimize execution on its “information-based strategy.” But hindsight-driven,
`
`conclusory allegations that Capital One should have had “better” data security do not plead a claim
`
`that the challenged statements were false or misleading at all, let alone at the time they were made.
`
`Further, many of the statements challenged in the Complaint are not investor-facing and
`
`do not even address data security. Plaintiff attacks general compliance policies that fail even to
`
`mention cybersecurity, while those that do—including those describing cybersecurity as
`
`“incredibly important,” “critical,” or a “top priority”—are immaterial “puffery” upon which no
`
`reasonable investor would base a decision to purchase stock. Plaintiff also attacks cardholder
`
`
`
`

`

`Case 1:19-md-02915-AJT-JFA Document 319 Filed 02/18/20 Page 8 of 38 PageID# 2398
`
`
`
`privacy notices that were not directed to Capital One investors and are therefore not actionable
`
`because they were not made “in connection with” a purchase of securities.
`
`Separately dooming his claims, Plaintiff also fails to plead particular facts that raise the
`
`required strong inference that Defendants acted with scienter, i.e., intent to deceive or severe
`
`recklessness. Instead, Plaintiff relies on conclusory, boilerplate allegations that courts have
`
`rejected time and again. These allegations fail to specifically tie the Individual Defendants (or any
`
`Capital One representative accused of making a false statement) to awareness of information
`
`conflicting with the challenged statements or even suggesting that those statements might mislead
`
`reasonable investors. Plaintiff’s failure to plead facts connecting the speakers to knowledge of
`
`such contradictory information dooms Plaintiff’s “fraud” claims and requires dismissal
`
`independently of the Complaint’s other pleading deficiencies.
`
`For all of these reasons, Plaintiff’s Complaint fails to state a claim for violation of Section
`
`10(b) of the Securities Exchange Act of 1934, and Plaintiff’s failure to plead a Section 10(b) claim
`
`means that Plaintiff likewise has not stated a claim under Section 20(a). As such, the Complaint
`
`must be dismissed in its entirety.
`
`II. SUMMARY OF PLAINTIFF’S ALLEGATIONS
`
`A.
`
`The Parties
`
`Capital One is a Virginia-based financial services company whose common stock trades
`
`on the New York Stock Exchange. Amended Complaint (“AC”) ¶¶ 23, 26. Defendant Richard
`
`Fairbank is Capital One’s Founder and Chief Executive Officer. Id. ¶ 27. Defendant Robert
`
`Alexander is Capital One’s Chief Information Officer (“CIO”). Id. ¶ 28. Defendant Michael
`
`Johnson served as Capital One’s Chief Information Security Officer (“CISO”) from March 2017
`
`until November 2019. Id. ¶ 29. The plaintiff who commenced this action, Marcus Minsky, held
`
`2
`
`

`

`Case 1:19-md-02915-AJT-JFA Document 319 Filed 02/18/20 Page 9 of 38 PageID# 2399
`
`
`
`fewer than five shares of Capital One common stock.1 Mr. Minsky’s lawyers subsequently
`
`replaced him with Plaintiff Edward Shamoon—the only lead plaintiff applicant in this case—who
`
`claims to have purchased 250 shares of Capital One common stock on September 6, 2018 for
`
`$98.25/share, which he continues to hold. See Dkts. 216-3 & 216-4. Mr. Shamoon seeks
`
`recompense for a temporary “paper loss” on his investment, but as of the market close on the date
`
`of this filing, Capital One’s shares were trading 5% above the price at which Mr. Shamoon bought.
`
`B.
`
`Capital One’s Well-Publicized “Information-Based” Business Strategy
`
`
`
`As alleged throughout the Complaint, Capital One has for decades publicly and candidly
`
`discussed its pursuit of an “information-based strategy” leveraging extensive analysis of consumer
`
`data to identify desirable customers, effectively market products and services, make more
`
`informed credit decisions, offer superior customer service, and grow its profitability. See, e.g., AC
`
`¶¶ 7, 37–42, 114. As Plaintiff alleges, as far back as 1996, in Capital One’s first publicly filed
`
`annual report on SEC Form 10-K, the Company stated:
`
`The Company’s IBS [i.e., Information Based Strategy] is designed to allow
`the Company to differentiate among customers based on credit risk, usage
`and other characteristics and to match customer characteristics with
`appropriate product offerings. . . . By using sophisticated statistical
`modeling techniques, the Company is able to segment its potential customer
`lists based upon the integrated use of credit scores, demographics, customer
`behavioral characteristics and other criteria.. . . . The Company applies IBS
`to all areas of its business . . . .
`
`Id. ¶ 37 (emphasis added).
`
`Plaintiff alleges that Capital One’s information-based strategy depended on amassing large
`
`stores of data, including consumer data, to be analyzed in driving decisions about marketing,
`
`product and service development, extension of credit, and customer service. See, e.g., id. ¶ 115
`
`(“Machine learning requires data . . . . [T]he more data Capital One makes available to its machine
`
`
`1 See Case 1:19-cv-01472-AJT-JFA, Document 1-1.
`
`3
`
`

`

`Case 1:19-md-02915-AJT-JFA Document 319 Filed 02/18/20 Page 10 of 38 PageID# 2400
`
`
`
`learning programs, the more accurate – and therefore useful – those programs will be.”). Plaintiff
`
`acknowledges that Capital One repeatedly discussed this aspect of its strategy in public statements.
`
`See id. ¶¶ 41–42, 72, 77, 79, 92.
`
`C.
`
`The Criminal Cyber-Theft Of Certain Capital One Data In The Cyber Incident
`
`
`
`Plaintiff alleges that, in March and April 2019, hacker Paige Thompson obtained
`
`unauthorized access to a Capital One server containing a significant store of consumer data. Id.
`
`¶¶ 171-74. Plaintiff alleges that Capital One had a “Web Application Firewall (“WAF”)” in place,
`
`which was intended to shield its servers from such “malicious attacks.” Id. ¶ 151. Plaintiff further
`
`alleges that “[a] WAF uses programmed rules to distinguish between legitimate access requests,
`
`which it permits, and illegitimate access requests, which it denies” (id.¶ 152) and that “[i]f a
`
`request is legitimate, then the WAF automatically assigns the requester a role” and related access
`
`credentials. Id. ¶ 153. Plaintiff acknowledges that “[i]f properly implemented, a WAF should
`
`deny access to all entrants except those who have already been approved. But Capital One’s WAF
`
`was misconfigured, allowing access to malicious outsiders under certain circumstances.” Id.
`
`¶ 154. Plaintiff also acknowledges that the consumer data on Capital One’s server was encrypted
`
`and that Capital One had taken the further security measure of “tokeniz[ing]” the vast bulk of the
`
`most sensitive data (social security numbers and bank account numbers). Id. ¶ 175-76. Plaintiff
`
`alleges that upon gaining access to Capital One’s servers, “Thompson was assigned credentials
`
`that automatically decrypted all the data available.” Id. ¶ 175.
`
`Plaintiff alleges that, “[o]n April 21[, 2019], Thompson exfiltrated the data to outside of
`
`Capital One’s firewall.” Id. ¶ 179. But Plaintiff alleges that Thompson “had no plans to monetize”
`
`the data she stole and implicitly acknowledges that, to date, neither Capital One nor law
`
`enforcement have uncovered any evidence that the data was used for fraud, sold, or otherwise
`
`4
`
`

`

`Case 1:19-md-02915-AJT-JFA Document 319 Filed 02/18/20 Page 11 of 38 PageID# 2401
`
`
`
`disseminated. Id. ¶¶ 186-88. Capital One issued a press release publicly reporting the Cyber
`
`Incident on July 29, 2019, shortly after learning that it had occurred. Id. ¶¶ 11, 189.
`
`D.
`
`Plaintiff’s Claims and Allegations
`
`
`
`The Complaint asserts claims under Sections 10(b) and 20(a) of the Securities Exchange
`
`Act of 1934, 15 U.S.C. §§ 78j(b), 78t(a), and SEC Rule 10b-5, 17 C.F.R. § 240.10b-5. Plaintiff
`
`alleges these claims on behalf of a putative class of investors who purchased or otherwise acquired
`
`Capital One common stock between July 23, 2015 and July 29, 2019. AC ¶ 1. The Complaint
`
`groups the statements into six categories (see headings A. through F. of Section VIII, “Defendants’
`
`False and Misleading Statements,” beginning at AC p. 46). Defendants will use the Complaint’s
`
`groupings except as noted below. For the Court’s convenience, Defendants attach as Exhibit 1
`
`hereto a chart listing each of the 28 statements Plaintiff challenges.
`
`Plaintiff’s first category (the “Legal Obligations/Industry Practices” statements) challenges
`
`statements that Plaintiff characterizes as addressing Capital One’s compliance with legal,
`
`regulatory, and industry-based standards for protecting customer data (AC ¶¶ 208, 210; Ex. 1,
`
`Stmts. 1-2). In addressing this category of statements, Defendants will also address the last two
`
`statement categories which also relate to compliance with industry practices (AC Sections VIII.E.
`
`& VIII.F., relating to encryption and data access/retention respectively) (AC ¶¶ 249-53, 255-56;
`
`Ex. 1, Stmts. 22–28). The second category Plaintiff challenges (the “Risk Factor Statements”)
`
`consists of risk factor statements in Capital One’s 2015-2018 Forms 10-K (AC ¶ 218; Ex. 1, Stmt.
`
`3). Although Plaintiff does not specify any particular language in the Risk Factor Statements
`
`alleged to have misled investors, his theory appears to be that the statements “warned identically
`
`of cybersecurity risks” and thus were not sufficiently “tailored to Capital One.” Id. The third
`
`category (the “Digital Transformation Statements”) consists of statements that the Company’s
`
`“digital transformation” would have a positive impact on, among other areas of its business,
`
`5
`
`

`

`Case 1:19-md-02915-AJT-JFA Document 319 Filed 02/18/20 Page 12 of 38 PageID# 2402
`
`
`
`“regulatory compliance,” “risk management,” and “cybersecurity.” AC ¶¶ 223, 225-29; Ex. 1,
`
`Stmts. 4–9. Plaintiff’s fourth category of statements (the “Priority Statements”) describe Capital
`
`One’s cybersecurity efforts as a “top priority”—or as “critical” or “incredibly important.” AC ¶¶
`
`210, 232-38, 241-45; Ex. 1, Stmts. 10–21.
`
`
`
`Plaintiff generally alleges that the above categories of statements were false and misleading
`
`because Capital One “sacrifice[ed] cybersecurity” to optimize execution on the Company’s
`
`information-based strategy by creating “large data pools” and “granting widespread [internal]
`
`access” to the data. Id. ¶¶ 211, 222, 230, 239, 246, 254; see also id. ¶¶ 2, 118, 258. Plaintiff also
`
`alleges that the challenged statements were false or misleading because Capital One failed to
`
`adequately encrypt data and monitor system requests for access to data and that, as a result of the
`
`foregoing, the Company “violat[ed] a host of industry practices and ethical standards.” Id. ¶¶ 211,
`
`222, 230, 239, 246, 254, 258.
`
`III. LEGAL STANDARDS
`
`To state a claim under Section 10(b) and SEC Rule 10b-5, Plaintiff must allege and
`
`ultimately prove six elements: (1) a material misrepresentation or omission of material fact; (2)
`
`scienter; (3) a connection with the purchase or sale of a security; (4) reliance; (5) economic loss;
`
`and (6) loss causation. See Dura Pharms., Inc. v. Broudo, 544 U.S. 336, 341-42 (2005). Plaintiff’s
`
`claims are subject to the heightened pleading standards of Rule 9(b) and the PSLRA. Rule 9(b)
`
`provides that in “alleging fraud or mistake, a party must state with particularity the circumstances
`
`constituting fraud or mistake.” FED. R. CIV. P. 9(b). In enacting the PSLRA, Congress determined
`
`it was necessary to raise the bar even higher than Rule 9(b) for securities class actions. See
`
`Maguire Fin., LP v. PowerSecure Int’l, Inc., 876 F.3d 541, 546 (4th Cir. 2017). The PSLRA
`
`requires that Plaintiff “specify each statement alleged to have been misleading, the reason or
`
`6
`
`

`

`Case 1:19-md-02915-AJT-JFA Document 319 Filed 02/18/20 Page 13 of 38 PageID# 2403
`
`
`
`reasons why the statement is misleading, and, if an allegation regarding the statement or omission
`
`is made on information and belief, … state with particularity all facts on which that belief is
`
`formed.” 15 U.S.C. § 78u-4(b)(1). The PSLRA also requires Plaintiff to “state with particularity
`
`facts giving rise to a strong inference that the defendant acted with the required state of mind.” Id.
`
`§ 78u-4(b)(2)(A). The “required state of mind” is scienter, defined to mean “a mental state
`
`embracing intent to deceive, manipulate, or defraud.” Tellabs, Inc. v. Makor Issues & Rights, Ltd.,
`
`551 U.S. 308, 319 (2007) (internal quotation marks and citation omitted). A “strong inference” of
`
`scienter is one that is “more than merely plausible or reasonable—it must be cogent and at least as
`
`compelling as any opposing inference of nonfraudulent intent.” Id. at 314.
`
`IV. ARGUMENT
`
`A.
`
`Plaintiff Fails To Plead That The Challenged Statements Were False, Misleading,
`Or Otherwise Actionable Under Section 10(b).
`
`Plaintiff asserts extremely serious claims of federal securities fraud against Capital One
`
`and the Individual Defendants—claims subject to rigorous, heightened pleading standards. Yet in
`
`support of these weighty claims, Plaintiff merely attacks statements that (1) do not relate directly
`
`(or sometimes at all) to cybersecurity, (2) accurately disclose the very security risks at issue; (3)
`
`constitute non-actionable puffery or opinion/belief statements not adequately pled to have been
`
`false; and/or (4) were made in customer-facing privacy policies or by non-Defendants at various
`
`conferences. As discussed in detail in the sections that follow, these statements—either analyzed
`
`individually or in the aggregate—are not adequately pled to have been misleading to reasonable
`
`investors, much less false, and therefore, fall woefully short of Plaintiff’s high pleading hurdle.
`
`1.
`
`The Legal Obligations/Industry Practices Statements
`
`
`
`The Legal Obligations/Industry Practices Statements concern (i) “compliance risk
`
`management” (Ex. 1, Stmt. 1); and (ii) statements to consumers (not investors) that the Company
`
`7
`
`

`

`Case 1:19-md-02915-AJT-JFA Document 319 Filed 02/18/20 Page 14 of 38 PageID# 2404
`
`
`
`will protect their information “with controls based upon internationally recognized security
`
`standards, regulations, and industry-based best practices” (id. Stmt. 2). Plaintiff also challenges
`
`statements about data encryption (id., Stmts. 22-26) and data access/retention (id., Stmts. 27-28).
`
`a) Plaintiff Fails To Plead Facts Establishing The Statements Were False Or
`Misleading.
`
`
`
`Plaintiff asserts the same conclusory explanation as to why all of these statements were
`
`purportedly false or misleading—that Capital One “creat[ed] dangerously large data pools,
`
`grant[ed] widespread access…, fail[ed] to monitor data requests,” did not effectively “encrypt data
`
`on its server,” and its “retention period and data scope did not comply with the customer’s [sic]
`
`reasonable expectations.” AC ¶¶ 211, 254, 258. Plaintiff repeats this refrain throughout the
`
`Complaint but fails to plead facts supporting a claim that the statements Plaintiff challenges misled
`
`investors for the reasons asserted (or at all).
`
`In fact, Plaintiff’s own allegations confirm that Capital One repeatedly emphasized in
`
`public statements that the Company was collecting consumer data to further its information-based
`
`strategy and was analyzing and using that data “across all the segments” of its business. Id. ¶ 41;
`
`see also id. ¶ 72 (“Capital One executives consistently referred to … [Capital One’s] use of
`
`machine learning employed on vast sets of customer data ….”); ¶ 77 (discussing “this data
`
`foundation … we’ve been putting into place”); ¶ 92 (discussing the “big opportunity… to
`
`ultimately increasingly leverage the big data that is out there”). These allegations directly negate
`
`Plaintiff’s conclusory and unsupported assertion that Defendants misled investors about Capital
`
`One’s creation of “data pools” and “widespread access” to the data within the Company.
`
`Plaintiff similarly fails to plead any factual support for the assertion that Capital One’s data
`
`retention practices failed to “comply with … customer[s’] reasonable expectations.” Not only
`
`does Plaintiff fail to plead any factual basis establishing what customers “expect[ed],” Plaintiff’s
`
`8
`
`

`

`Case 1:19-md-02915-AJT-JFA Document 319 Filed 02/18/20 Page 15 of 38 PageID# 2405
`
`
`
`conclusory allegation on this point is flatly at odds with the numerous public statements Plaintiff
`
`acknowledges Capital One made about its use of consumer data to further its information-based
`
`strategy. Further, even if Plaintiff had pled facts supporting an alleged failure to adhere to
`
`customer expectations (he has not), that cannot be equated to knowingly defrauding investors,
`
`which is what Plaintiff must plead here. See In re Citigroup, Inc. Sec. Litig., 330 F. Supp. 2d 367,
`
`380 & n.5 (S.D.N.Y. 2004) (differentiating between an “intent to defraud [Defendant’s]
`
`shareholders” and intent to “hide matters from the shareholders of [Defendant’s] clients”).
`
`
`
`Plaintiff’s allegations that Capital One “fail[ed] to monitor data requests” fare no better.
`
`Here again, Plaintiff is undone by his own allegations pleading that “Capital One suffered upwards
`
`of 20 cyberattacks per month,” which were reported up the chain of command to Defendant
`
`Johnson at regularly held meetings. AC ¶¶ 149, 150. Such attacks would not have been detected
`
`if Capital One was not monitoring data requests. Plaintiff is thus left with the hindsight and
`
`conclusory allegation that “a competent network should have been able to detect when the hacker
`
`exfiltrated large amounts of data from Capital One’s server.” Id. ¶ 147. This too fails to plead
`
`falsity, because a court cannot infer that Capital One’s monitoring practices were inadequate from
`
`the fact that that Company was victimized in a cyber-attack. See In re Heartland Payment Systems,
`
`Inc. Sec. Litig., Civ. No. 09-1043, 2009 WL 4798148, at *5 (D.N.J. Dec. 7, 2009); see also
`
`Oklahoma Firefighters Pension & Ret. Sys. v. K12, Inc., 66 F. Supp. 3d 711, 717 (E.D. Va. 2014)
`
`(Trenga, J.) (statements admitting that “in hindsight, [the company] realized that its marketing
`
`activities were not done in the most effective manner” did not render prior statements regarding
`
`company’s focus on marketing false when made).
`
`
`
`Plaintiff’s allegations that the data encryption Capital One employed effectively amounted
`
`to “no encryption at all” also fail to support fraud claims. Plaintiff’s allegations acknowledge that
`
`9
`
`

`

`Case 1:19-md-02915-AJT-JFA Document 319 Filed 02/18/20 Page 16 of 38 PageID# 2406
`
`
`
`Capital One did encrypt data and took the further step of tokenizing social security and bank
`
`ac