The U.S. Supreme Court has agreed to take up a case involving risk factor disclosures in connection with the alleged misuse of Facebook user data by Cambridge Analytica. The case will address a Circuit Court split on the question of what companies must disclose in its risk factors about past instances where risks materialized. As Facebook put it in its petition for writ of certiorari, the question the case presents is whether risk factor disclosures are misleading if they do not disclose past materializations of the risk even if the past event poses no current risk to the company’s ongoing or future business.  The case itself is important because it raises important issues about potential securities law liabilities arising from privacy issues, and the Court’s consideration of the case could address important continuing concerns about corporate risk factor disclosures. A copy of the Court’s June 10, 2024, order in Facebook, Inc. v. Amalgamated Bank granting Facebook’s petition can be found here.


This case arises out of the Facebook-Cambridge Analytica User Data Scandal. Cambridge Analytica allegedly improperly used Facebook user data to target voters in connection with the 2016 U.S. Presidential election. News reports revealed Cambridge Analytica’s use of Facebook user data. However, a subsequent whistleblower-based news report revealed the extent of Cambridge Analytica’s use of the data, and its continued use of the data even after Facebook had become aware of the misuse and had asked Cambridge Analytica to destroy the data.

Facebook investors filed several securities class action lawsuits against Facebook (now known as Meta) and certain of its directors and officers. The lawsuits (later consolidated) raised a number of allegations, including, with greatest relevance to the issues the Supreme Court has agreed to take up, that the company in its risk factor disclosures had referred to the risks to the company of an unauthorized user data disclosure, but had presented the risk as hypothetical when in fact it has already materialized. The district court granted the defendants’ motions to dismiss, and the plaintiff appealed.

As discussed here, in an October 18, 2023, opinion, the Ninth Circuit, with Judge Bumatay partially dissenting, affirmed in part and reversed in part the district court’s dismissal. Of greatest significance, the appellate court reversed the lower court and revived the lawsuit with respect to the plaintiffs’ allegations concerning what Facebook had disclosed about what it knew about Cambridge Analytica’s misuse of user data. Of greatest significance to the Supreme Court’s consideration of the case, the appellate court said that “Because Facebook had presented the prospect of misuse of user data as “purely hypothetical’” when it had already occurred, such a statement “could be misleading even if the magnitude of the ensuing harm was still unknown.”

The Cert Petition

On March 4, 2024, Facebook filed a petition to the Supreme Court for a writ of certiorari. In its petition, Facebook argued that the Ninth Circuit panel’s decision was erroneous, and sought to have the Supreme Court review the following question: “Are risk disclosures false or misleading when they do not disclose that a risk has materialized in the past, even if that past event presents no known risk of ongoing or future business harm?” (Facebook also urged the Court to take up a second question having to do with pleading loss causation, but the Court agreed only to take up the first question.)

In seeking to have the Court take up the case, Facebook argued that the Circuit courts have split on the question of what risk factor disclosures are required with respect to prior events. Facebook argued that prior to this case, the Circuit Courts had developed differing approaches: the Sixth Circuit does not require any risk factors disclosures of past events; and six other circuits require risk factor disclosures only if the company knows the past events will harm the business. In this case, Facebook argued, a two-judge panel adopted, according to Facebook, an “extreme, outlier” position, even if past event poses no known threat of business harm.

In addition to arguing that the Ninth Circuit’s standard makes no sense and would result in risk factor disclosures becoming less useful to investors as it would drown them in irrelevant information about past incidents with no current relevance, and would also encourage “plaintiffs to plead fraud-by-hindsight by attaching significance after a stock drop to events a company had no reason to know were significant at the time of disclosure.”

In their opposition to the petition, the plaintiffs first argued that the question Facebook argues that the case presents is based on a faulty premise that the prior incident involved no known current or future risk. The Ninth Circuit’s opinion, the plaintiffs argue, in to the contrary. The plaintiffs also argued that there is in fact no circuit split, and that in fact the circuit rulings can be reconciled, and that the Ninth Circuit’s holding is also consistent – in each case, the plaintiffs argued, the courts held that a risk cannot be presented as hypothetical if it has already occurred.

Several parties filed amicus briefs in support of Facebook’s petition. For example, the U.S. Chamber of Commerce argued in an amicus brief that the Ninth Circuit’s ruling “all but guarantees that every incident that, with the full benefit of hindsight, can be said to have harmed a public company’s business will spawn securities fraud claims alleging that the company should have disclosed the event sooner.  As the only way to play defense against that outcome, companies will be forced to bloat their future risk disclosures with descriptions of past events—even those that the company does not believe will have any real world impact on its business.”

On June 10, 2024, the U.S. Supreme Court granted the writ of certiorari. The case will be on the Court’s docket for its 2024-2025 term, which begins in October.


Any time the U.S. Supreme Court agrees to take up a securities case, it is significant. The Court simply does not take up that many securities cases, and any occasion on which the Court will be called upon to weigh in on the securities laws is noteworthy. Also, any time the U.S. Supreme Court takes up a securities case there is always the possibility that that Court will introduce an approach that shakes up the securities litigation world. (Think, for example, of the Morrison case and its aftermath.)

The fact that the Supreme Court has agreed to take up this case is of particular significance. It is not an uncommon allegation at all in securities complaints that the defendants presented risks as hypothetical that have allegedly already materialized. It will be interesting to see what the Court makes of these kinds of allegations, in the context of a very high profile lawsuit. The Court’s ruling on this case could also have larger significance with respect to risk factor disclosures generally.

There is at least one other reason why the Court’s taking up this case could be significant. That is because at its heart this case is about privacy. The fundamental wrong that Cambridge Analytica (and by extension Facebook) allegedly committed is a violation of Facebook users’ privacy rights. I have long thought that privacy related issues could represent a significant new area of corporate and securities litigation exposure. This case has been one of the most prominent examples of how privacy-related issues can translate into securities litigation. I know, I know, the Supreme Court case is not going to be about privacy issues as such. However, if any portion of the case survives the Supreme Court’s review, it could have important implications about privacy issues as a source of litigation risk.

In any event, this case is now on the Court’s docket for its next term, and it will be interesting to watch.