A recent decision by the U.S. Court of Appeals for the Ninth Circuit offers potential lessons for both companies and their securities defense counsel.
In In re Alphabet, Inc. Sec. Lit., 1 F.4th 687 (9th Cir. 2021), the plaintiffs alleged that Alphabet – Google’s parent company – failed to disclose that a securities glitch in the Google+ social network had left the private data of hundreds of thousands of users exposed to third-party developers and that Google+ was plagued by other security vulnerabilities. Google discovered these issues in early 2018 and remediated them. In October 2018, however, the Wall Street Journal published a lengthy story about the Google+ issues and how the company had decided not to tell the public about them during a time when technology companies were under regulatory scrutiny for their handling of customer data. Google responded with a blog post acknowledging what had happened and announcing that it was shutting down the Google+ social network. Alphabet’s stock price fell following these disclosures and a securities class action was filed shortly thereafter.
The district court dismissed the case, finding that the plaintiffs failed to adequately plead the existence of material misstatements and scienter. On appeal, however, the Ninth Circuit reversed the decision as to some of the claims.
Most importantly, the panel considered whether Alphabet’s Form 10-Qs issued in April 2018 and July 2018 were materially misleading. The risk disclosures incorporated into those filings “warned, among other things, that even unfounded concerns about Alphabet’s ‘practices with regard to the collection, use, disclosure, or security of personal information or other privacy related matters’ could damage the company’s ‘reputation and adversely affect [its] operating results.'” While some courts have questioned whether risk disclosures can ever form the basis for a securities fraud claim because they are inherently prospective in nature, the Ninth Circuit previously has held that if risk disclosures do not alert the reader that the described risks already have come to fruition they may be actionable.
Alphabet argued that there was a key factual difference between its case and the Ninth Circuit precedent: by the time the Form 10-Qs were issued, Google already had remediated the problem. Therefore, the company had no affirmative duty to disclose a problem that no longer existed. The panel disagreed, finding that because “Google’s business model was based on trust, the material implications of a bug that improperly exposed user data for three years were not eliminated merely by plugging the hole in Google+’s security.” Moreover, Google also had discovered other security vulnerabilities that led to the decision to shut down the whole platform. Under these circumstances, the panel held that Google needed to update its risk factors if they wanted to avoid making materially misleading statements. (The panel also found that the plaintiffs had adequately alleged the defendants’ scienter as to these risk factors.)
In addition, the plaintiffs brought claims under all three subsections of Rule 10b-5. That is to say, the plaintiffs alleged the defendants (a) made material misstatements under Rule 10b-5(b), and (b) disseminated and approved material misstatements and engaged in a course of conduct to conceal the truth from investors under under Rule 10b-5(a) and Rule 10b-5(c) (often referred to as “scheme liability”). On appeal, the plaintiffs argued that the district court failed to address their scheme liability claims and therefore erred in dismissing them. Alphabet countered that the plaintiffs had waived those claims by not raising them in their opposition to Alphabet’s motion to dismiss and, in any event, the scheme liability claims were duplicative of the material misstatement claims.
The panel disagreed. It noted that Alphabet’s motion to dismiss had not specifically targeted the scheme liability claims, so the plaintiffs could not have waived those claims in its opposition. Moreover, the scheme liability claims were not merely duplicative. Under Lorenzo – a 2019 decision by the U.S. Supreme Court – it was possible for the plaintiffs to bring separate “scheme liability” claims even if the underlying conduct involved material misstatements. Accordingly, the panel reversed the dismissal of all of the plaintiffs’ claims brought under Rule 10b-5(a) and (c).
Holding: Reversed in part, affirmed in part, judgment vacated, remanding for further proceedings.
Notes: (1) Companies headquartered in the Ninth Circuit will need to think carefully about the scope of their disclosures. Merely by disclosing the risk of data security issues, Alphabet apparently also was required to disclose any material data security issues that had arisen in the past and were already resolved. The panel’s view of a company’s duty of disclosure arguably goes well beyond what other courts have found Section 10(b) and Rule 10b-5 to require.
(2) Securities defense counsel are now on notice that they must separately and specifically address scheme liability claims in the motion to dismiss or risk the court finding that they were unopposed.
(3) The defendants moved for rehearing or rehearing en banc, which was denied on July 23, 2021. Then, last week, the defendants filed a motion to stay mandate pending the filing of a petition for writ of certiorari to the U.S. Supreme Court. Stay tuned.