In Re Alphabet, Inc. Securities Litigation

1 F.4th 687 (9th Cir. 2021)

Facts

Google discovered that a security glitch in its Google+ social network had left the private data of some hundreds of thousands of users (according to Google's estimate) exposed to third-party developers for three years and that Google+ was plagued by multiple other security vulnerabilities. Warned by its legal and policy staff that disclosure of these issues would result in immediate regulatory and governmental scrutiny, Google and its holding company, D, chose to conceal this discovery, made generic statements about how cybersecurity risks could affect their business, and stated that there had been no material changes to D's risk factors since 2017. Since its initial public offering prospectus in 2004 and throughout Google's continued rise, Google and its executives publicly recognized the importance of user privacy and user trust to Google's business. Google executives expressed their understanding that Google's 'success is largely dependent on maintaining consumers' trust' so that 'users will continue to entrust Google with their private data, which Google can then monetize.' 'Google has a strong incentive to position itself as a trustworthy guardian of personal information because, like Facebook, its financial success hinges on its success to learn about the interests, habits and location[s] of its users in order to sell targeted ads.' Google and its executives repeatedly emphasized that maintaining users' trust is essential and that a significant security failure 'would be devastating.' In October 2015, Google restructured itself from Google, Inc. into Google LLC and created D as its parent company, which is 'essentially a holding company' whose 'lifeblood is Google.' The corporate restructuring did not change the central importance of privacy and security. Google and Alphabet consistently indicated that Google's foremost competitive advantage against other companies was its sophistication in security.
Google and D also acknowledged the substantial impact that a cybersecurity failure would have on their business. D warned that 'if our security measures are breached resulting in the improper use and disclosure of user data' then Alphabet's 'products and services may be perceived as not being secure, users and customers may curtail or stop using our products and services, and we may incur significant legal and financial exposure.' 'Users use Google because they trust us and it is something easy to lose if you are not good stewards of it. So we work hard to earn the trust every day.' Cambridge Analytica 'improperly harvested data from Facebook users' profiles' to be used for political advertising. The immediate effects of this reporting were 'devastating to Facebook and its investors,' including a 13% decline in Facebook's stock price, which amounted to a loss of approximately $75 billion of market capitalization. Congressional hearings into Facebook's leak of user information were held. Google declined to testify after 'asserting that the problems surrounding Facebook and Cambridge Analytica did not involve Google.' In May 2018, the European Union implemented the General Data Protection Regulation (GDPR), a new framework for regulating data privacy protections in all member states. Among other things, the GDPR required prompt disclosure of personal data breaches, not later than 72 hours after learning of the breach. Google reaffirmed its commitment to complying with the GDPR across all its services and reaffirmed Google's aim 'always to keep data private and safe.' In March and April 2018, internal Google investigators discovered a software glitch in the Google+ social network that had existed since 2015. Third-party developers could collect certain users' profile data even if those users had relied on Google's privacy settings to designate such data as nonpublic.
The exposed private profile data included email addresses, birth dates, gender, profile photos, places lived, occupations, and relationship status. Google's security protocols failed to detect the problem for three years, and its set of activity logs allowed review of only the two most recent weeks of user data access. Google 'had no way of determining how many third-parties had misused its users' personal private data.' Other security problems were detected that made additional data exposures virtually inevitable. Around April 2018, Google's legal and policy staff prepared a memo detailing the vulnerabilities. They warned that the disclosure of these security issues 'would likely trigger "immediate regulatory interest" and result in D "coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal."' The memo warned that 'disclosure "almost guarantees Sundar [Pichai] will testify before Congress."' Pichai and other senior Google executives received and read the memo in early April 2018. P alleges that key officers and directors, including Page and Pichai, chose a strategy of nondisclosure. Pichai approved a plan to conceal the existence of the security vulnerabilities 'to avoid any additional regulatory scrutiny, including having to testify before Congress.' Despite Google+ having 395 million monthly active users, more than either Twitter or Snapchat, Pichai and Page approved a plan to shut down the Google+ consumer platform. D and Google continued to give the public the same assurances about security and privacy as before. Google and D made many statements and filed regulatory reports that were simply false. D thought that its 'decision to buy time' would reduce the detrimental effects of eventual disclosure by avoiding disclosure at a time when Facebook was facing regulatory scrutiny, public criticism, and loss of consumer confidence as a result of the Cambridge Analytica scandal.
In October 2018, the Wall Street Journal published a lengthy story on the events surrounding these issues. The story reported that 'Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage.' The day the news broke, Google finally admitted to exposing the private data of hundreds of thousands of users and announced it was shutting down the Google+ social network for consumers. Democratic senators wrote to demand an investigation by the Federal Trade Commission. Republican senators wrote letters too. D's publicly traded share price fell after the Wall Street Journal article. According to the complaint, D's share price fell $11.91 on October 8, $10.75 on October 9, and $53.01 on October 10. Just weeks later, in December 2018, Google disclosed the discovery of another Google+ bug that had exposed user data from 52.5 million accounts. Google also announced it was accelerating the shutdown of the consumer Google+ platform to occur four months earlier than planned. Rhode Island (P) filed a securities fraud action and was designated the lead plaintiff. Ps allege violations of Section 10(b) of the Securities Exchange Act of 1934, 15 U.S.C. § 78j(b), and SEC Rule 10b-5, 17 C.F.R. § 240.10b-5, for securities fraud, as well as violations of Section 20(a) of the Exchange Act, 15 U.S.C. § 78t(a), which imposes joint and several liability on persons in control of 'any person liable under any provision' of securities law. D moved to dismiss the complaint for failure to state a claim. The district court held that the complaint failed to allege any material misrepresentation or omission and failed to allege scienter sufficiently. Further, the court held that because the Section 10(b) claim failed, the Section 20(a) claim for controlling-person liability 'necessarily fails.' Ps appealed.