On June 16, 2021, the United States Court of Appeals for the Ninth Circuit reversed in part the dismissal of a putative class action asserting claims under Section 10(b) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder against a technology company and certain of its executives.  In re Alphabet, Inc. Sec. Litig., –F.3d–, 2021 WL 2448223 (9th Cir. 2021).  Plaintiffs alleged that the company failed to disclose a security flaw that risked exposing customer data on its social networking site to third-party developers without customer consent.  The district court granted a motion to dismiss, determining that the complaint failed to allege any misrepresentation or omission and failed to adequately allege scienter.  The Ninth Circuit reversed, holding that plaintiffs had adequately alleged actionable misrepresentations and scienter.  However, the Court affirmed the dismissal of certain allegations that it held were too vague to be actionable.

Plaintiffs' allegations concerned alleged security vulnerabilities at the company's social networking site which left users' private data potentially exposed to third-party developers.  Id. at *2.  According to plaintiffs, the company had identified the issue and the company's legal department had even circulated an internal memorandum detailing the issue and warning that it would likely trigger regulatory attention and Congressional inquiries if disclosed.  Id. at *4.  However, the company allegedly continued to make generic statements in its securities filings about the importance of maintaining customer privacy and the risks the company faced if customer privacy were not maintained, without disclosing the security issue and while stating that there had been "no material changes to our risk factors."  Id.

The Court held that the company's statements that its "operations and financial results are subject to various risks and uncertainties" and that there had been "no material changes to our risk factors" were sufficiently alleged to be materially misleading in light of the alleged omission of the security issue.  The Court emphasized that the company was alleged to have made multiple statements about the harms that could follow from the detection and disclosure of security vulnerabilities, including regulatory scrutiny, and the significant consequences that would result from their disclosure.  Id. at *10.  The Court also noted the SEC had published guidance on the disclosure of cybersecurity instances like the security issue the company faced, which further suggested the alleged misstatements were material.  Id.  And the Court concluded that disclosures about risks that "could" or "may" unfold were sufficiently alleged to be misleading because a reasonable investor would not think those risks had already materialized, even though at the time the statements were made the risks allegedly already had materialized.  Id. at *11.

While the company argued that it had remedied the technical issue before making the statements in its securities filings, the Court found that did not alter the analysis because it did not avoid the implications for lost customer trust if the company already had revealed customer data for a multi-year period.  Id.  And while the company also argued that this issue was not material because the customer information implicated was not particularly sensitive and the company's revenue had increased over the period, the Court explained that a cybersecurity incident can be material if it could impact how a reasonable investor views the company, regardless of the immediate financial impact on the company.  Id.

The Court further held that plaintiffs sufficiently raised a strong inference that the company's CFO acted with scienter.  Id.  at *12.  Although the Court noted that there was no specific allegation that the CFO had received the memorandum detailing the security issue, "numerous allegations ... raise the strong inference that [the CFO] was vitally concerned with [the company's] operations," made "key operating decisions," received weekly reports of operating results, and approved a plan to shut down the social networking site due to the security concerns.  Id. at *13.  The Court concluded that the alternative, that the CFO was not aware of the largest data security vulnerability in the company's history at a time of intense regulatory scrutiny of such vulnerabilities, was not plausible.  Id.  The Court also reasoned that there was a strong inference the company intentionally did not disclose this information in order to avoid or delay the impacts disclosure was expected to have on regulatory scrutiny, public criticism, and loss of consumer confidence.  Id.  The Court further explained that the inference of scienter was sufficient even in the absence of allegations about suspicious stock sales or confidential witness statements.  Id.

The Court then briefly explained why various other challenged statements were not actionable.  For example, the Court determined that a statement the company's head of investor relations made in earnings calls referring investors to the company's securities filings did not plausibly offer any assurance that the state of affairs at the company was different than what actually existed.  Id. at *14.  The Court further concluded that statements such as that the company was "engaged" in becoming compliant with new data privacy laws, and "has a longstanding commitment to ensuring both that our users share their data only with developers they can trust, and that they understand how developers will use that data," amounted merely to "vague and generalized commitments, aspirations, or puffery."  Id.   The Court also noted that the company's refusal to testify in Congress did not amount to a misleading statement actionable under the securities laws.  Id.

Lastly, the Court reversed the district court's sua sponte dismissal of plaintiffs' claims under Rule 10b-5(a) and (c), noting that defendants had not targeted those claims in their motion to dismiss.  The Court also rejected defendants' argument that Rule 10b-5(a) and (c) claims cannot overlap with Rule 10b-5(b).  Id. at *15 (citing Lorenzo v. SEC, 139 S. Ct. 1094, 1101-02 (2019)).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.