Last week, the Wall Street Journal reported that this past spring Google had exposed thousands of the Google+ social network users’ private data and then opted to withhold disclosure of the incident because of concerns that doing so would attract regulatory scrutiny and harm the company’s reputation. Following the news reports, questions were immediately raised about a possible SEC investigation of the incident. And now, these developments have drawn two new securities class action lawsuits in which shareholders of Alphabet, Google’s parent company, allege that the company misled investors about the adequacy of the company’s security measures to protect user data from theft and security breaches. As discussed below, the new lawsuits bring together several securities litigation filing trends involving data and privacy-related issues.
In a front page October 8, 2018 article entitled in the newspaper’s print edition “Google Hid Data Breach for Months” (here), the Wall Street Journal reported that in March 2018, Google discovered a software flaw that between 2015 and March 2018 had allowed outside developers to access personal profile data of users of the Google+ social media site, including the data of users who had not opted to share their data publicly. In tests, the company determined that the data of nearly half of a million users had been exposed. The profile data that was exposed included full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status.
Following discovery of the glitch, the company’s legal and policy staff drafted a memo for senior executives. According to the Journal article, among other things, the memo advised that disclosing the incident would likely trigger “immediate regulatory interest.” The memo also reflected internal analysis that the incident had not crossed any of the thresholds in the company’s internal guidelines for disclosure. A council of top executives tasked to oversee key decisions relating to privacy decided not to disclose the incident. The Journal article also reported that CEO Sundar Pichai was briefed on the internal committee’s decision not to notify users after the council reached its decision.
On October 11, 2018, two shareholder lawsuits were filed relating to the incident; one was filed in the Eastern District of New York (complaint here) and one was filed in the Northern District of California (complaint here). Both lawsuits were filed against the company; Sundar Pichai, the company’s CEO; and Ruth Porat, the company’s CFO. The Eastern District of New York lawsuit purports to be filed on behalf of Alphabet investors who purchased company securities between April 24, 2018 and October 10, 2018. The Northern District of California lawsuit purports to represent a class of persons who purchased company securities between April 23, 2018 and October 7, 2018.
Both complaints refer to the Wall Street Journal article at length in describing the Google+ user data exposure. In asserting supposed violations of the federal securities laws, the Eastern District of New York lawsuit alleges that the defendants made false or misleading statements or failed to disclose that “(1) Google exposed the private data of hundreds of thousands of Google+ social network users; (2) Google actively concealed this data breach for several months; (3) this conduct violated Google’s purported data privacy and security policies; (4) discovery of the foregoing conduct could foreseeably subject Alphabet to heightened regulatory scrutiny; and (5) as a result, Alphabet’s public statements were materially false and misleading at all relevant times.”
The Northern District of California lawsuit alleges that the defendants made false or misleading statements or failed to disclose that “(1) the Company’s security measures had failed recently and massively, as Google had exposed the private data of hundreds of thousands of users of Google+ to third parties; (2) damage to the Company’s reputation and operating results and loss of customers from this failure of the Company’s security measures were imminent and inevitable; (3) the Company’s security protections did not shield personal user data against theft and security breaches; and (4) the Company’s security measures had been breached due to employee error, malfeasance, system errors or vulnerabilities.”
Both complaints allege that Alphabet’s share price declined on the news of the Google+ user data exposure, although the allegations differ slightly about the magnitude of the alleged decline. The Eastern District of New York complaint alleges that in the two trading days following the news, Alphabet’s market capitalization declined by approximately $10 billion.
The new securities suits against Alphabet bring together several different recent securities class action lawsuit filing trends. At the most general level, the new Alphabet lawsuits represent examples of a phenomenon I have described as “event-driven securities suits.” These types of lawsuits, by contrast to securities suits in the past that were based on accounting or financial misrepresentations, are instead based on operational events at the company. An example of this type of lawsuit is the Grenfell Tower fire-related securities lawsuit that was filed against Arconic. First comes the event, then comes the securities lawsuit. In this case, first came the news of the data exposure, then came the securities suits.
The new Alphabet securities suits are also examples of another securities lawsuit filing trend, the filing of lawsuits following the disclosure of a data breach. Commentators had long been predicting that we could expect a wave of these kinds of securities lawsuits, but for a long time at least the predicted lawsuits failed to materialize. However, more recently, there have been a number of these kinds of data breach-related securities suits filed. Just in the last few days, there have been data breach-related securities lawsuits filed against online education company Chegg (as described here) and Chinese hotel management company Huazhu Group (here).
Until recently, data breach news was relatively unlikely to draw a securities suit because in most cases the disclosure of a data breach did not trigger a stock price decline. This began to change last year, when massive data breach disclosures at Yahoo and Equifax first caused the companies’ share prices to decline and then drew securities class action lawsuits.
The data breach-related securities lawsuits filed in just the last few days – including the new lawsuits against Alphabet – also included stock price declines. In any event, by contrast to the past, plaintiffs’ lawyers seem more willing to file securities lawsuits following data breach disclosures.
There is an important sense in which the new Alphabet lawsuits are different than the prior data breach-related securities lawsuits, and that is that the events involved in the Alphabet lawsuit did not involve a data breach. The exposure of the Google+ user data did not involve a hack or an intrusion. There really was no breach as such at all. Instead, the Google+ code had a weakness or vulnerability that allowed the user data to be exposed to third party developers. (Interestingly, in its investigation of the flaw, Google did not find any evidence that any of the developers improperly used or even accessed the user data.) So in that sense, it is inaccurate to describe the new Alphabet lawsuits as data breach lawsuits. It might be more accurate to describe them as data exposure-related lawsuits.
This distinction between data breach and data exposure highlights another securities class action litigation trend that the new Alphabet lawsuits represent – that is, the recent rise of privacy-related securities class action lawsuits. The privacy concern is related to but different from the data breach concern. In the data breach-related lawsuits, the alleged harm is based on the failure to protect user data from breach or intrusion. In the privacy-related lawsuits, the concern is not a breach or intrusion, it is the way the defendant company made use of user information, with particular concern about users’ confidentiality interests.
An example of a recent privacy-related securities lawsuit is the lawsuit filed earlier this year against Facebook following the news of the Cambridge Analytica debacle. The new Alphabet lawsuits also represent examples of these kinds of lawsuits, based as they are on allegations not of a hacking or intrusion, but based rather on the revelations of the exposure of users’ confidential information.
As I detailed in a recent post, privacy issues are a growing area of corporate concern and a potentially significant area for emerging D&O claims. The recent Alphabet lawsuits underscore the importance of privacy-related issues and the risk that privacy concerns can (and likely will) lead to D&O claims.
The Alphabet lawsuits have only just been filed and it is far too early to tell how they will fare. It could be argued that both of the complaints read more like mismanagement lawsuits, rather than misrepresentation lawsuits. However, the plaintiffs will try to get as much mileage as they can out of the fact that the defendants allegedly made a conscious decision to withhold disclosure of the Google+ user data exposure.
One final thought about this lawsuit has to do with the magnitude of the data compromise. The Google+ data exposure apparently involved the information of about a half of a million users. By contrast, the data breach Facebook announced several days ago involved the information of as many as 50 million users (although the company has recently ratcheted the number down to 30 million). The Yahoo and Equifax data breaches involved the information of hundreds of millions of users. The difference in scale between and among these various incidents is striking. Of course, the Google+ data exposure is still a concern to the social network’s users, even if fewer people’s information was compromised.
But though much smaller, the Google+ data exposure still drew a securities suit. The data exposure also drew a front page article in the Wall Street Journal. What made the Google+ incident newsworthy, and arguably what led to the lawsuits, was the company’s decision to withhold disclosure of the data incident. It is worth asking whether the incident would have drawn anywhere near the level of scrutiny or criticism if the company had just gone ahead and disclosed the data incident when it had been discovered last spring, especially given that the company found no evidence that any third-party developer misused or even accessed the user information. As they used to say back in the days of Watergate, it isn’t the crime, it is the cover-up.
In any event, all signs are that we can expect further lawsuits alleging data breach, data exposure and privacy-related issues. Strap your helmets on, I think this could be a rough ride.
No Changes Any Time Soon on Quarterly Reporting: As I noted in a blog post at the time, President Trump made some waves in August by suggesting (in one of his famous early morning Tweets) the elimination of quarterly reporting, in favor of a system of semiannual reports. In a statement at the time that seemed to leave the door open to the idea of doing away with quarterly reporting, SEC Chair Jay Clayton said that the SEC “continues to study public reporting requirements.”
Now, the Cooley law firm’s Pubco blog reports that at an October 11, 2018 event, Clayton said that while he is open to the idea of changing reporting requirements for smaller companies, “I don’t think quarterly reporting is going to change for our top names anytime soon.” The Wall Street Journal, which also reported on Clayton’s comments, said that Clayton told reporters after the event that investors seemed satisfied with quarterly reporting and less frequent reporting could be jarring. Clayton reportedly also noted that in some countries where public companies don’t have to report earnings every three months, most firms still provide the information.
Oktoberfest (Not That One, The One in Michigan): The Oktoberfest celebration in Munich is an annual event that draws millions of visitors to the city every year. I am fortunate to have been able to attend the event once, a few years back. Sadly, I wasn’t able to go to Munich this year for that city’s famous event. But I did attend Oktoberfest this past weekend – not the one in Munich, the other one. You know, the one in Pentwater, Michigan. The Lake Michigan city’s October celebration may not be as famous as the one in Munich, but unlike the one in Munich, the one in Pentwater does include a Classic Car and Hot Rod show. The city’s October event marks the final end of the season for the lakeside village as well. After Oktoberfest, the curtain comes down and winter looms ahead.