| Commitments and Contingencies | 13. Commitments and Contingencies Litigation On September 10, 2019, ZapFraud, Inc. (ZapFraud), filed a complaint in the U.S. District Court for the District of Delaware against the Company’s wholly owned subsidiaries, Mimecast North America, Inc., Mimecast Services Limited and Mimecast UK Limited. The complaint alleges that certain elements of the Company’s email security technology infringe a patent held by ZapFraud. ZapFraud seeks an award for damages in an unspecified amount, attorney’s fees and injunctive relief. On November 22, 2019, the Company filed a Motion to Dismiss for Failure to State a Claim. On April 24, 2020, ZapFraud amended its complaint by alleging that the Company’s email security technology infringes an additional patent that was recently issued to ZapFraud. On May 22, 2020, the Company filed a revised Motion to Dismiss for Failure to State a Claim that responds to ZapFraud’s amended complaint. On September 18, 2020, the court held a hearing on the motion and on November 20, 2020 the magistrate judge issued a recommendation that the court grant the Company’s motion. On December 11, 2020, ZapFraud filed objections to the magistrate judge’s recommendation and the Company responded to those objections on January 4, 2021. On March 25, 2021, the court adopted the recommendation of the magistrate judge, and granted the Company’s motion to dismiss. On September 22, 2021, the decision of the district court to adopt the magistrate judge’s recommendation became final and non-appealable. On January 14, 2022, in connection with the Transaction, a purported individual shareholder of Mimecast filed a complaint in the United States District Court for the Southern District of New York, captioned O’Dell v. Mimecast Limited, et al. , No. 1:22-cv-00367, naming as defendants the Company and each member of the Company’s Board of Directors as of the date of the Transaction Agreement (O’Dell). Between January 21, 2022 and January 25, 2022, three additional cases were filed by purported individual shareholders of Mimecast in the same court, captioned Whitfield v. Mimecast Limited, et al. , 1:22-cv-00579 (Whitfield), Smith v. Mimecast Limited, et al. , No.1:22-cv-00630 (Smith), and Hutchinson v. Mimecast Limited, et al. , No. 1:22-cv-00665 (Hutchinson), and on January 23, 2022, one additional case was filed by a purported individual shareholder of Mimecast in the United States District Court for the Eastern District of New York, captioned Mendoza v. Mimecast Limited, et al. , No. 1:22-cv-00384 (Mendoza). The O’Dell, Whitfield, Smith, Hutchinson, and Mendoza cases, and any similar subsequently filed cases involving the Company, the Company’s Board of Directors or any committee thereof and/or any of the Company’s directors or officers relating directly or indirectly to the Transaction Agreement, the Transaction or any related transaction, are referred to as the Transaction Litigations. The Transaction Litigations filed to date generally allege that the preliminary proxy statement filed by the Company with the Securities and Exchange Commission (SEC) on January 13, 2022 in connection with the Transaction is materially incomplete and misleading by allegedly failing to disclose purportedly material information relating to the sale process leading to the Transaction, Company financial projections, and the analyses performed by Citigroup Global Markets Inc., financial advisor to the Board of Directors and the special committee of the Board of Directors, in connection with the Transaction. The Transaction Litigations assert violations of Section 14(a) of the Securities Exchange Act of 1934 (the Exchange Act), Rule 14a-9 promulgated thereunder, and 17 C.F.R. § 244.100 against Mimecast and the members of the Company’s Board of Directors and violations of Section 20(a) of the Exchange Act against the Company’s Board of Directors. The Transaction Litigations seek, among other things: an injunction enjoining consummation of the Transaction, rescission of the Transaction Agreement, a declaration that the Company and the Company's Board of Directors violated Sections 14(a) and 20(a) of the Exchange Act and Rule 14a-9 promulgated thereunder, an order directing the Company's Board of Directors to comply with the Exchange Act, damages, costs of the action, including the plaintiff's attorneys' fees and experts' fees and expenses, and any other relief the court may deem just and proper. The Company cannot predict the outcome of each Transaction Litigation, nor can the Company predict the amount of time and expense that will be required to resolve each Transaction Litigation. The Company believes that the O’Dell, Smith, Hutchinson, Whitfield, and Mendoza cases are without merit and the Company and its directors intend to vigorously defend against each Transaction Litigation and any subsequently filed similar actions. It is possible that additional similar complaints could be filed in connection with the Transaction. If additional similar complaints are filed, absent new or significantly different allegations, Mimecast will not necessarily disclose such additional complaints or filings. From time to time, the Company may be involved in legal proceedings and subject to claims in the ordinary course of business. Although the results of these proceedings and claims cannot be predicted with certainty, the Company does not believe the ultimate cost to resolve these matters would individually, or taken together, have a material adverse effect on the Company’s business, operating results, cash flows or financial condition. Regardless of the outcome, such proceedings can have an adverse impact on the Company because of defense and settlement costs, diversion of resources and other factors, and there can be no assurances that favorable outcomes will be obtained. Except as described above, the Company was not subject to any material legal proceedings during the nine months ended December 31, 2021 and 2020, and, to the best of its knowledge, except as described above, no material legal proceedings are currently pending or threatened. Indemnification In the ordinary course of business, the Company provides indemnifications of varying scope and terms to customers, business partners, vendors, lessors, directors, officers, employees, and other parties with respect to certain matters. Indemnification may include losses from intellectual property infringement claims made by third parties, the Company’s breach of certain agreements, and other liabilities relating to or arising from the Company’s acts or omissions. These indemnification provisions may survive termination of the underlying agreement and the maximum potential amount of future indemnification payments may not be subject to a cap. It is not possible to determine the maximum potential loss under these indemnification provisions due to the Company’s limited history of prior indemnification claims and the unique facts and circumstances involved in each particular indemnification. Based on historical experience and information known as of December 31, 2021 and March 31, 2021, the Company has not incurred any costs for the above indemnities. In certain circumstances, the Company warrants that its services will perform in all material respects in accordance with its standard published specification documentation in effect at the time of delivery of the services to the customer for the term of the agreement. To date, the Company has not incurred significant expense under its warranties and, as a result, the Company believes the estimated fair value of these agreements is immaterial. Security Incident In January 2021, the Company became aware of a security incident later determined to be conducted by the same sophisticated threat actor responsible for the SolarWinds supply chain attack. The Company immediately launched an internal forensic investigation. The investigation was supported by leading third-party forensics and cyber incident response experts at Mandiant, a division of FireEye, Inc., and in coordination with law enforcement to aid their investigation into this threat actor. During the investigation, the Company learned that the threat actor used the SolarWinds supply-chain compromise to gain access to part of its production grid environment. Using this entry point, the threat actor accessed certain Mimecast-issued certificates and related customer server connection information. The threat actor also accessed a subset of email addresses and other contact information, as well as encrypted and/or hashed and salted credentials. In addition, the threat actor accessed and downloaded a limited number of the Company’s source code repositories, but the Company found no evidence of any modifications to its source code nor does it believe there was any impact on its products. As the investigation progressed, the Company issued a series of advisories to affected customers, including recommended precautionary steps to mitigate risk and, in some cases, to address regulatory requirements. The forensic investigation was completed in March 2021 and the Company has eliminated the threat actor’s access to its environment. The Company has taken a number of actions to prevent future access to its environment and will continue to monitor for threats and take precautionary steps as needed. The Company is subject to risk and significant uncertainties as a result of this security incident, including those described in Part II, Item 1A, “Risk Factors” in this Quarterly Report on Form 10-Q. While the investigation is complete, there can be no assurance as to what the overall impact of these events will be. These types of events often have cascading impacts that unfold over time and may result in a loss of revenue, a diminution of the Company’s business prospects and incremental costs, including costs associated with litigation or investigations by regulatory authorities, any of which may adversely impact the Company’s financial results. The Company has incurred and expects to incur significant costs related to the security incident. For the year ended March 31, 2021, the Company recorded $ 0.8 million of pre-tax expenses related to the security incident, net of anticipated insurance recoveries. For the three and nine months ended December 31, 2021 , expenses related to the security incident were no t material. Expenses include costs of the forensic investigation, remediation costs, and legal and other professional services. It is also expected that the Company will continue to incur costs related to its response, remediation, and investigatory efforts relating to this security incident. While the Company has cyber insurance coverage, the amount of such insurance may be insufficient to compensate for any expenses or losses that may result from the security incident or the insurance carrier may refuse to reimburse the Company for certain costs under the terms of the policy. The full scope of the costs and related impacts of the security incident, including the availability of insurance to offset some of these costs, cannot be estimated at this time. |
