Takeaway: To ensure investor safety and emphasize a commitment to user privacy, corporate executives and similarly-situated high ranking officers must not provide any statements or omissions that affirmatively create a misleading impression of the current “state of affairs that differed in a material way from the one that actually existed.” But what qualifies as a misleading statement or omission? This question has recently been addressed by the Ninth Circuit in the context of Securities Fraud claims, which requires a plaintiff to plead and prove that: (1) the defendant omitted material facts necessary in order to make the statements not misleading; and (2) scienter on behalf of the person making the statement.

Section 10(b) of the Securities Exchange Act of 1934, the SEC prescribed Rule 10b-5, makes it unlawful:

(a) To employ any device, scheme, or artifice to defraud,

(b) To make any untrue statement of a material fact or to omit to state a material fact necessary to make the statements made, in the light of the circumstances under which they were made, not misleading, or

(c) To engage in any act, practice, or course of business which operates or would operate as a fraud or deceit upon any person, in connection with the purchase or sale of any security.

The United States Supreme Court has interpreted Section 10(b) and Rule 10b-5 as providing an implied private cause of action.[1] In a typical § 10(b) private action” based on material misrepresentations or omissions, a plaintiff must prove “(1) a material misrepresentation or omission by the defendant; (2) scienter; (3) a connection between the misrepresentation or omission and the purchase or sale of a security; (4) reliance upon the misrepresentation or omission; (5) economic loss; and (6) loss causation.[2]

Under Section 10(b) and Rule 10b-5(b), “the maker of a statement is the person or entity with ultimate authority over the statement, including its content and whether and how to communicate it.”[3] Persons “who do not ‘make’ statements (as Janus defined ‘make’), but who disseminate false or misleading statements to potential investors with the intent to defraud, can be found to have violated the other parts of Rule 10b-5, subsections (a) and (c), as well as related provisions of the securities laws” including Section 10(b).[4]

There are two elements to a typical Section 10(b) claim. The first element is that a defendant omitted “to state a material fact necessary in order to make the statements made … not misleading”.[5] To meet this requirement, the plaintiff must prove both that the omission is misleading and that it is material.[6]

The second element, scienter, is not set forth in the statute. Rather, the Supreme Court has determined that “[t]he words ‘manipulative or deceptive’ used in conjunction with ‘device or contrivance’ strongly suggest that § 10(b) was intended to proscribe knowing or intentional misconduct.”[7]

The Ninth Circuit recently had the opportunity to address Section 10(b) claims in the context of Corporate Director liability stemming from a cybersecurity data breach in In re Alphabet, Inc. Securities Litigation, 1 F.4th 687 (9th Cir. 2021). There, in March 2018, amid the furor caused by news that Cambridge Analytica improperly harvested user data from Facebook’s social network, Google discovered that a security glitch in its Google+ social network had left the private data of some hundreds of thousands of users (according to Google’s estimate) exposed to third-party developers for three years and that Google+ was plagued by multiple other security vulnerabilities. Because of a bug in an application programming interface for Google+, third-party developers could collect certain users’ profile data even if those users had relied on Google’s privacy settings to designate such data as nonpublic. The exposed private profile data included email addresses, birth dates, gender, profile photos, places lived, occupations, and relationship status. Warned by its legal and policy staff that disclosure of these issues would result in immediate regulatory and governmental scrutiny, Google and its holding company, Alphabet, chose to conceal this discovery, made generic statements about how cybersecurity risks could affect their business, and stated that there had been no material changes to Alphabet’s risk factors since 2017. The question before the Court was whether, for purposes of a private securities fraud action, the complaint adequately alleged that Google, Alphabet, and individual defendants made materially misleading statements by omitting to disclose these security problems and that the defendants did so with sufficient scienter, meaning with an intent to deceive, manipulate, or defraud. [8]

Three days after a Wall Street Journal article[9] exposed Google, Alphabet and its executives for Google’s discovery of Google+’s security vulnerabilities and its subsequent decision to conceal those vulnerabilities, Rhode Island filed a securities fraud action, as did other plaintiffs. After the cases were consolidated, Rhode Island was designated the lead plaintiff. It filed a consolidated amended complaint in April 2019, naming Alphabet, Google, two other Google senior executives, and others as defendants. The complaint alleged primary violations of Section 10(b) of the Securities Exchange Act of 1934, 15 U.S.C. § 78j(b), and SEC Rule 10b-5, 17 C.F.R. § 240.10b-5, for securities fraud, as well as violations of Section 20(a) of the Exchange Act, 15 U.S.C. § 78t(a), which imposes joint and several liability on persons in control of “any person liable under any provision” of securities law.[10]

In addressing Plaintiffs’ claims, the Court analyzed the two elements of a Section 10(b) claim. Regarding the first element, the Court applied the objective standard of a “reasonable investor” to determine whether a statement is misleading.[11] In doing so, the Court evaluated whether an omission relating to cybersecurity is materially misleading, and considered the SEC’s interpretive guidance regarding the adequacy of cybersecurity-related disclosures.[12] The Court reasoned:

We have held that “transparently aspirational” statements, as well as statements of “mere corporate puffery, vague statements of optimism like ‘good,’ ‘well-regarded,’ or other feel good monikers,” are generally not actionable as a matter of law, because “professional investors, and most amateur investors as well, know how to devalue the optimism of corporate executives,” Such statements rise to the level of materially misleading statements only if they provide “concrete description of the past and present” that affirmatively create a plausibly misleading impression of a “state of affairs that differed in a material way from the one that actually existed.”[13]

In analyzing the second element of 10(b) claim, scienter, the Court remarked:

We have since held that “a reckless omission of material facts” satisfies the element of scienter, provided that such recklessness reflects some degree of intentional or conscious misconduct. We refer to this standard as “deliberate recklessness” and define it as ‘an extreme departure from the standards of ordinary care,’ which ‘presents a danger of misleading buyers or sellers that is either known to the defendant or is so obvious that the actor must have been aware of it.’[14]

The Court, noting that complaint identified a dozen allegedly misleading statements, considered two statements made by Alphabet in its quarterly reports filed with the SEC on Form 10-Q in April 2018 and July 2018. The April 2018 report for the period ending March 31, 2018, stated that Alphabet’s “operations and financial results are subject to various risks and uncertainties,” including those identified in Alphabet’s Annual Report on Form 10-K for the year ended December 31, 2017, and asserted that “[t]here have been no material changes to our risk factors since our Annual Report on Form 10-K for the year ended December 31, 2017.”[15]

The Court concluded:

“Given that the April 10-Q filing was made after the detection of Google’s cybersecurity issues, after internal deliberation based on the Privacy Bug Memo, and during the growing scrutiny following the Cambridge Analytica scandal, the complaint plausibly alleges that the omission of any mention of the Three-Year Bug or the other security vulnerabilities made the statements in each Form 10-Q materially misleading to a reasonable investor and significantly altered the total mix of information available to investors.”[16]

The Court also relied on the SEC’s guidance on when companies should disclose “cybersecurity incidents” to support its conclusion that Alphabet’s omission was material.[17] In determining disclosure obligations and “[t]he materiality of cybersecurity risks and incidents,” the SEC advises that companies should weigh, among other things, “harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.”[18] The Court subsequently concluded that the complaint plausibly alleged that these risks of harm ripened into actual harm when the Privacy Bug was detected and created the new risk that this discovery would become public.[19]

The Court reached the conclusion that the complaint plausibly alleged that Alphabet’s omission was misleading, noting “[r]isk disclosures that “speak entirely of as-yet-unrealized risks and contingencies” and do not “alert the reader that some of these risks may already have come to fruition” can mislead reasonable investors.[20]

In rejecting Alphabet’s arguments, the Court noted that a cybersecurity incident may be material even if it does not compromise sensitive financial or medical information or have an immediate financial impact on the company. The standard is whether there is a “substantial likelihood” that the information at issue “would have been viewed by the reasonable investor as having significantly altered the total mix of information made available for the purpose of decision-making by stockholders concerning their investments.” Because cybersecurity incidents may cause a range of substantial costs and harms, reasonable investors would likely find omissions regarding significant cybersecurity incidents material to their decision-making.[21]

The Ninth Circuit ultimately concluded that Rhode Island adequately alleged falsity, materiality, and scienter for the April 2018 and July 2018 10-Q statements and reversed the district court’s holdings to the contrary and remanded the case for further proceedings.

[1] Stoneridge Inv. Partners, LLC v. Scientific-Atlanta, 552 U.S. 148, 157 (2008).
[2] Id.
[3] Janus Cap. Grp., Inc. v. First Derivative Traders, 564 U.S. 135, 142 (2011).
[4] Lorenzo v. SEC, 139 S. Ct. 1094, 1099, 1100–03 (2019).
[5] 17 C.F.R. § 240.10b-5(b).
[6] Id.
[7] Ernst & Ernst v. Hochfelder, 425 U.S. 185, 197, 96 S.Ct. 1375, 47 L.Ed.2d 668 (1976).
[8] In re Alphabet, Inc. Securities Litigation, 1 F.4th 687, 693, 695 (9th Cir. 2021).
[9] See Douglas MacMillan & Robert McMillan, Google Exposed User Data, Feared Repercussions of Disclosing to Public, Wall Street J. (Oct. 8, 2018).
[10] In re Alphabet, Inc, 1 F.4th at 697-98.
[11] Id. at 699.
[12] Id. at 700.
[13] Id. (citations omitted).
[14] Id. at 701 (citations omitted).
[15] Id. at 702. The Court noted in Footnote 4 that Alphabet’s July 2018 Form 10-Q, for the quarter ending June 30, 2018, is substantively identical to the April 2018 report.
[16] Id. at 702.
[17] Id. at 703; see also, Cybersecurity Disclosures, 83 Fed. Reg. at 8169.
[18] Id. (internal citations omitted).
[19] Id.
[20] Id. (citations omitted).
[21] Id. at 704-05.