In a very interesting June 16, 2021 opinion, the Ninth Circuit reversed in part the district court’s dismissal of the privacy and cybersecurity-related securities class action lawsuit filed against Google parent Alphabet, Inc., relating to the company’s discovery of, and decision not to disclose, a software vulnerability that exposed the user data of nearly half a million users of the Google+ social media site. The appellate court’s decision, a copy of which can be found here, could represent a significant development in the evolution of cybersecurity and privacy-related securities litigation.
In a front-page October 8, 2018 article, entitled “Google Hid Data Breach for Months” in the Wall Street Journal’s print edition (here), the newspaper reported that in March 2018 Google discovered a software flaw (referred to in the securities lawsuit complaint as the Three Year Bug) that between 2015 and March 2018 had allowed outside developers to access the personal profile data of users of the Google+ social media site, including the data of users who had not opted to share their data publicly. In tests, the company determined that the data of nearly half a million users had been exposed. The exposed profile data included full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status. The investigation into the Three Year Bug also detected other shortcomings in Google’s security system, including other previously unknown vulnerabilities (referred to in the complaint as the Privacy Bug).
Following discovery of the bug, the company’s legal and policy staff drafted a memo (referred to in the complaint as the Privacy Bug Memo) for senior executives. According to the Journal article, among other things, the memo advised that disclosing the incident would, in light of the Congressional investigations relating to the Facebook/Cambridge Analytica matter, likely trigger “immediate regulatory interest” and perhaps draw Google into the Facebook/Cambridge Analytica spotlight. The memo also reflected the internal analysis that the incident had not crossed any of the thresholds in the company’s internal guidelines for disclosure. A council of top executives tasked with overseeing key decisions relating to privacy decided not to disclose the incident. The Journal article also reported that Google CEO Sundar Pichai was briefed on the council’s decision not to notify users after the council reached its decision. As the complaint subsequently alleged, the company chose a strategy of nondisclosure.
Following the publication of the Journal article, the company’s share price declined, and there were several public statements by members of Congress condemning Alphabet for failing to disclose the information.
As discussed here, shortly after the Journal article’s publication, plaintiff shareholders filed a series of securities class action lawsuits, which were later consolidated in the Northern District of California. The complaint names as defendants Alphabet and related entities, as well as certain of Alphabet’s directors and officers. The defendants moved to dismiss the plaintiff’s complaint; the district court granted the motion, and the plaintiff appealed.
The June 16, 2021 Opinion
In a 38-page June 16, 2021 opinion written by Judge Sandra Segal Ikuta for a unanimous three-judge panel, the Ninth Circuit reversed in part the district court’s dismissal. The appellate court concluded that, contrary to the district court, the complaint adequately alleged that two statements Alphabet made in its quarterly reports omitted material facts necessary to make the statements not misleading, and that the omissions were material. The appellate court also concluded that the plaintiff had adequately pled scienter with respect to both statements. The appellate court upheld the district court’s dismissal with respect to ten other alleged misstatements on which the plaintiff sought to rely.
In the company’s April 23, 2018 and June 30, 2018 10-Qs, the company made no disclosures about the Three Year Bug or the Privacy Bug, but in each of the filings, the company said “There have been no material changes to our risk factors since our Annual Report on Form 10-K for the year ended December 31, 2017.”
The appellate court said with respect to these statements that, given that the filings were made “after the detection of the cybersecurity issues and after internal deliberation based on the Privacy Bug Memo, and during the growing scrutiny following the Cambridge Analytica scandal, the complaint plausibly alleges that the omission of any mention of the Three-Year Bug or the other security vulnerabilities made the statements in each Form 10-Q materially misleading to a reasonable investor and significantly altered the total mix of information available to investors.”
The appellate court also found that the plaintiff had plausibly alleged that the omission was material, noting that in Alphabet’s 2017 10-K the company had warned of the harms that could follow from the detection and disclosure of security vulnerabilities, and that public statements of company executives also “demonstrated the importance of user trust and public perceptions of security and privacy practices.” The Privacy Bug Memo itself, the court noted, “warned of the significant consequences of the problems discovered and their disclosure.” The market reaction and the media coverage of the vulnerability’s revelation also supported the materiality of the omission. Finally, the appellate court noted that the SEC’s 2018 statement and guidance on cybersecurity disclosures also supports the conclusion that the omission was material. The court concluded that the omission of the Privacy Bug from the 10-Q statements “significantly altered the total mix of information available for decisionmaking by a reasonable investor.”
The appellate court also concluded that the complaint’s allegations, taken as a whole, “raise a strong inference that [defendant Larry] Page, and therefore Alphabet, knew about the Three-Year Bug, the Privacy Bug, and the Privacy Bug Memo, and that Alphabet intentionally did not disclose this information in its 10-Q statements.” The Memo “informed senior executive leadership at Google of the scope of the problem, warned of the consequences of its disclosure, and presented Google leadership with a clear decision on whether to disclose the problems.”
The complaint, the appellate court found, raises a strong inference that Page was aware of the Three-Year Bug and the other vulnerabilities before he signed the April 2018 10-Q. The court drew this inference from Page’s role and from the fact that Google CEO Sundar Pichai was aware of the vulnerabilities and of the memo. Pichai’s and Page’s roles and the importance of the information raise “strong inferences that Pichai informed Page.” The competing inference – that Pichai concealed “the largest data-security vulnerability in the history of the two Companies whose existence depends on data security” from the CEO of Alphabet at a time when social media networks were under immense regulatory and governmental scrutiny – “is not plausible.”
The appellate court concluded that “there is a strong inference that Page had the requisite knowledge, which can be imputed to Alphabet.” There is an equally strong inference that Alphabet “intentionally did not disclose the cybersecurity information to the public in order to avoid or delay the impacts disclosure could have on regulatory scrutiny, public criticism, and loss of consumer confidence.”
As noted above, the appellate court affirmed the district court’s dismissal with respect to the ten other statements on which the plaintiff sought to rely. However, the appellate court reversed the district court’s dismissal of the plaintiff’s scheme liability claims.
The appellate court’s reversal in part of the district court’s dismissal of the plaintiff’s claims is obviously a huge development. As I noted in my post earlier this week about the dismissal of the Marriott data breach-related securities lawsuits, as a general matter cybersecurity incident-related D&O claims have not fared particularly well. At the time I made that statement, you could have included the district court’s dismissal of the Google+ securities lawsuit as an example of a case in which the plaintiff’s claims did not survive judicial scrutiny. However, the appellate court’s partial reversal not only revives the plaintiff’s claims in this case, it puts cybersecurity incident-related D&O claims in a new light.
Prospective cybersecurity incident plaintiffs will be heartened not only by the reversal itself but also by several aspects of the court’s reasoning. For example, the appellate court was willing to consider the full context of the alleged omissions in assessing whether the omissions were misleading and material. The court was quite struck by the backdrop of the Facebook/Cambridge Analytica scandal, and that context clearly had an important impact on the decision. It is also interesting that the appellate court was willing to consider the SEC’s 2018 cybersecurity disclosure guidance in assessing whether or not the omissions were misleading.
Perhaps even more important was the appellate court’s willingness to find that the plaintiff had adequately pled scienter, even though the plaintiff was unable to allege that Page had actually read the Privacy Bug Memo or was even aware of the vulnerabilities. I have to admit that I am a little skeptical that the “Page must have known” line of analysis is entirely convincing. Alphabet is a huge company with massive, sprawling operations. In trying to fill in what Page had to have known, the appellate court seems to have accepted the plaintiff’s characterization of how big a deal the discovery of the vulnerabilities was in the context of Alphabet’s entire operations. There is no doubt that after the Journal’s sensational revelations the vulnerabilities certainly looked like a big deal, but even so, were the vulnerabilities a big enough deal for us to be able to just assume that Page must have known about them? The appellate court thought so. I am not as sure.
In any event, the appellate court’s decision is important not just because it revived a cybersecurity incident-related securities suit but also because of the nature of the cybersecurity incident. That is, the specific incident was not a data breach; rather, it was the discovery of a vulnerability. There is no evidence that third parties actually accessed the information. The issue is that the user data was exposed to access, in contrast to the company’s assurances that the user data would not be exposed.
In other words, the underlying incident is primarily a privacy-related issue, rather than just a cybersecurity issue. (Indeed, the privacy-related questions surrounding the Facebook/Cambridge Analytica scandal and the EU’s adoption of the GDPR are important parts of the context in which Alphabet decided not to disclose the vulnerabilities.) The revival of this securities suit, relating as it does to privacy-related concerns, is consistent with an observation I have previously made on this blog, which is that privacy-related concerns have the potential to be a significant area for future D&O claims.
Special thanks to a loyal reader for sending me a copy of the Ninth Circuit’s opinion.