Public companies can face significant securities litigation risk over defective algorithms, data errors and software glitches. As securities class action filings continue to increase across the board, plaintiffs lawyers have attacked numerous companies over stock price declines that occur after software problems are revealed. Recent court decisions denying dismissal in securities class actions against Fitbit and OSI Systems illustrate the risks that technology companies face when there is a gap between their public disclosures and the actual status of their software, including undisclosed defects in software algorithms. Short sellers have also targeted companies with negative investigatory “reports” over alleged software problems and data errors, which can trigger securities lawsuits and U.S. Securities and Exchange Commission investigations if the stock price falls after the short-seller report. Even companies that follow best practices in software development can face securities liability for unexpected problems if they do not also follow best practices from a disclosure standpoint. Fortunately, companies can mitigate the risk of shareholder litigation by enhancing their cautionary disclosures, carefully scrutinizing their affirmative statements (including in analyst call Q&A) to avoid overstating the capabilities or development status of new software, and developing a robust crisis management plan to ensure appropriate disclosures in the immediate aftermath of a software problem.
By design, securities fraud claims are difficult for plaintiffs to plead and prove, and the mere fact that a company experiences unexpected software or technology problems is generally insufficient to establish liability. As one court aptly noted,
In re Siebel Systems Inc. Securities Litigation, No. C 04-0983, 2005 WL 3555718, at *4 (N.D. Cal. Dec. 28, 2005) (dismissing securities complaint despite allegations that new software product “was a disaster”). Companies have frequently succeeded in obtaining dismissal in other “software glitch” or “defective algorithm” cases where the disclosures adequately warned investors about potential problems or where plaintiffs failed to supply adequate evidence that executives knew of the problems before they were publicly disclosed.
Nonetheless, technology companies can increase their securities litigation risk by overpromising their software capabilities, understating or concealing known problems, or continuing to repeat positive statements about the technology without accounting for changed circumstances.
The Fitbit Litigation
The 2016 opinion denying dismissal in the Fitbit securities litigation illustrates the liability risks when a company touts the accuracy of an algorithmic software device that turns out to be less accurate than hoped. See Robb v. Fitbit Inc., 216 F. Supp. 3d 1017 (N.D. Cal. 2016). During the year before its initial public offering, Fitbit introduced a new proprietary heart rate tracking function called PurePulse for the company’s smartwatch fitness wristbands. Id. at 1026. The company marketed the new technology using the slogan, “Every Beat Counts,” and issued a press release stating that PurePulse “applies Fitbit’s finely tuned algorithms to deliver heart rate tracking 24/7” and uses “[s]uperior heart rate tracking technology” to “offer continuous, automatic heart rate tracking all day, all night and during workouts so you never miss a beat.” Id.
The IPO prospectus stated that “[w]e dedicate significant resources to developing proprietary sensors, algorithms, and software measurements to ensure that our products have highly accurate measurements” and “feature proprietary and advanced sensor technologies and algorithms as well as high accuracy and long battery life.” Id. at 1027. The IPO prospectus also stated that the devices containing the PurePulse technology were “the primary drivers of our revenue growth in the first quarter of 2015” and were thus a critical component to the company’s business success. Id. at 1022-23. The company later issued a secondary offering prospectus claiming that “Fitbit’s proprietary PurePulse heart rate technology has been updated to provide users with an even better heart rate tracking experience during and after high intensity workouts like boot camp and Zumba.” Id. at 1028. The stock price later fell after a series of public disclosures suggesting that PurePulse had significant accuracy problems, including a class action by Fitbit customers and the announcement of unfavorable study results by a local television station, which included a heart error rate that the station described as “bordering on dangerous.” Id. at 1023. Shareholder class action litigation soon followed.
In denying the defendants’ motion to dismiss, the district court found that certain statements by Fitbit that the devices could “automatically and continuously track their heart rate during everyday activity and exercise” were actionable misstatements of fact in light of the significant accuracy problems that were later revealed. As often occurs in securities litigation, the plaintiffs relied heavily on allegations by anonymous former employees or contractors, including a data scientist hired on a contract basis to develop quality-assurance analytics for Fitbit devices and a contract fitness tester who logged the heart rate results from testers who exercised while wearing Fitbit devices. Id. at 1032. Both “confidential witnesses” alleged that they reported significant accuracy problems to Fitbit’s chief operating officer by June or July 2015. See id. The company, however, continued to make public disclosures that PurePulse provided “highly accurate measurements.” Id. at 1027. The district held that the “confidential witness” allegations — along with the admitted importance of PurePulse to Fitbit’s revenue growth — sufficiently demonstrated management’s awareness of the alleged accuracy problems to support a strong inference that Fitbit’s continued public disclosures regarding the “accuracy” of PurePulse were intentionally or recklessly false. See id. at 1032-33.
The court also rejected Fitbit’s argument that the cautionary disclosures in Fitbit’s IPO prospectus adequately warned investors about the possibility of accuracy issues, noting that the cautionary language only acknowledged “past” claims about the inaccuracy of Fitbit devices and merely stated that “[i]f our products fail to provide accurate measurements … we may become the subject of negative publicity” and litigation, and that “our brand, operating results, and business could be harmed.” Id. at 1035 (emphasis in original). As the court reasoned, the cautionary language “does not disclose that there were presently, at the time of the IPO, indications that Fitbit’s heart rate monitoring technology was inaccurate, as the Amended Complaint alleges.” Id. The cautionary language thus did not cleanse the alleged falsity of Fitbit’s affirmative statements regarding the accuracy of PurePulse. See id.
The OSI Decision
Another district court reached a similar outcome in a class action against OSI Systems over alleged problems with the development of software algorithms for full-body-image airport security scanners. See Roberti v. OSI Systems Inc., No. CV 13-9174-MWF (VBKx), 2015 WL 1985562 (C.D. Cal. Feb. 27, 2015). The company publicly stated that the technology was “undergoing its final testing as we speak,” that the company expected that the government “will be looking at potential orders within the next few months,” and that “we’ve completed our side” of the software development. Id. at *7. As in the Fitbit litigation, however, the plaintiffs presented allegations from various anonymous former employees who claimed that “the algorithm [for the software] was behind” by about a year, that the company “cherry-picked” the machines it sent to the government for testing so that more problematic machines were concealed, and that problems with the software development were documented in the company’s internal defect tracking database, which was allegedly accessible to all OSI management. Id. at *2. The government eventually sent OSI’s subsidiary a show cause letter alleging that the subsidiary had not timely disclosed the problems encountered in the development process, to which the subsidiary responded by conceding that it “became aware of an issue related to software under development months ago and promptly notified the [Transportation Security Administration].” Id. at *3. Two months later, the TSA canceled its contract with OSI’s subsidiary. Id. The court denied dismissal, holding that the “confidential witness” allegations and TSA correspondence raised a strong inference that OSI’s public disclosures about “final testing” and having “completed [its] side of the software development” were knowingly or recklessly misleading.
Takeaways and Best Practices
The Fitbit and OSI cases provide important lessons for companies that face risks from software development problems or defective algorithms. Companies can mitigate their securities litigation risk by keeping the following principles in mind:
- Companies should include robust cautionary disclosures in Form 10-K filings and offering documents regarding the potential for errors or defects in software programs (including both existing and future programs) and the difficulties inherent in the development process for new software. Companies, however, should not expect that generalized warnings about potential problems will insulate them from liability when they know of actual problems that already pose material risks to investors.
- Companies should be particularly careful when making definitive positive statements about the accuracy or functionality of software products (for example, when stating that a product is “highly accurate” or when assuring that a specific product development timeline will be achieved). As a practical matter, the more definitive a company’s affirmative statements are, the greater duty a company has to modify its disclosures when problems arise. By contrast, companies that provide more qualifications or caveats when making affirmative statements have greater margin for error and flexibility to address subsequent problems.
- Companies should implement adequate disclosure controls and channels of communication to ensure that significant software problems are promptly communicated to senior management and disclosure counsel, so that the company has adequate time to assess the impact of such problems on its public disclosures.
- When material problems arise, companies should review past statements regarding software capabilities or the timeline for product development to determine whether they were rendered false or misleading in light of the problems that are discovered. Companies frequently get in trouble for repeating affirmative statements contained in prior press releases or disclosures that may no longer be accurate in light of subsequent developments.
- Companies should be particularly mindful of disclosures made in analyst calls (especially Q&A), statements to the press and informal investor presentations, as many companies do not apply the same rigor to these types of less formal disclosures as they do to SEC filings.
- Companies should assume that employees involved in software development may voluntarily disclose details about software problems to plaintiffs lawyers and regulators, including details about management’s knowledge of alleged problems. Companies should also assume that sophisticated short sellers are scrutinizing their disclosures and will pounce without warning if they find a vulnerability.
- Companies should develop a robust crisis management plan in the event software errors arise, including plans for ensuring that the disclosures regarding such events accurately reflect the information available to management, avoid unfounded speculation, do not unduly minimize the problem, and do not overpromise with respect to future remediation or investigation efforts.
Gerard G. Pecht is a partner in Norton Rose Fulbright’s Houston office. He is also global head of the firm’s dispute resolution and litigation practice group and head of the regulation, investigations, securities and compliance (RISC) practice group.
Peter A. Stokes is a partner in Norton Rose’s Austin office and is a member of the RISC practice group.
 See, e.g., Ho v. Flotek Industries Inc., No. 4:15-CV-3327, 2017 WL 1240111 (S.D. Tex. Mar. 29, 2017) (granting dismissal where allegations failed to show advance knowledge by company’s executives regarding “mistakes in [the] algorithm” for the company’s software); Shemian v. Research In Motion Ltd., No. 11 Civ. 4068, 2013 WL 1285779, at *2 (S.D.N.Y. Mar. 29, 2013) (allegations that the defendants “miscalculated and poorly executed on the development of new [software] products” insufficient to show fraud absent allegations that executives knew of problems at the time of the company’s disclosures); Wozniak v. Align Technology Inc., 850 F. Supp. 2d 1029, 1040-41 (N.D. Cal. 2012) (granting dismissal where company disclosed “the jury is still out” on the beta test of software that the plaintiffs alleged was difficult to use). See, e.g., Ho v. Flotek Industries Inc., No. 4:15-CV-3327, 2017 WL 1240111 (S.D. Tex. Mar. 29, 2017) (granting dismissal where allegations failed to show advance knowledge by the company’s executives regarding “mistakes in [the] algorithm” for the company’s software); Shemian v. Research In Motion Ltd., No. 11 Civ. 4068, 2013 WL 1285779, at *2 (S.D.N.Y. Mar. 29, 2013) (allegations that the defendants “miscalculated and poorly executed on the development of new [software] products” insufficient to show fraud absent allegations that executives knew of problems at the time of the company’s disclosures); Wozniak v. Align Technology, Inc., 850 F. Supp. 2d 1029, 1040-41 (N.D. Cal. 2012) (granting dismissal where company disclosed “the jury is still out” on the beta test of software that the plaintiffs alleged was difficult to use).