Opinion
1:21-CV-138-RP
2022-03-30
IN RE SOLARWINDS CORPORATION SECURITIES LITIGATION
ORDER
ROBERT PITMAN, UNITED STATES DISTRICT JUDGE
Before the Court is a consolidated motion to dismiss by Defendants Tim Brown ("Brown") and SolarWinds Corporation ("SolarWinds"), (Dkt. 41); a motion to dismiss by Defendants Silver Lake Group, LLC and Silver Lake Technology Management, LLC (collectively, "Silver Lake"), (Dkt. 42); a motion to dismiss by Defendant Kevin B. Thompson ("Thompson"), (Dkt. 44); and a motion to dismiss by Defendant Thoma Bravo, LP ("Thoma Bravo"), (Dkt. 45). Plaintiffs, members of a putative class, filed a consolidated response in opposition, (Dkt. 55), and Brown and SolarWinds filed a reply, (Dkt. 59), as did Silver Lake, (Dkt. 61), Thompson, (Dkt. 62), and Thoma Bravo, (Dkt. 63). The Court has considered the parties’ briefing and enters the following order.
In their motion to dismiss, Brown and SolarWinds include a footnote requesting the Court take judicial notice of multiple documents filed by Defendants in support of their motion. The Court notes that "[w]hen faced with a Rule 12(b)(6) motion to dismiss a § 10(b) action, courts must, as with any motion to dismiss for failure to plead a claim on which relief can be granted, accept all factual allegations in the complaint as true." Lormand v. US Unwired, Inc. , 565 F.3d 228, 232 (5th Cir. 2009). As the documents proffered by Brown and SolarWinds include assertions that compete with Plaintiffs’ allegations, the Court declines to take judicial notice of them at this stage. The Court may address these documents if appropriately raised at a later point in the proceedings.
I. BACKGROUND
This case concerns a cybersecurity breach that occurred at SolarWinds, a publicly traded company that, during the class period, provided information technology software to a host of private and government actors. The parties do not appear to dispute that the Russian Foreign Intelligence Service injected a malicious code into SolarWinds "Orion" software, which was discovered in late 2020. (Compl, Dkt. 26, at 61; Dkt. 41, at 8). When the infected code was downloaded onto a customer's server, it could be used to compromise the server. (Id. ). As a result of the breach, SolarWinds’ stock value plummeted leading to the present class-action complaint against SolarWinds. (Compl., Dkt. 26, at 65). The Lead Plaintiff in this action is the New York City District Council of Carpenters Pension Fund. (Id. at 4). Hereinafter, the Court will refer to the class-action plaintiffs as "Plaintiffs." On February 9, 2021, Plaintiffs filed their initial complaint in this Court, seeking recovery under the Exchange Act on behalf of the Carpenters Pension Fund "and all persons and entities, except Defendants and their affiliates, and who purchased or otherwise acquired the securities of [SolarWinds] between October 18, 2018, and December 17, 2020 [ ] (the "Class Period") and were damaged" as a result of the breach and SolarWinds stock's resultant loss of value. (Dkt. 1; Compl., Dkt. 26, at 4). Plaintiffs later filed a consolidated complaint, (Id. ), and have now alleged causes of action against SolarWinds, Thompson (SolarWinds Chief Executive Officer during the class period), J. Barton Kalsu (SolarWinds’ Executive Vice President, Chief Financial Officer, and Treasurer during the class period), Tim Brown (SolarWinds’ Vice President of Security Architecture during the class period), and Silver Lake and Thoma Bravo (private equity firms each owning approximately 40% of SolarWinds’ securities during the class period).
According to Plaintiff's complaint, SolarWinds customers—which included the U.S. Pentagon, State Department, Office of the President, FBI, Secret Service, and National Security Administration—utilized SolarWinds’ information technology software. (Id. ). Given its customers’ highly sensitive data and need for significant cybersecurity measures, SolarWinds "falsely and misleadingly" told investors that SolarWinds had a robust cybersecurity system and adhered to specific cybersecurity practices set forth in a "Security Statement" on its website. (Id. ). The Security Statement represented that SolarWinds had a security team, had an information security policy, provided security training to its employees, followed a password policy, and segmented its network, among other things. (Id. at 5). A photo and video of Brown was featured prominently near the Security Statement, and Brown likewise regularly wrote articles and appeared in interviews and on podcasts touting SolarWinds’ focus on "heavy-duty hygiene" and directing customers and investors to the Security Statement. (Id. at 5, 18–19). SolarWinds’ commendations of its cybersecurity measures "helped the Company build up its customer base," "as it gained 300,000 customers worldwide and more than $230 million in federal government contracts" during the class period. (Id. at 5).
However, SolarWinds purported security measures were "woefully deficient and not as represented." (Id. at 6). Indications that SolarWinds’ cybersecurity efforts were not as they seemed include a presentation given by Ian Thornton-Trump ("Thornton-Trump"), SolarWinds former Global Cybersecurity Strategist, before the class period began. (Id. ). Thornton-Trump's presentation was given to the Company's top executives including individuals who reported directly to Thompson. (Id. ; id. at 34). Thornton-Trumps presentation addressed SolarWinds’ deficient cybersecurity practices. (Id. at 6). Thompson's direct-reports noted that Thompson would not be willing to invest in the cybersecurity improvements proposed by Thornton-Trump; when the company refused to implement Thornton-Trump's changes, he resigned in protest. (Id. ).
During the class period, on November 11, 2019, a cybersecurity researcher notified SolarWinds in writing that the password for its Update Server—the server from which customers downloaded software updates for the Company's products—had been publicly available on the website GitHub for around one-and-a-half years. (Id. at 6–7, 52). The password was "solarwinds 123." (Id. at 7). It had been set by an intern and remained unchanged since it was posted on GitHub. (Id. at 7, 46). Brown and SolarWinds changed the password within an hour of receiving the email, but did not disclose the password leak, nor its significance: that any hacker could have used the password to upload malicious files to the server SolarWinds customers used to download updates. (Id. ; id. at 74). Ten former employees of the company also stated that SolarWinds did not employ the cybersecurity measures it purported to employ. The employees stated the company did not have a security team, no security information policy, no password policy, no security training, and no segmenting of its networks to limit user access to parts of the SolarWinds network related to their job functions. (Id. at 7–8).
One week before the breach was revealed and SolarWinds’ stock price dropped, Thompson sold over $20 million in SolarWinds stock and Silver Lake and Thoma Bravo sold $261 million in shares. (Id. at 29–30). After the breach, which was widely reported on by major media outlets, was discovered in late 2020, SolarWinds’ share price plummeted 34%. (Id. at 8). Customers abandoned the company's software, and the homeland security adviser to President Donald Trump stated that "[t]he magnitude of this ongoing attack is hard to overstate." (Id. at 67). The stock price has not recovered, and analysists have continued to reduce its price targets. (Id. ). The Department of Justice, the Securities and Exchange Commission ("SEC"), and various state Attorneys General are investigating SolarWinds’ alleged misconduct. (Id. at 71). SolarWinds’ new CEO, Sudhakar Ramakrishna ("Ramakrishna"), plans to institute several reforms to improve SolarWinds’ cybersecurity efforts. (Id. at 68).
Brown, SolarWinds, Thompson, Silver Lake, and Thoma Bravo heavily dispute Plaintiffs’ allegations, and each filed a motion to dismiss pursuant to Federal Rule of Civil Procedure 12(b)(6), alleging that Plaintiffs have failed to state a claim upon which relief can be granted. (See generally Dkt. 41, 42, 44, 45). Defendants Brown and SolarWinds filed their motion to dismiss on August 2, 2021, asserting that Plaintiffs failed to sufficiently plead that they engaged in material, misleading statements or omissions, failed to demonstrate a strong inference that they acted with scienter, and failed to allege that the material, misleading statements or omissions caused Plaintiffs’ losses. (See Dkt. 41). Thompson similarly seeks dismissal on the ground that Plaintiffs failed to allege that he made any material, false or misleading statements, or that he possessed the mental state required under the Exchange Act. (Dkt. 44). Thompson, Silver Lake, and Thoma Bravo each aver that Plaintiffs have failed to properly assert a control-person claim under Section 20(a) of the Exchange Act). (Dkts. 42, 44, 45). The Court will address each motion in turn.
II. LEGAL STANDARD
Pursuant to Rule 12(b)(6), a court may dismiss a complaint for "failure to state a claim upon which relief can be granted." Fed. R. Civ. P. 12(b)(6). In deciding a 12(b)(6) motion, a "court accepts ‘all well-pleaded facts as true, viewing them in the light most favorable to the plaintiff.’ " In re Katrina Canal Breaches Litig. , 495 F.3d 191, 205 (5th Cir. 2007) (quoting Martin K. Eby Constr. Co. v. Dallas Area Rapid Transit , 369 F.3d 464, 467 (5th Cir. 2004) ). "To survive a Rule 12(b)(6) motion to dismiss, a complaint ‘does not need detailed factual allegations,’ but must provide the plaintiff's grounds for entitlement to relief—including factual allegations that when assumed to be true ‘raise a right to relief above the speculative level.’ " Cuvillier v. Taylor , 503 F.3d 397, 401 (5th Cir. 2007) (citing Bell Atl. Corp. v. Twombly , 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ). That is, "a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’ " Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (quoting Twombly , 550 U.S. at 570, 127 S.Ct. 1955 ).
A claim has facial plausibility "when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. "The tenet that a court must accept as true all of the allegations contained in a complaint is inapplicable to legal conclusions. Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice." Id. A court ruling on a 12(b)(6) motion may rely on the complaint, its proper attachments, "documents incorporated into the complaint by reference, and matters of which a court may take judicial notice." Dorsey v. Portfolio Equities, Inc. , 540 F.3d 333, 338 (5th Cir. 2008) (citations and internal quotation marks omitted). A court may also consider documents that a defendant attaches to a motion to dismiss "if they are referred to in the plaintiff's complaint and are central to her claim." Causey v. Sewell Cadillac-Chevrolet, Inc. , 394 F.3d 285, 288 (5th Cir. 2004). But because the court reviews only the well-pleaded facts in the complaint, it may not consider new factual allegations made outside the complaint. Dorsey , 540 F.3d at 338. "[A] motion to dismiss under 12(b)(6) ‘is viewed with disfavor and is rarely granted.’ " Turner v. Pleasant , 663 F.3d 770, 775 (5th Cir. 2011) (quoting Harrington v. State Farm Fire & Cas. Co. , 563 F.3d 141, 147 (5th Cir. 2009) ).
III. DISCUSSION
As there are four motions to dismiss, the Court begins its analysis with the motion by Brown and SolarWinds, (Dkt. 41), followed by Thompson, (Dkt. 44), and then Silver Lake and Thoma Bravo, (Dkts. 42, 45).
A. Brown and SolarWinds’ Rule 12(b)(6) Motion
Plaintiffs bring their claims against Brown and SolarWinds pursuant to Section 10(b) of the Exchange Act and Rule 10b-5 promulgated thereunder. Section 10(b) of the Exchange Act states:
It shall be unlawful for any person, directly or indirectly, by the use of any means or instrumentality of interstate commerce or of the mails, or of any facility of any national securities exchange ...
(b) To use or employ, in connection with the purchase or sale of any security registered on a national securities exchange or any security not so registered, or any securities-based swap agreement 1 any manipulative or deceptive device or contrivance in contravention of such rules and regulations as the Commission may prescribe as necessary or appropriate in the public interest or for the protection of investors ...
15 U.S.C. § 78j(b). Rule 10b-5 states:
It shall be unlawful for any person, directly or indirectly, by the use of any means or instrumentality of interstate commerce, or of the mails or of any facility of any national securities exchange,
(a) To employ any device, scheme, or artifice to defraud,
(b) To make any untrue statement of a material fact or to omit to state a material fact necessary in order to make the statements made, in the light of the circumstances under which they were made, not misleading, or
(c) To engage in any act, practice, or course of business which operates or would operate as a fraud or deceit upon any person, in connection with the purchase or sale of any security.
To state a viable securities fraud claim under Section 10(b) and Rule 10b-5, Plaintiffs must allege that: (1) Defendants made a misrepresentation or omission relating to the purchase or sale of a security; (2) such representation or omission related to a material fact; (3) the representation or omission was made with scienter; (4) Plaintiffs acted in reliance on Defendants’ representation or omission; and (5) the representation or omission proximately caused Plaintiffs’ losses. Alaska Elec. Pension Fund v. Flotek Indus., Inc. , 915 F.3d 975, 981 (5th Cir. 2019). Defendants Brown and SolarWinds argue that Plaintiffs failed adequately plead that Defendants acted with scienter, that they made a misrepresentation or omission of a material fact, and that they proximately caused Plaintiffs’ losses. (Dkt. 41, at 8).
"Statements attributed to individual executive officers are also treated as having been made by" SolarWinds, "as all of them appear from the face of the Complaint to have been made pursuant to their positions of authority within the company." See Southland Sec. Corp. v. INSpire Ins. Sols., Inc. , 365 F.3d 353, 365–66 (5th Cir. 2004).
In addition to the pleading requirements set forth by Federal Rule of Civil Procedure 9(b), "[s]ecurities fraud claims" are "also subject to the pleading requirements imposed by" the Private Securities Litigation Reform Act ("the Reform Act"). Owens v. Jastrow , 789 F.3d 529, 535 (5th Cir. 2015). "At a minimum, the [Reform Act's] pleading standard incorporates the ‘who, what, when, where, and how’ requirements" of Federal Rule of Civil Procedure 9(b). ABC Arbitrage Plaintiffs Grp. v. Tchuruk , 291 F.3d 336, 349–50 (5th Cir. 2002). Specifically, "[i]n order to meet these additional requirements of the PSLRA, a plaintiff must, therefore: (1) specify each statement alleged to have been misleading; (2) identify the speaker; (3) state when and where the statement was made; (4) plead with particularity the contents of the false representation; (5) plead with particularity what the person making the misrepresentation obtained thereby; and (6) explain the reason or reasons why the statement is misleading, i.e. , why the statement is fraudulent." In re BP p.l.c. Sec. Litig. , 843 F. Supp. 2d 712, 746 (S.D. Tex. 2012) (citing ABC Arbitrage Plaintiffs Group , 291 F.3d at 350 (5th Cir. 2002) ).
1. Scienter
The Private Securities Litigation Reform Act (PSLRA) specifically requires that a complaint in a securities case support allegations of scienter with "facts giving rise to a strong inference that the defendant acted with the required state of mind." 15 U.S.C. § 78u-4(b)(2)(A). " ‘Scienter’ is ‘a mental state embracing intent to deceive, manipulate, or defraud.’ " Goldstein v. MCI WorldCom , 340 F.3d 238, 245 (5th Cir. 2003). For purposes of 10(b) liability, a defendant must have acted with, at minimum, severe recklessness. Warren v. Reserve Fund, Inc. , 728 F.2d 741, 745 (5th Cir. 1984). To evaluate scienter in a securities-fraud case, a court must (1) take the well-pleaded allegations as true; (2) evaluate the facts collectively, including facts contained in "documents incorporated in the complaint by reference and matters subject to judicial notice," "to determine whether a strong inference of scienter has been pled"; and (3) "take into account plausible inferences opposing as well as supporting a strong inference of scienter." Alaska Elec. Pension Fund , 915 F.3d at 982. To withstand a motion to dismiss, "an inference of scienter must be more than merely plausible or reasonable—it must be cogent and at least as compelling as any opposing inference of nonfraudulent intent." Id. (citing Tellabs, Inc. v. Makor Issues & Rights, Ltd. , 551 U.S. 308, 314, 127 S.Ct. 2499, 168 L.Ed.2d 179 (2007) ). Scienter must be alleged with respect to "the individual corporate official or officials who make or issue the statement (or order or approve it or its making or issuance, or who furnish information or language for inclusion therein, or the like) rather than generally to the collective knowledge of all the corporation's officers and employees acquired in the course of their employment." Alaska Elec. Pension Fund , 915 F.3d at 982 (quotation marks omitted).
Brown and SolarWinds make four primary arguments in support of their claim that Plaintiffs failed to effectively plead scienter. First, they argue that Thornton-Trump's presentation on the security practices does not offer evidence of Scienter. Specifically, they argue: (1) Thornton-Trump's presentation was made eighteen months before the class period began; (2) that the presentation was given to non-party employees, with no facts demonstrating that the information from the presentation was conveyed to Thompson or Brown; (3) that Thornton-Trump did not work on the software that was affected in the cybersecurity attack; and (4) that Plaintiffs fail to allege that Thornton-Trump's presentation even addressed the six statements being challenged by Plaintiffs as evidence of scienter. (Dkt. 41, at 9–10, 24–27).
Second, Brown and SolarWinds argue that the ten anonymous former employees whose statements Plaintiffs rely on did not work closely with SolarWinds’ security infrastructure, that Plaintiffs fail to allege that any of the former employees communicated their concerns about the company's security to any the defendants, and that anonymous, vague statements are not sufficient to support an inference of scienter. (Id. at 10, 27–30).
Third, Brown and SolarWinds assert that the company's server that was the site of the "solarwinds123" password incident was completely unrelated to the server that was compromised during the cybersecurity breach. (Id. at 30). They further argue that Brown was under no obligation to disclose the breach and that Plaintiffs fail to assert that any ongoing vulnerability from the password incident was not fully addressed after the password was changed. (Id. at 31). Brown and SolarWinds also state that the challenged statements were made well before SolarWinds was first notified about the password breach, and thus knowledge of the password breach was not contemporaneous with the statements. (Id. at 31–32). Finally, they argue that "solarwinds123" incident was a discrete violation of SolarWinds password policy, not evidence that there was no password policy or that SolarWinds broadly failed to enforce its password policy. (Id. at 32).
Finally, Brown and SolarWinds assert that stock sales by some Defendants does not raise an inference of scienter. They argue that Thompson sold his stock for legitimate reasons apart from the security breach, while the sale of stock by Silver Lake and Thoma Bravo has no bearing on the scienter analysis. (Id. at 10–11, 33–35). Lastly, they argue that allegations that SolarWinds skimped on paying for cybersecurity and announced improvements to their cybersecurity systems after the attack do not bear on the mindset of Defendants at the time of the breach. (Id. at 35–36).
As the arguments surrounding the stock sales primarily affect defendants Thompson, Silver Lake, and Thoma Bravo, the Court will address these arguments when looking at their motions to dismiss. See infra Part III(B)–(C).
The Court finds that Plaintiffs sufficiently plead that Defendant Brown acted with, at least, severe recklessness when he touted the security measures implemented at SolarWinds. Plaintiffs plead that Brown held himself out as a responsible and knowledgeable authority regarding SolarWinds’ cybersecurity measures. (Compl., Dkt. 26, at 11, 16–19, 22–23, 59, 76, 87–88). Plaintiffs assert Brown's title was Vice President of Security Architecture, he often appeared in interview endorsing SolarWinds’ cybersecurity efforts, he was the face (literally) of the Security Statement page on the company's website, and he addressed cybersecurity issues when they arose. (See generally id. ). In BP , the court found a strong inference of scienter as to the defendant CEO because his "own actions as the spokesperson and champion for BP's reform efforts weigh[ed] strongly in favor of the inference that [he] paid special attention to BP's process safety efforts or, at the least, was reckless in not doing so while continuing to publicly tout improvements." 843 F. Supp. 2d 712, 783 (S.D. Tex. 2012). The same applies here, as Brown's alleged statements bear a striking similarity to the defendant CEO in BP : while the CEO in BP made at least eighteen different statements regarding BP's safety standards and stated he intended to "focus on safety like a laser," id. , Plaintiffs here point to at least at least a dozen statements attributed to Brown, who noted on a company podcast that he was "focused on ... heavy-duty hygiene." (Compl., Dkt. 26, at 87).
Brown and SolarWinds argue against the applicability of BP to the present case, stating that BP failed to implement safety procedures recommended by regulators, received safety citations, and prepared an internal analysis warning of safety issues. (Dkt. 41, at 8–9). While SolarWinds cybersecurity efforts undoubtedly operate on a smaller scale than the massive regulatory framework surrounding oil companies like BP, the Court finds that Plaintiffs’ allegations that Brown became aware of the years-long "solarwinds123" password breach and was not requiring security training, segmenting its employee networks, or implementing a password policy while he was touting the cybersecurity protocols at SolarWinds is sufficient for an inference of scienter.
Further, Brown and SolarWinds arguments regarding the "solarwinds123" password breach do not provide a strong, plausible inference opposing scienter. The Court disagrees with the argument that scienter is precluded because the server that was compromised through the password breach was not the same server that was compromised in the breach at issue here. Plaintiffs need not plead that the password incident directly caused the later breach—instead, they need merely demonstrate that Defendants were knowledgeable or at least reckless with their statements regarding SolarWinds’ security, that Plaintiffs relied on Defendants’ commendations of SolarWinds’ security, and that Plaintiffs’ reliance on these representations caused their loss. See Alaska Elec. Pension Fund , 915 F.3d at 981. Put another way, the misleading representations and the reliance on them must cause the loss. The allegations of underlying security issues (such as the "solarwinds123" password breach) need not suggest that these security issues directly caused the loss; instead, their purpose is to demonstrate that the executives were at least reckless in not realizing that something was dangerously amiss. An egregious refusal to investigate may give rise to an inference of recklessness. Plotkin v. IP Axess Inc. , 407 F.3d 690, 700 (5th Cir. 2005). Further, statements attributed to Brown through the Security Statement on the website —which stated that the Company "distributes security alerts," requires employees to have "account, data, and physical security," and implements "password best practices"—continued to be presented on the webpage after Brown and SolarWinds learned of the years-long password breach, and Brown continued to direct investors and customers to the Security Statement. (Dkt. 26, at 19); see also Lormand , 565 F.3d at 259 (finding misstatements actionable where Defendants proceeded to issue positive statements throughout the class period without acknowledging material information). Although Brown and SolarWinds offer the opposing inference that the "solarwinds123" password breach was a "discrete violations of SolarWinds’ password practices," (Dkt. 41, at 32), the Court finds that the alleged severity of the breach coupled with Plaintiffs’ allegations that a password policy did not exist leads to an inference in favor of the Plaintiffs.
See infra Part III(A)(2) (finding that Brown "made" the statements alleged in the Security Statement).
Next, the statements of ten former employees rebutting Brown and SolarWinds’ representations regarding cybersecurity aids the inference of scienter. The complaint states that the former employees included a sales engineer, a security specialist, a backup and disaster recovery specialist, a director of global recruiting, an HR contractor, a security account manager, and a marketing associate. While Brown and SolarWinds assert that these employees did not directly work with SolarWinds’ security protocols, nor interface directly with the security team, the Court notes that several of the statements at issue in the complaint applied to employees of the company broadly. For example, Plaintiffs allege that the Security Statement they take issue with stated that SolarWinds employees were required to sign the company's information security policy, develop passwords consistent with the company's password policy, and receive cybersecurity training. (Compl., Dkt. 26, at 49–54). Plaintiffs assert that the former employees stated they were not aware of an information security policy or a password policy, and they did not receive cybersecurity training. (Id. ). As Brown, the Vice President of Security Architecture, allegedly often touted the company's security policy and directed investors and customers to the Security Statement—where an image and video of Brown were displayed, and the page stated the company required an information security policy, a password policy, and trainings, among others—a trier of fact could infer that Brown may have been aware of whether employees were indeed broadly required to sign an information security policy, comply with the password policy, and attend trainings. Compare In re Netsolve, Inc. Sec. Litig. , 185 F. Supp. 2d 684, 697 (W.D. Tex. 2001) (finding allegations of scienter adequate where undisclosed problems should have been apparent to company executives) with Goldstein , 340 F.3d at 251 (declining to hold executives accountable purely because of their position in the company when no allegations were made that the executives had any role in offering the misleading statements). Finally, Plaintiffs acknowledge that Thornton-Trump's presentation on the cybersecurity deficiencies at SolarWinds and, ultimately, his resignation, happened before the class period began. The Court finds that Plaintiffs’ allegations regarding Thornton-Trump's presentation are not, when viewed alone, particularly strong allegations of Defendants’ mental state at the time the alleged misrepresentations were made. However, Thornton-Trump's statements, when looked at in light of the above-mentioned allegations that the cybersecurity measures at SolarWinds were not as strong as Brown repeatedly represented during the class period, support the Court's conclusion that Plaintiffs have plausibly asserted the element of scienter. Taking the foregoing, well-pleaded allegations as true and evaluating the facts collectively, the Court finds that Plaintiffs have met their pleading obligations at this stage and declines to grant Brown and SolarWinds’ motion to dismiss on the grounds that Plaintiffs failed to adequately plead scienter.
Brown and SolarWinds argue the Court "must discount allegations from confidential sources generally." (Dkt. 41, at 29) (citing Indiana Elec. Workers’ Pension Tr. Fund IBEW v. Shaw Grp., Inc. , 537 F.3d 527, 535 (5th Cir. 2008) ). However, Plaintiffs have described the former employees with sufficient particularity to support that they would possess the information pleaded, as required by Fifth Circuit law. See Rougier v. Applied Optoelectronics, Inc. , 2019 WL 6111516, at *11 (S.D. Tex. Mar. 27, 2019).
2. Material misrepresentations or omissions
Brown and SolarWinds further move to dismiss the complaint on the grounds that Plaintiffs failed to sufficiently plead that Defendants engaged in material misrepresentations or omissions. (Dkt. 41, at 11, 38–44); see also Alaska Elec. Pension Fund , 915 F.3d at 981. Brown and SolarWinds state that the complaint fails to attribute the SolarWinds website Security Statement to any individual defendant as required by Section 10(b) and Rule 10b-5 thereunder. (Dkt. 41, at 11, 44). They also argue that the statements Plaintiffs have identified were puffery and would not have misled investors, especially given that SolarWinds warned investors that cybersecurity attacks were likely. (Id. at 11–12, 43–44). Finally, Brown and SolarWinds assert that Plaintiffs’ allegations that SolarWinds lacked a security team are self-defeating, as Plaintiffs likewise state that Thornton-Trump was SolarWinds’ "global security strategist" and Brown was the Vice President of Security Architecture, suggesting the presence of a security team. (Id. at 12, 39–40).
To be held liable for a misstatement or omission under Section 10(b) and Rule 10b-5, the defendant must be the "maker" of the statement, i.e. , "the person or entity with ultimate authority over the statement, including its content and whether and how to communicate it." Janus Cap. Grp., Inc. v. First Derivative Traders , 564 U.S. 135, 142, 131 S.Ct. 2296, 180 L.Ed.2d 166 (2011). Allegations of a material misrepresentation or omission must "specify the statements contended to be fraudulent, identify the speaker, state when and where the statements were made, and explain why the statements were fraudulent." Barrie v. Intervoice-Brite, Inc. , 397 F.3d 249, 256 (5th Cir. 2005) (internal citations and quotations omitted). Plaintiffs have met this standard. While Defendants are correct that company executives are not responsible for every minor statement made in corporate communication, see Magruder v. Halliburton Co. , 359 F. Supp. 3d 452, 462–63 (N.D. Tex. 2018), the complaint plainly asserts that both Brown and Thompson had a direct roll in authorizing the Security Statement on SolarWinds’ website. (See Compl., Dkt. 26, at 18) ("The Security Statement was reviewed and approved by Defendants Brown and Thompson ... [and] the Security Statement[ ] prominently included [a] picture of Defendant Brown welcoming investors and customers to the ‘Security Center[.]’ "); Janus , 564 U.S. at 142, 131 S.Ct. 2296 (Corporate executives who have "ultimate authority over the statement" may be liable regardless of whether they wrote the statement). Plaintiffs have alleged that Brown and Thompson "made" these statements sufficient to survive a motion to dismiss.
Further, while corporate "cheerleading" and puffery are not actionable under securities law, Police & Fire Ret. Sys. of City of Detroit v. Plains All Am. Pipeline, L.P. , 777 F. App'x 726, 730 (5th Cir. 2019) (internal quotation marks and citations omitted), only statements that "contain no concrete factual or material misrepresentation" may be deemed "puffery." Lormand , 565 F.3d at 249 n.14. Defendants point out that "a sincere statement of pure opinion is not an ‘untrue statement of material fact,’ regardless of whether an investor can ultimately prove the belief wrong." Omnicare Inc. v. Laborers Dist. Council Constr. Indus. Pension Fund , 575 U.S. 175, 186, 135 S.Ct. 1318, 191 L.Ed.2d 253 (2015). The alleged misstatements from the Security Statement include assertions that SolarWinds had "a security team [that] focuses on information security, global security auditing and compliance, as well as defining the security controls ..."; the Company "maintains a written Information Security Policy" that employees must acknowledge they have read and understood; "[e]mployees are provided with security training" when they are hired; employees adhered to a password policy; and SolarWinds segmented its networks using "Role Based Access controls," among others. (Compl., Dkt. 26, at 81–85). These are not "subjective opinions" or corporate puffery—they are specific statements of fact. See, e.g., In re Equifax Inc. Sec. Litig. , 357 F. Supp. 3d 1189, 1231 (N.D. Ga. 2019) (holding that statements that the company maintained "a highly sophisticated data information network that includes advanced security, protections and redundancies" were not subjective opinions, while statements such as "I think we are in a very good position now" were opinions).
Defendants’ other alleged misstatements are more difficult to classify. Plaintiffs cite to Brown's statement that one of his focuses is "heavy-duty hygiene," and that SolarWinds was working on "making sure that there is good basic hygiene ...." (Compl., Dkt. 28, at 87–88). For one, "it is well-established that generalized positive statements about a company's progress are not a basis for liability." Nathenson v. Zonagen Inc. , 267 F.3d 400, 419 (5th Cir. 2001). However, when there are differences between the image projected by the speaker and the reality on the ground, especially when an utterance is repeated, the alleged statement can be considered misleading. BP , 843 F. Supp. 2d at 758 (citing Reese v. BP Exploration , 643 F.3d 681, 691 (9th Cir. 2011) ). Brown's repeated statements that the company was focusing on cybersecurity "hygiene," especially when coupled with the surrounding statements, such as how SolarWinds was "putting identity solutions in place," "look[ing] at every log [to] understand when somebody logs in, ... when somebody is trying to gain access to an administrative account" can be considered misleading. (Compl., Dkt. 26, at 87–88). For example, these statements are more akin to statements the Equifax court found to be objective statements ("Equifax employs strong data security and confidentiality standards") than to those the Equifax court found to be opinions ("I think we are in a very good position now."). Equifax , 357 F. Supp. 3d at 1231.
Third, Defendants’ disclosures to customers and investors about the risk of cybersecurity attacks does not force the conclusion that their alleged statements were not false or misleading. Brown and SolarWinds cite statements in their SEC filings where the disclosed SolarWinds "could suffer a loss of revenue and increased costs, exposure to significant liability" if it experiences cyberattacks. (Dkt. 41, at 39). As an example, Defendants cite In re Heartland Payment Systems, Inc. Securities Litigation , where the United States District Court for the District of New Jersey found that Defendant's warning of a security breach made clear that Defendant's statements touting its security measures should not be interpreted to mean that Defendant's security system was invulnerable. No. CIV. 09-1043, 2009 WL 4798148, at *5 (D.N.J. Dec. 7, 2009). However, the logic applied in Heartland does not apply here—in Heartland , the Court was addressing Plaintiff's claims that because the Defendant had suffered a security breach, Defendant must have been lying about the emphasis it placed on maintaining a high level of security. Id. The same is not true here. Plaintiffs are not claiming Defendants’ statements commending their cybersecurity measures must have been false because the attack at issue occurred. Instead, they have alleged separate facts that the cybersecurity measures at the company were not as they were portrayed, such as the "solarwinds123" password incident, the statements of former employees, and Thornton-Trump's presentation. See supra Part III(A)(1).
Finally, Brown and SolarWinds assert that the Security Statement's declaration that the company had a security team was not a misrepresentation, as Thornton-Trump's title was global security strategist, Brown's title was Vice President of Security Architecture, and Brown made a comment included in the complaint referencing his "team." (Dkt. 41, at 12, 40). However, two workers with different titles employed at two different times by the company does not necessarily mean there was a "team." The strength of Defendants’ assertions is about on par with the strength of Plaintiffs’ plausible allegations that former employees stated no such team existed. (Compl., Dkt. 26, at 41–42). The Court is required to accept Plaintiffs’ plausible allegations as true at this stage and finds that this is a factual dispute not appropriate for resolution in a motion to dismiss. For the foregoing reasons, the Court finds that Plaintiffs have adequately alleged misleading material statements.
3. Loss causation
Lastly, Brown and SolarWinds ask the Court to find Plaintiffs have not adequately alleged that the material misstatements or omissions and Plaintiffs’ reliance on them caused Plaintiffs’ loss. (Dkt. 41, at 45). The Fifth Circuit has stated that Plaintiffs must show that "Defendants’ misrepresentations (or omissions) proximately caused the Plaintiffs’ economic loss." Pub. Emps. Ret. Sys. of Mississippi, Puerto Rico Tchrs. Ret. Sys. v. Amedisys, Inc. , 769 F.3d 313, 320–21 (5th Cir. 2014). "To establish proximate causation, a plaintiff must allege that when the ‘relevant truth’ about the fraud began to leak out or otherwise make its way into the marketplace, it caused the price of the stock to depreciate and, thereby, proximately caused the plaintiff's economic harm." Id. (citing Lormand , 565 F.3d at 255 ). Loss causation "can be demonstrated circumstantially by ‘(1) identifying a ‘corrective disclosure’ (a release of information that reveals to the market the pertinent truth that was previously concealed or obscured by the company's fraud); (2) showing that the stock price dropped soon after the corrective disclosure; and (3) eliminating other possible explanations for this price drop, so that the factfinder can infer that it is more probable than not that it was the corrective disclosure—as opposed to other possible depressive factors—that caused at least a ‘substantial’ amount of price drop.’ " Id. (citations omitted). A series of partial corrective disclosures combined with the last two elements may also suffice. Id. at 326. Plaintiffs allege multiple corrective disclosures. First, they note that on December 13, 2020, Reuters reported that SolarWinds was believed to be the source of a hack into U.S. Treasure and Commerce Departments through SolarWinds’ Update Server, and the CISA released an emergency directive to disconnect from SolarWinds’ Orion products, tying the emergency measures to "the Company's deficient cybersecurity practices." (Compl., Dkt. 26, at 89–90). Plaintiffs further allege that on December 14, 2020, SolarWinds disclosed the hack to shareholders announcing cybercriminals "inserted a vulnerability within its Orion monitoring products," that the breach occurred between March and June 2020 and that as many as 18,000 customers had been affected, including multiple U.S. agencies. (Id. at 89–91). As a result of these pronouncements, SolarWinds’ stock tumbled 17%, followed by an additional 8% and 19%. (Id. at 90–92). Plaintiffs allege that "[i]t was foreseeable that Defendants’ materially false and misleading statements and omissions ... would artificially inflate the price of SolarWinds securities and that [the disclosures of the company's cybersecurity failures] would cause the price of SolarWinds’ securities to decline." (Id. at 93).
Brown and SolarWinds claim that "[w]hile these reports may have given an unfavorable impression of SolarWinds’ security protocols, they do not reveal the falsity of any challenged statement. Plaintiff also fails to explain how these disclosures corrected any challenged statement, other than stating that it revealed the truth ‘about the nature and extent of SolarWinds’ security deficiencies.’ " (Dkt. 41, at 47). Plaintiffs aver that loss causation can be demonstrated by circumstantial evidence, and a plaintiff must merely "allege the truth that emerged was ‘related to’ or ‘relevant to’ the defendants’ fraud and earlier misstatements." Amedisys , 769 F.3d at 321. "The test for relevant truth simply means that the truth disclosed must make the existence of the actionable fraud more probable than it would be without that alleged fact, taken as true." Id. Plaintiffs have alleged that SolarWinds’ security measures were deficient in multiple areas, despite Defendants’ statements to the contrary. The "corrective disclosures" at the very least circumstantially suggest that the security breach was more likely than not caused by the company's allegedly deficient security. (See, e.g. , Compl., Dkt. 26, at 91) ("Reuters reported that the Company was previously warned that the password to access the internal server to the Update Server, "solarwinds123," was both incomprehensibly deficient from a security perspective and also publicly available on the internet. Reuters further reported that ... the Company left the malware that was the source of the attack available for download on its Update Server for several days."). The Court finds that Plaintiffs have sufficiently alleged that it is more probable than not that these sorts of corrective disclosures caused the virtually simultaneous drops in the prices of SolarWinds’ securities. Based on the foregoing analysis, the Court will deny Brown and SolarWinds’ motion to dismiss, (Dkt. 41).
B. Thompson's Rule 12(b)(6) Motion
Defendant Thompson filed a separate motion to dismiss to address the allegations in the complaint that reference him specifically. (Dkt. 44, at 7). He asserts that the complaint does not attribute a single false or misleading statement or omission to him, does not allege any particularized facts sufficient to raise a strong inference that Thompson acted with scienter, and does not contain any well-pleaded factual allegations to support a claim against Thompson under Section 20(a) of the Exchange Act. (Dkt. 44, at 6–7). 1. Section 20(a) of the Exchange Act
The Court begins where Thompson ends—with his assertion that the complaint does not support a claim against him pursuant to Section 20(a) of the Exchange Act. Section 20(a) states:
Every person who, directly or indirectly, controls any person liable under any provision of this chapter or of any rule or regulation thereunder shall also be liable jointly and severally with and to the same extent as such controlled person to any person to whom such controlled person is liable, unless the controlling person acted in good faith and did not directly or indirectly induce the act or acts constituting the violation or cause of action.
15 U.S.C. § 78t(a). This argument may be quickly disposed of. Claims for control-person liability under Section 20(a) are "secondary only and cannot exist in the absence of a primary violation." Alaska Elec. Pension Fund , 915 F.3d at 986 (quotations omitted). Thus, if a court finds the pleadings under Section 10(b) and Rule 10b-5 inadequate to state a claim, a claim of control person liability must be dismissed. See, e.g., Indiana Elec. Workers’ Pension Tr. Fund IBEW , 537 F.3d at 545. Thompson's sole objection to control-person liability is that Plaintiffs have not sufficiently plead their claims under Section 10(b) and Rule 10b-5 thereunder, but the Court has already found that Plaintiffs have done so. See supra Part III(A). Therefore, this basis for dismissing the complaint's claims against Thompson is denied.
2. Material misrepresentations or omissions
Thompson also avers that the complaint fails to assert he is the "maker" of any allegedly actionable statement. (Dkt. 44, at 11) (citing Janus , 564 U.S. at 142, 131 S.Ct. 2296 ). As stated above, the "maker" of a statement is "the person or entity with ultimate authority over the statement, including its content and whether and how to communicate it." Janus , 564 U.S. at 142, 131 S.Ct. 2296 ; see also supra Part III(A)(2). Corporate executives may not be held accountable merely because of their position in the company when no allegations are made that the executive had a role in the misleading statement. Goldstein , 340 F.3d at 251. "However, corporate documents that have no stated author or statements within documents not attributed to any individual may be charged to one or more corporate officers provided specific factual allegations link the individual to the statement at issue." Southland , 365 F.3d at 365.
Of the challenged misrepresentations or omissions alleged in the complaint, (see Compl., Dkt. 26, at 81–88), Plaintiffs appear focus on Thompson's role in adopting the company's Security Statement. (See id. ; id. at 18 ("The Security Statement was reviewed and approved by Defendants Brown and Thompson ..."); Dkt. 55, at 17, 48). While Thompson cites Southland in support of his argument that he is not a maker of the security statement, the Court finds that Southland suggests that Plaintiffs have properly alleged him to be a "maker." To satisfy the standard, Plaintiffs needed to provide "specific factual allegations" linking Thompson to the statement. Southland , 365 F.3d at 365. Plaintiffs allege that "[t]he Security Statement was reviewed and approved by Defendants Brown and Thompson," (Compl., Dkt. 26, at 18)—they do not rely solely on Thompson's status as an executive officer to suggest he authorized the statement as Thompson suggests. (See Dkt. 44, at 14–15) (citing Plaisance v. Schiller , No. CV H-17-3741, 2019 WL 1205628, at *2 (S.D. Tex. Mar. 14, 2019) ) (dismissing "attempt to hold Griffin responsible for unattributed corporate statements in the press releases based solely on his title as CFO") ( Colbert v. Rio Tinto PLC , No. 17CIV8169ATDCF, 2019 WL 10960490, at *6 (S.D.N.Y. July 29, 2019) (observing that "Plaintiff cites no authority" for the proposition the corporate title alone equates to attribution)). And unlike Southland , where "none of the statements in the Prospectus cited by the plaintiffs [were] attributed to any of the individual defendants," Southland , 365 F.3d at 375, Plaintiffs attributed the Security Statement to Brown and Thompson.
Thompson argues that the Security Statement was not materially false or misleading. However, the Court has already found that Plaintiffs properly alleged the Security Statement contained material misrepresentations. See supra Part III(A)(2). Therefore, the Court's focus here is whether Plaintiffs alleged Thompson was a "maker" of the statement. The Court will likewise address whether Plaintiffs plead Thompson had the requisite state of mind when it addresses Thompson's scienter-related arguments. See infra Part III(B)(3).
3. Scienter
Finally, Thompson asserts Plaintiffs have failed to plead facts supporting a strong inference that he acted with scienter. (Dkt. 44, at 15–24). Specifically, he argues that Plaintiffs do not plead any facts to demonstrate: (1) Thompson's knowledge or intent while the Security Statement was published; and (2) that the timing of his stock sales supports a finding of scienter. The Court agrees. Unlike Brown, Plaintiffs plead no facts to suggest that Thompson held himself out as an authority on SolarWinds’ cybersecurity measures, other than to broadly allege he focused on cost savings at the expense of cybersecurity. (Compl., Dkt. 26, at 8, 38–39, 56–59, 73, 74, 77). The only specific allegation surrounding Thompson's cost-cutting strategy is that he moved SolarWinds’ engineering offices to Eastern Europe, a place "notorious for cybercrime," but does not allege Thompson was aware of this fact or aware of any potential or real threats that materialized as a result of this move. See, e.g., Municipal Employees’ Retirement System of Michigan v. Pier 1 Imports, Inc. , 935 F.3d 424, 433 (5th Cir. 2019) (vague allegation "that there were amorphous ‘inventory problems’ " but that did "not explain what those problems were" did not support an inference of scienter). These allegations do not create a strong inference that Thompson knew the specific statements made in the Security Statement were false. Indeed, the complaint states "Thompson never said anything about focusing on internal cybersecurity measures" after Thornton-Trump left the company and a former employee "could not recall a time when Defendant Thompson spoke about internal cybersecurity as a priority." (Id. at 44).
Further, unlike Brown, the complaint does not allege Thompson regularly spoke about the cybersecurity measures at SolarWinds in interviews, nor does it allege that Thompson directed investors and customers to the Security Statement. Most notably, unlike Brown, the complaint does not allege that Thompson directed people to the Security Statement even after cybersecurity failures, such as the "solarwinds123" password breach, were revealed. (Compare id. at 20 (noting that Thompson directed customers to the company's "security products" after the "solarwinds123" password breach) with id. at 19 (noting that Brown specifically touted and directed investors and customers to the Security Statement even after the years-long password breach)).
Additionally, regarding Thompson's stock sales, Thompson has provided the Court with a "plausible inference[ ] opposing ... a strong inference of scienter." See Alaska Elec. Pension Fund , 915 F.3d at 982. Plaintiff alleges Thompson's sale of 39.16% of his SolarWinds shares, the majority during the period between when SolarWinds was advised about the breach and when the breach was publicly announced—is suspicious and should be taken as evidence he knew SolarWinds’ cybersecurity measures were severely lacking. (Dkt. 55, at 68) (citing Compl., Dkt. 26, at 78–80); Cent. Laborers’ Pension Fund v. Integrated Elec. Servs. Inc. , 497 F.3d 546, 552–53 (5th Cir. 2007) ("Insider trading can be a strong indicator of scienter if the trading occurs at suspicious times or in suspicious amounts."). However, Thompson offers the competing assertion that Thompson sold these shares shortly ahead of his previously announced departure from the company and executed according to a 10b5-1 plan that was put in place in August 2020, before SolarWinds was purportedly given notice of the breach. (Dkt. 55, at 15–16). Bach v. Amedisys, Inc. , No. CV 10-00395-BAJ-RLB, 2016 WL 4443177, at *12 (M.D. La. Aug. 19, 2016) (finding COO's sale of "most" of his stock holdings five weeks prior to his resignation did not raise an inference of scienter, especially because "insider training cannot create a strong inference of scienter ... [but can only] ‘meaningfully enhance’ other scienter allegations").
Plaintiffs also assert the fact that SolarWinds’ new CEO, Ramakrishna, identified security issues within months of joining SolarWinds is evidence that Thompson was, at the very least, reckless in not noticing the same cybersecurity issues. (Dkt. 55, at 70–71) (citing Compl., Dkt. 26, at 58). However, again, there is an equally plausible, if not more plausible, competing inference. While Plaintiffs do not state when Ramakrishna joined SolarWinds, given the timing of Thompson's departure, the Court presumes Ramakrishna began his role at SolarWinds around the time of the breach at issue or shortly thereafter. The complaint demonstrates that the breach was widely reported on and, presumably, Ramakrishna was aware of the breach when he began his role as CEO. Therefore, the Court finds it more plausible that Ramakrishna's focus on identifying cybersecurity issues at the start of his tenure was because of his knowledge about the breach, not because the cybersecurity issues were so glaring.
Finally, Plaintiff focuses heavily on Thornton Trump's presentation as evidence of Thompson's scienter. But, as the Court has already stated, "Plaintiffs’ allegations regarding Thornton-Trump's presentation are not, when viewed alone, particularly strong allegations of Defendants’ mental state at the time the alleged misrepresentations were made." See supra Part III(A)(1). Because the other allegations of scienter against Thompson are lacking—unlike the allegations against Brown—the Court finds Plaintiffs’ assertions that Thompson must have known about Thornton-Trump's presentation do not weigh heavily in favor of a strong inference of scienter. For the foregoing reasons, the Court finds that Plaintiffs have failed to effectively plead scienter as to Thompson and thus the Court must grant Thompson's motion to dismiss, (Dkt. 44). However, the Court will grant Plaintiffs leave to amend. See infra Part III(D).
C. Silver Lake and Thoma Bravo's Motions to Dismiss
Plaintiffs allege that Silver Lake and Thoma Bravo, two private equity firms, owned over 80% of SolarWinds’ stock (40% each), permitting them to seat three directors each on SolarWinds’ board of directors. (Compl., Dkt. 26, at 11–12). They assert Silver Lake and Thoma Bravo "sacrificed cybersecurity to generate short-term profits" for themselves as principal owners of SolarWinds. As such, Plaintiffs claim Silver Lake and Thoma Bravo violated Section 20(a) of the Exchange Act because they were controlling persons of the company who had direct involvement in the day-to-day operations of SolarWinds and had the power to control the "materially false and misleading public statements about SolarWinds during the Class Period." (Id. at 99–102). Both Silver Lake and Thoma Bravo filed motions to dismiss the complaint. (Dkts. 42, 45). In their motions, both Silver Lake and Thoma Bravo argue that Section 20(a) requires and primary violation of the Exchange Act, which Plaintiffs have failed to allege. (Dkt. 42, at 4–5; Dkt. 45, at 21); In re ArthroCare Corp. Secs. Litig. , 726 F. Supp. 2d 696, 729 (W.D. Tex. 2010) (noting that to state a Section 20(a) control-person claim, the plaintiff must allege (1) a primary violation by a controlled person; and (2) direct or indirect control of the primary violator by the defendant). The Court has already found that Plaintiffs have alleged a primary violation of the Exchange Act pursuant to Section 10(b) and Rule 10b-5 thereunder. See supra Part III(A), (B)(1). Therefore, the Court turns to the second issue and the crux of both motions—whether Plaintiffs have properly alleged Silver Lake and Thoma Bravo have direct or indirect control of the primary violator.
Silver Lake and Thoma Bravo's arguments can be summarized: First, they both argue that Plaintiffs impermissibly implied that both entities, as minority investors in SolarWinds, acted in concert with one another to become a quasi-majority shareholder and assert control over SolarWinds, while failing to ever explicitly allege that the two entities did indeed act in concert. (Dkt. 42, at 6–7; Dkt. 45, at 12–14). Second, Silver Lake and Thoma Bravo both argue that Plaintiffs have failed to allege that the private equity firms exercised any actual control over SolarWinds’ operations. (Dkt. 42, at 7–10; Dkt. 45, at 14–21).
Silver Lake takes issue with Plaintiffs addressing Silver Lake Group, LLC, and Silver Lake Technology Management, LLC, as a single entity. (Dkt. 42, at 5–6). However, as Plaintiffs point out, Silver Lake itself stated that "three funds managed by SLTM collectively owned approximately 40% of SolarWinds’ outstanding stock during the class period," (id. at 3), but fails to allege any specific facts to demonstrate that the Silver Lake entities named in the complaint are not owners of these shares.
Courts in the Fifth Circuit apply a "relaxed" and "lenient" pleading standard for evaluating whether a plaintiff has sufficiently alleged a claim for control person liability. Id. A plaintiff is "not required to plead facts showing that the defendant acted in bad faith." One Longhorn Land I, L.P. v. Defendant FF Arabian, LLC , No. 4:15CV203-RC-CMC, 2015 WL 7432360, at *2 (E.D. Tex. Nov. 23, 2015) (citing in re Enron Corp. Sec., Derivative & ERISA Litig. , 258 F. Supp. 2d 576, 598 (S.D. Tex. 2003) ). In the Fifth Circuit, plaintiffs need not allege that the controlling person actually participated in the underlying primary violation to state a claim for control person liability. See G.A. Thompson & Co. v. Partridge , 636 F.2d 945, 958 (5th Cir. 1981) (rejecting as a requirement for a prima facie case an allegation that the controlling person actually participated in the underlying primary violation). Nevertheless, a plaintiff needs to allege some facts beyond a defendant's position or title that show the defendant had actual power or control over the controlled person. Dennis v. Gen. Imaging, Inc. , 918 F.2d 496, 509–10 (5th Cir. 1990).
The Court finds that Plaintiffs have sufficiently alleged Silver Lake and Thoma Bravo acted in concert to control SolarWinds. Texas district courts have held that bare allegations that shareholders acted jointly without allegations of how the shareholders worked together, either separately or jointly, are not sufficient. In re Kosmos Energy Ltd. Sec. Litig. , 955 F. Supp. 2d 658, 676 (N.D. Tex. 2013). However, here, Plaintiffs have specified the activities Silver Lake and Thoma Bravo allegedly engaged in together to exert control over SolarWinds. (See Dkt. 55, at 79) (noting that Silver Lake and Thoma Bravo "acted in unison, buying and taking the Company private together in 2016—each paying $1.3 billion for their respective halves," "taking the Company public together again in 2018," "retaining equal amounts of shares of the Company," and selling "their SolarWinds shares after the 2018 IPO ... together, on the same day, and in nearly identical amounts") (citing Compl., Dkt. 26, at 10–12, 79). These allegations that Silver Lake and Thoma Bravo acted jointly to exercise control over SolarWinds are sufficient to survive a motion to dismiss.
D. Leave to Amend
Plaintiffs requested that, should the Court grant any relief under the motions to dismiss, that it grant leave to amend the complaint. (Dkt. 55, at 82). "The court should freely give leave when justice so requires." Fed. R. Civ. P. 15(2). Rule 15(a) "requires the trial court to grant leave to amend freely, and the language of this rule evinces a bias in favor of granting leave to amend." Lyn–Lea Travel Corp. v. Am. Airlines , 283 F.3d 282, 286 (5th Cir. 2002) (citation and internal quotation marks omitted). As such, the Court will allow Plaintiffs to re-plead their allegations of scienter against Thompson.
IV. CONCLUSION
For these reasons, IT IS ORDERED that Brown and SolarWinds’ motion to dismiss, (Dkt. 41), Silver Lake's motion to dismiss, (Dkt. 42), and Thoma Bravo's motion to dismiss, (Dkt. 45), are DENIED .
IT IS FURTHER ORDERED that Thompson's motion to dismiss, (Dkt. 44), is GRANTED.
IT IS FINALLY ORDERED that should Plaintiffs wish to amend their complaint against Thompson, they shall file their amended complaint on or before April 18, 2022.