Ninth Circuit revives Alphabet securities fraud lawsuit on undisclosed social network security bug

In 2018, internal Google investigators discovered a software bug in the Google+ social network that had, since 2015, exposed the profile data of hundreds of thousands of users to third-party developers (the Three-Year Bug).  In re Alphabet, Inc. Sec. Litig., No. 20-15638, slip op. at 9 (9th Cir. June 16, 2021).  The complaint alleges that Alphabet CEO Lawrence Page, Google CEO Sundar Pichai, and other senior Google executives read an April 2018 internal memo (the Privacy Bug Memo) detailing the Three-Year Bug and chose not to disclose the issues to investors.  Id. at 10.  In April 2018 and again in June 2018, Alphabet filed quarterly Form 10-Q reports incorporating prior-year security and privacy risk disclosures without adding new disclosures about the Three-Year Bug or other cybersecurity vulnerabilities.  Id. at 11.  In October 2018, the Wall Street Journal published an article that discussed the vulnerability.  Id. at 12.  

Three days after the news broke, plaintiffs—including the State of Rhode Island on behalf of the Employees’ Retirement System of Rhode Island (Rhode Island)—sued Alphabet, Google, Page, Pichai, and two other senior executives for securities fraud under Section 10(b) and Section 20(a) of the Exchange Act, alleging that Alphabet made materially misleading omissions about the Three-Year Bug.  Id. at 15.  Alphabet moved to dismiss for failure to state a claim.  Id.  The district court granted the motion, finding that Rhode Island had failed to allege a material misrepresentation or omission and also failed to sufficiently allege scienter.  Id.  

The Ninth Circuit first focused on the omission and scienter allegations, holding that plaintiffs adequately alleged that Alphabet omitted material facts necessary to make statements in its quarterly reports about security risks not misleading.  Id. at 23-27.  In so holding, the panel relied on (1) the lack of any new risk disclosures in Alphabet’s April and June 2018 10-Q filings in light of the detection of the cybersecurity issues; (2) internal deliberation as evidenced by the Privacy Bug Memo; and (3) growing public scrutiny following the Cambridge Analytica data breach.  Id. at 24.  The panel also found that the omission was material based on cybersecurity disclosure guidance from the SEC.  The guidance indicates that companies should weigh “harm to [their] reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.”  Id. at 25 (quoting Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 83 Fed. Reg. 8166, 8168–69).  Further, the panel held that the omission was misleading because Alphabet’s risk disclosures did not “alert the reader that some of these risks may already have come to fruition.”  Id. at 26 (quoting Berson v. Applied Signal Tech., Inc., 527 F.3d 982, 985-87 (9th Cir. 2008)).  The panel rejected Alphabet’s argument that, because it had already addressed the bug by the time of the SEC filings, there was no need to disclose it.  The court held that “the material implications of a bug that improperly exposed user data for three years were not eliminated merely by plugging the hole in Google+’s security.”  Id. at 27. 

The panel also held that Rhode Island adequately alleged scienter.  Id. at 30-33.  The panel concluded that the complaint raised a “strong inference” that Alphabet and senior executives read the Privacy Bug Memo, knew of the vulnerabilities, and that Alphabet intentionally did not publicly disclose the information to “buy time.”  Id. at 30, 33.  The court was unpersuaded by Alphabet’s argument that the complaint needed to allege “suspicious stock sales” by company officials or information from “confidential witnesses” in order to adequately plead scienter, finding that neither was needed when scienter was otherwise credibly alleged.  Id. 

The panel also affirmed the district court’s holding that ten additional statements in the complaint did not support a securities fraud claim.  Id. at 37.  These claims referred to statements made in earnings calls to investors instructing them to refer to the 2017 Form 10-K for additional information about risk without asserting that there had been “no material changes” since the filing, and statements emphasizing Google’s commitment to user privacy by senior executives and in a proxy statement.  Id. at 34-36.  The court confirmed that misleading material representations must “rise to the level of ‘concrete description[s] of the past and present’ that affirmatively create a misleading impression of a ‘state of affairs that differed in a material way from the one that actually existed.’”  Id. at 36 (quoting In re Quality Sys., Inc. Sec. Litig., 865 F.3d 1130, 1144 (9th Cir. 2017)).  In addition, the complaint alleged that Page and Pichai did not testify before the U.S. Senate Intelligence Committee in September 2018 alongside Facebook and Twitter, which left “an empty chair for Google.”  Id.  The panel held that “[a]n empty chair is neither a statement of material fact nor the misleading omission of a material fact.”  Id.

Finally, the panel reversed the district court’s sua sponte dismissal of plaintiffs’ Rule 10b-5(a) and (c) claims, including because Alphabet had failed to target those claims in its motion to dismiss.  Id. at 38. 

The panel included Chief Circuit Judge Sidney R. Thomas, Circuit Judge Sandra S. Ikuta, and Circuit Judge Jacqueline H. Nguyen.

For further perspective on the need for executives to pay close attention to cybersecurity risks and incidents, please also see our recent update on that topic, which can be found here.