Observers have been awaiting decisions in a number of cybersecurity and privacy securities fraud class actions with potentially important implications for corporate liability. Over the last several weeks, critical developments emerged in two such cases: the defendants’ motion to dismiss was granted in part and denied in part in In re Zoom Securities Litigation, and the Supreme Court denied cert of the Ninth Circuit’s decision reviving the claims in Alphabet Inc. v. Rhode Island.
On February 16, 2022, Judge James Donato of the U.S. District Court for the Northern District of California issued an order granting in part and denying in part the Zoom defendants’ motion to dismiss.
Shareholder plaintiffs sued Zoom in April 2020, after widespread adoption of Zoom’s video communication software led to a spate of reports purportedly undermining the company’s claims that it offered end-to-end encryption and scrutinizing the company’s data collection practices. Shareholder plaintiffs alleged that Zoom, its CEO, and its CFO violated the federal securities laws by making false and misleading statements and omissions about the company’s data security capabilities in certain initial public offering documents. In December 2020, the lead plaintiff filed a consolidated complaint on behalf of shareholders who purchased or acquired Zoom securities between April 18, 2019 and April 6, 2020.
In particular, the complaint challenged 15 of the company’s statements. As to 14 out of the 15 challenged statements, the Court dismissed shareholder plaintiff’s claims for failure to adequately allege that the defendants acted with scienter, or fraudulent intent. At the outset, the Court held that the complaint failed to state a claim against Zoom’s CEO and CFO because the challenged statements regarding the scope of the company’s collection and use of customers’ personal data were vaguely attributed to Zoom or “defendants,” as opposed to a specific individual. Additionally, the Court held that the complaint failed to state a claim against Zoom because there were no allegations that Zoom’s public statements were “so important and so dramatically false” that they created “a strong inference that at least some corporate officials knew of their falsity upon publication.” As a result, the Court held that absent allegations that specific individuals uttered or published the challenged statements, there could be no finding of corporate intent or knowledge of wrongdoing.
However, the Court allowed plaintiff’s claim to proceed against Zoom and Zoom’s CEO with respect to a single alleged misstatement that appeared in Zoom’s April 18, 2019, Registration Statement and Prospectus that: “We offer robust security capabilities, including end-to-end encryption, secure login, administrative controls and role-based access controls.” The Court found that the CEO “made” the statement because he signed the Registration Statement. The Court found that plaintiff had adequately plead that the statement was false and misleading in light of an April 2020 blog post by the CEO stating that the company had “fallen short of the community’s – and our own – privacy and security expectations” and another post which apologized “for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption. . . . While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”
Defendants argued that the apology was not an admission that Zoom had knowingly misled investors. The Court disagreed, noting that plaintiff had adequately pleaded that the statement “[w]e offer robust security capabilities, including end-to-end encryption…” was made with the intent to defraud or at a minimum with deliberate recklessness, based on the CEO’s (1) possession of an advanced degree in engineering, (2) previous role as a founding engineer at a web conferencing platform, (3) leading role in “the effort to engineer Zoom Meetings’ platform,” and (4) identification on “several patents that specifically concern encryption techniques.” Defendants have requested leave to file a motion for partial reconsideration of the Court’s order.
On March 7, 2022, two weeks after the Northern District of California resolved the motion to dismiss in Zoom, the U.S. Supreme Court declined to consider Alphabet’s appeal of the Ninth Circuit’s decision in another cybersecurity-related case, Alphabet Inc. v. Rhode Island, without further explanation. The Alphabet litigation dates back to October 2018, when investors sued Google LLC, its parent Alphabet Inc., and various executives after reports revealed that the company discovered two software bugs that potentially exposed the personal data of certain users of the Google+ social network.
Shareholder plaintiffs allege that Alphabet misled investors when it purportedly disclosed in its SEC filings a risk that the company could suffer cybersecurity threats in the future but did not disclose that it had previously identified a software bug related to the Google + social network that exposed user data. Though the district court initially dismissed the majority of the claims, the Ninth Circuit reversed, holding that “[r]isk disclosures that speak entirely of as-yet-unrealized risks and contingencies and do not alert the reader that some of these risks may already have come to fruition can mislead reasonable investors.” The Supreme Court declined to weigh in on the debate, leaving undisturbed the Ninth Circuit’s decision to revive the proposed class action. This case, along with Zoom, is yet another important data point in the developing story of whether securities litigation will remain a new front on which to litigate issues of cybersecurity and data privacy.
