In what is apparently the largest privacy and cybersecurity-related securities class action lawsuit settlement ever, the parties to the Alphabet Google+ user data securities suit have agreed to settle the action for $350 million. As discussed below, this massive settlement, which is subject to court approval, is significant for a number of important reasons. A copy of the parties’ February 5, 2024, Stipulation of Settlement can be found here. The plaintiffs’ February 5, 2024, motion for preliminary settlement approval can be found here.

Background

In a front-page October 8, 2018 Wall Street Journal article entitled “Google Hid Data Breach for Months” (here), the newspaper reported that in March 2018, Google discovered a software flaw (referred to in the securities lawsuit complaint as the Three Year Bug) that between 2015 and March 2018 had allowed outside developers to access personal profile data of users of the Google+ social media site, including the data of users who had not opted to share their data publicly. In tests, the company determined that the data of nearly half of a million users had been exposed. The profile data that was exposed included full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status.

Following discovery of the glitch, the company’s legal and policy staff drafted a memo (referred to in the complaint as the Privacy Bug Memo) for senior executives. According to the Journal article, among other things, the memo advised that disclosing the incident would, in light of Congressional investigations relating to the Facebook/Cambridge Analytica matter, likely trigger “immediate regulatory interest” and perhaps draw Google into the Facebook/Cambridge Analytica spotlight. The memo also reflected internal analysis that the incident had not crossed any of the thresholds in the company’s internal guidelines for disclosure. A council of top executives tasked to oversee key decisions relating to privacy decided not to disclose the incident.

As discussed here, shortly after the Journal article’s publication, plaintiff shareholders filed a series of securities class action lawsuits, which were later consolidated in the Northern District of California. The complaint names as defendants Alphabet and related entities, as well as certain of Alphabet’s directors and officers. The defendants moved to dismiss the plaintiff’s complaint. The district court granted the defendants’ motion to dismiss, and the plaintiff appealed.

The Ninth Circuit Opinion

As discussed here, in a 38-page June 16, 2021 opinion written by Judge Sandra Segal Ikuta for a unanimous three-judge panel, the Ninth Circuit reversed in part the district court’s dismissal. The appellate court concluded that, contrary to the conclusions of the district court, the complaint adequately alleged that two statements Alphabet made in its quarterly reports omitted material facts necessary to make the statements not misleading, and that the omissions were material. The appellate court also concluded that the plaintiff had adequately pled scienter with respect to the two alleged statements. The appellate court upheld the district court’s dismissal with respect to ten other alleged misstatements on which the plaintiff sought to rely.

In the company’s April 23, 2018 and June 30, 2018 10-Qs, the company made no disclosures about the Three Year Bug or the Privacy Bug, but in each of the filings, the company said “There have been no material changes to our risk factors since our Annual Report on Form 10-K for the year ended December 31, 2017.”

The appellate court said with respect to these statements in the April 10-Q that, given that the filing was made “after the detection of the cybersecurity issues and after internal deliberation based on the Privacy Bug Memo, and during the growing scrutiny following the Cambridge Analytica scandal, the complaint plausibly alleges that the omission of any mention of the Three-Year Bug or the other security vulnerabilities made the statements in each of Form 10-Q materially misleading to a reasonable investor and significantly altered the total mix of information available to investors.”

The appellate court also concluded that the complaint’s allegations, taken as a whole, “raise a strong inference that [defendant Larry] Page, and therefore Alphabet, knew about the Three-Year Bug, the Privacy Bug, and the Privacy Bug Memo, and that Alphabet intentionally did not disclose this information in its 10-Q statements.” The Memo “informed senior executive leadership at Google of the scope of the problem, warned of the consequences of its disclosure, and presented Google leadership with a clear decision on whether to disclose the problems.”

The Settlement

Following the appellate court’s ruling, the case returned to the district court and proceedings went forward. The parties also pursued mediation, which ultimately resulted in the $350 million settlement. In the parties’ stipulation of settlement, the defendants expressly deny the plaintiffs’ allegations and deny that they engaged in wrongdoing. The settlement is subject to court approval.

In its memorandum in support of preliminary court approval, the plaintiff states, among other things, that counsel for the class will seek an attorney fee award of no more than 19% of the settlement, or roughly $66.5 million, as well as $1.7 million in litigation expenses.

Discussion

I have long thought that privacy-related issues represent one of the important emerging areas of D&O liability exposure. However, many of the highest profile privacy-related securities suits have struggled in the courts. For example, the securities lawsuit filed against Facebook related to the Cambridge Analytica case initially was dismissed, as was the plaintiff’s complaint in the Alphabet Google+ user data lawsuit. However, as discussed here, the Ninth Circuit reversed the dismissal in the Facebook Cambridge Analytica securities lawsuit, as the appellate court also did in the Alphabet Google+ user data securities suit.

The subsequent settlement of the Alphabet Google+ user data lawsuit for $350 million highlights the magnitude of the potential exposures companies arguably may face with respect to privacy-related issues. The fact that the Ninth Circuit revived both the Facebook Cambridge Analytica-related securities lawsuit and the Alphabet Google+ user data lawsuit also underscores the extent of the liability exposure that companies may face with respect to privacy-related disclosure issues.

The $350 million settlement, as massive as it is, does not even make it into the top 50 all-time securities class action lawsuit settlements. Based on my review, the recent Alphabet Google+ user data securities suit settlement would rank somewhere around the 53rd all-time largest securities class action lawsuit settlement. The settlement nevertheless does represent a milestone of sorts, as, according to the plaintiff’s motion for preliminary settlement approval, the settlement, if approved, would represent the fourth-largest securities class action recovery in the Northern District of California.

There is another way to put the magnitude of this settlement into perspective, and that is by contrast to the largest cybersecurity-related securities lawsuit settlements. To be sure, privacy-related lawsuits differ at least with respect to their underlying allegations from cybersecurity-related lawsuits. Here, while there was a software bug that exposed Google+ user data, there was no cybersecurity breach. While a cybersecurity breach can cause privacy-related problems, as this case shows, there does not need to be a breach for a privacy incident to occur.

Plaintiffs’ lawyers have pursued cybersecurity-related claims for several years now, but the results from the plaintiffs’ perspective have been decidedly mixed, with many cybersecurity-related securities lawsuits dismissed. There have, however, been certain cybersecurity-related cases that have survived dismissal motions and resulted in significant settlements, the most noteworthy of which is the Equifax data breach-related case, which, as discussed here, settled in 2020 for $149 million. The $149 million settlement in the Equifax case, the largest-ever cybersecurity-related securities suit settlement, presents an interesting contrast with the recent settlement in the Alphabet Google+ user data suit of $350 million.

At a minimum, and as noted above, the recent Alphabet Google+ user data securities suit settlement of $350 million highlights the extent to which privacy-related exposures represent a significant corporate risk. The magnitude of the settlement, particularly by contrast to the largest-ever cybersecurity-related securities suit settlements, shows that privacy-related exposures represent risks as significant as, if not greater than, the exposures companies face with respect to cybersecurity-related issues. And in any event, without regard to the relative orders of magnitude, privacy-related risk exposures, along with cybersecurity-related risk exposures, are clearly among the significant corporate and securities litigation risk exposures companies face.

The appellate court also found that the plaintiff had plausibly alleged that the omission was material, noting that in Alphabet’s 2017 10-K the company had warned of the harms that could follow from the detection and disclosure of security vulnerabilities, and that public statements of company executives also “demonstrated the importance of user trust and public perceptions of security and privacy practices.”