State v. Alphabet, Inc. (In re Alphabet, Inc. Sec. Litig.)

• Decision Date: 16 June 2021
• Docket Number: No. 20-15638,20-15638
• Citation: 1 F.4th 687
• Parties: IN RE ALPHABET, INC. SECURITIES LITIGATION, State of Rhode Island, Office of the Rhode Island Treasurer on behalf of the Employees’ Retirement System of Rhode Island ; Lead Plaintiff, Individually and On Behalf of All Others Similarly Situated, Plaintiff-Appellant, v. Alphabet, Inc.; Lawrence E. Page; Sundar Pichai; Ruth M. Porat; Google LLC; Keith P. Enright; John Kent Walker, Jr., Defendants-Appellees.
• Court: U.S. Court of Appeals — Ninth Circuit

1 F.4th 687

IN RE ALPHABET, INC. SECURITIES LITIGATION,

State of Rhode Island, Office of the Rhode Island Treasurer on behalf of the Employees’ Retirement System of Rhode Island ; Lead Plaintiff, Individually and On Behalf of All Others Similarly Situated, Plaintiff-Appellant,

v.Alphabet, Inc.; Lawrence E. Page; Sundar Pichai; Ruth M. Porat; Google LLC; Keith P. Enright; John Kent Walker, Jr., Defendants-Appellees.

No. 20-15638

United States Court of Appeals, Ninth Circuit.

Argued and Submitted February 4, 2021 San Francisco, California

Filed June 16, 2021

Jason A. Forge (argued), Michael Albert, J. Marco Janoski Gray, and Ting H. Liu, Robbins Geller Rudman & Dowd LLP, San Diego, California, for Plaintiff-Appellant.

Ignacio E. Salceda (argued), Benjamin M. Crosson, Cheryl W. Foung, Stephen B. Strain, and Emily Peterson, Wilson Sonsini Goodrich & Rosati, Palo Alto, California; Gideon A. Schor, Wilson Sonsini Goodrich & Rosati, New York, New York; for Defendants-Appellees.

Before: Sidney R. Thomas, Chief Judge, and Sandra S. Ikuta and Jacqueline H. Nguyen, Circuit Judges.

IKUTA, Circuit Judge:

In March 2018, amid the furor caused by news that Cambridge Analytica improperly harvested user data from Facebook's social network, Google discovered that a security glitch in its Google+ social network had left the private data of some hundreds of thousands of users (according to Google's estimate) exposed to third-party developers for three years and that Google+ was plagued by multiple other security vulnerabilities. Warned by its legal and policy staff that disclosure of these issues would result in immediate regulatory and governmental scrutiny, Google and its holding company, Alphabet, chose to conceal this discovery, made generic statements about how cybersecurity risks could affect their business, and stated that there had been no material changes to Alphabet's risk factors since 2017. This appeal raises the question whether, for purposes of a private securities fraud action, the complaint adequately alleged that Google, Alphabet, and individual defendants made materially misleading statements by omitting to disclose these security problems and that the defendants did so with sufficient scienter, meaning with an intent to deceive, manipulate, or defraud.

I

A

At the motion to dismiss stage, we start with the facts plausibly alleged in the complaint, documents incorporated into the complaint by reference, and matters of which a court may take judicial notice. See Ashcroft v. Iqbal , 556 U.S. 662, 678–79, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) ; Tellabs, Inc. v. Makor Issues & Rts., Ltd. , 551 U.S. 308, 322, 127 S.Ct. 2499, 168 L.Ed.2d 179 (2007). The story begins in the 1990s when Lawrence Page and Sergey Brin, then students at Stanford University, developed Google, a web-based search engine. Over the next two decades, Google rapidly expanded beyond its search engine services into a range of other internet-related services and products, including advertising technology, cloud computing, and hardware.

Since its initial public offering prospectus in 2004 and throughout Google's continued rise, Google and its executives publicly recognized the importance of user privacy and user trust to Google's business. Google executives expressed their understanding that Google's "success is largely dependent on maintaining consumers’ trust" so that "users will continue to entrust Google with their private data, which Google can then monetize." As one media outlet put it, "Google has a strong incentive to position itself as a trustworthy guardian of personal information because, like Facebook, its financial success hinges on its success to learn about the interests, habits and location[s] of its users in order to sell targeted ads." Google and its executives repeatedly emphasized that maintaining users’ trust is essential and that a significant security failure "would be devastating." Google's public emphasis on user trust and user privacy remained central to its business when, in 2011, Google launched Google+ "in an attempt to make a social media network to rival that of Facebook and Twitter, and to join all users of Google services (i.e. , Search, Gmail, YouTube, Maps) into a single online identity."

In October 2015, Google restructured itself from Google, Inc. into Google LLC and created Alphabet, Inc. as its parent company, which is "essentially a holding company" whose "lifeblood is Google." Page, who had been the CEO of Google, became the CEO of Alphabet. Sundar Pichai, a longtime Google senior executive, replaced Page as the CEO of Google. Page and Pichai both sat on Alphabet's Board of Directors and served on the board's three-person Executive Committee. Pichai directly reported to Page and maintained regular contact with him; Pichai was also directly accountable to Page. Pichai also participated in Alphabet's public earnings calls. Page received weekly reports of Google's operating results and continued to make "key operating decisions" at Google.

Google's corporate restructuring did not change the central importance of privacy and security. Google and Alphabet consistently indicated that Google's foremost competitive advantage against other companies was its sophistication in security. Thus, according to Alphabet's Chief Financial Officer in February 2018, security is "clearly what we've built Google on."

While highlighting expertise in security and data privacy, Google and Alphabet also acknowledged the substantial impact that a cybersecurity failure would have on their business. According to Alphabet's 2017 Annual Report on Form 10-K filed with the Securities and Exchange Commission (SEC), "[c]oncerns about our practices with regard to the collection, use, disclosure, or security of personal information or other privacy related matters, even if unfounded, could damage our reputation and adversely affect our operating results." Alphabet warned that "[i]f our security measures are breached resulting in the improper use and disclosure of user data" then Alphabet's "products and services may be perceived as not being secure, users and customers may curtail or stop using our products and services, and we may incur significant legal and financial exposure." As Pichai explained in January 2018, "users use Google because they trust us and it is something easy to lose if you are not good stewards of it. So we work hard to earn the trust every day."

B

"By the spring of 2018, the trustworthiness of technology and those who control it were under unprecedented scrutiny." According to the complaint, a trigger for this scrutiny was the publication of reports that a research firm, Cambridge Analytica, "improperly harvested data from Facebook users’ profiles" to be used for political advertising. The immediate effects of this reporting were "devastating to Facebook and its investors," including a 13% decline in Facebook's stock price, which amounted to a loss of approximately $75 billion of market capitalization.

This scandal quickly led to congressional hearings into Facebook's leak of user information to a third-party data collector. Facebook was not the only target of scrutiny, as the Senate Judiciary Committee, chaired by Senator Grassley, requested that Google and Twitter testify at these hearings about their data privacy and security practices. In a letter to Pichai, Senator Grassley outlined the committee's "significant concerns regarding the data security practices of large social media platforms and their interactions with third party developers and other commercial[ ] users of such data." According to Senator Grassley, Pichai declined to testify after "asserting that the problems surrounding Facebook and Cambridge Analytica did not involve Google."

At around the same time, in May 2018, the European Union implemented the General Data Protection Regulation (GDPR), a new framework for regulating data privacy protections in all member states. Among other things, the GDPR required prompt disclosure of personal data breaches, not later than 72 hours after learning of the breach. On its website, Google reaffirmed its commitment to complying with the GDPR across all its services and reaffirmed Google's aim "always to keep data private and safe."

C

While external scrutiny of data privacy and security grew in March and April 2018, internal Google investigators had discovered a software glitch in the Google+ social network that had existed since 2015 (referred to in the complaint as the "Three-Year Bug"). Because of a bug in an application programming interface for Google+, third-party developers could collect certain users’ profile data even if those users had relied on Google's privacy settings to designate such data as nonpublic. The exposed private profile data included email addresses, birth dates, gender, profile photos, places lived, occupations, and relationship status.

Not only did Google's security protocols fail to detect the problem for three years, but Google also had a limited set of activity logs that could review only the two most recent weeks of user data access. Due to this record-keeping limitation, Google "had no way of determining how many third-parties had misused its users’ personal private data." And Google "could only estimate that it exposed to third-parties the personal private data of hundreds of thousands of users" based on "less than 2% of the Three-Year Bug's lifespan." Despite the efforts of "over 100 of Google's best and brightest," Google "could not confirm the damage from [the bug] or determine the number of other bugs." At the same time, this investigation into the Three-Year Bug detected other shortcomings in Google's security systems, including "previously unknown, or unappreciated, security vulnerabilities that made additional data exposures virtually inevitable." The complaint refers collectively to the Three-Year Bug and these additional vulnerabilities as the "Privacy Bug."

Around April 2018, Google's legal...