• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to secondary sidebar

Alston & Bird Privacy, Cyber & Data Strategy Blog

  • Home
  • Services
  • Events
  • Contacts

Recent Updates in Two Closely-Watched Cybersecurity and Privacy-Related Securities Fraud Class Actions

April 4, 2022 By Oyinkan Muraina, Sierra Shear and Cara Peterman

Observers have been awaiting decisions in a number of cybersecurity and privacy securities fraud class actions with potentially important implications for corporate liability.  Over the last several weeks, critical developments emerged in two such cases: the defendants’ motion to dismiss was granted in part and denied in part in In re Zoom Securities Litigation, and the Supreme Court denied cert of the Ninth Circuit’s decision reviving the claims in Alphabet Inc. v. Rhode Island.

On February 16, 2022, Judge James Donato of the U.S. District Court for the Northern District of California issued an order granting in part and denying in part the Zoom defendants’ motion to dismiss.

Shareholder plaintiffs sued Zoom in April 2020, after widespread adoption of Zoom’s video communication software led to a spate of reports purportedly undermining the company’s claims that it offered end-to-end encryption and scrutinizing the company’s data collection practices. Shareholder plaintiffs alleged that Zoom, its CEO, and its CFO violated the federal securities laws by making false and misleading statements and omissions about the company’s data security capabilities in certain initial public offering documents. In December 2020, the lead plaintiff filed a consolidated complaint on behalf of shareholders who purchased or acquired Zoom securities between April 18, 2019 and April 6, 2020.

In particular, the complaint challenged 15 of the company’s statements. As to 14 out of the 15 challenged statements, the Court dismissed shareholder plaintiff’s claims for failure to adequately allege that the defendants acted with scienter, or fraudulent intent. At the outset, the Court held that the complaint failed to state a claim against Zoom’s CEO and CFO because the challenged statements regarding the scope of the company’s collection and use of customers’ personal data were vaguely attributed to Zoom or “defendants,” as opposed to a specific individual. Additionally, the Court held that the complaint failed to state a claim against Zoom because there were no allegations that Zoom’s public statements were “so important and so dramatically false” that they created “a strong inference that at least some corporate officials knew of their falsity upon publication.” As a result, the Court held that absent allegations that specific individuals uttered or published the challenged statements, there could be no finding of corporate intent or knowledge of wrongdoing.

However, the Court allowed plaintiff’s claim to proceed against Zoom and Zoom’s CEO with respect to a single alleged misstatement that appeared in Zoom’s April 18, 2019, Registration Statement and Prospectus that: “We offer robust security capabilities, including end-to-end encryption, secure login, administrative controls and role-based access controls.” The Court found that the CEO “made” the statement because he signed the Registration Statement. The Court found that plaintiff had adequately plead that the statement was false and misleading in light of an April 2020 blog post by the CEO stating that the company had “fallen short of the community’s – and our own – privacy and security expectations” and another post which apologized “for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption. . . . While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”

Defendants argued that the apology was not an admission that Zoom had knowingly misled investors. The Court disagreed, noting that plaintiff had adequately pleaded that the statement “[w]e offer robust security capabilities, including end-to-end encryption…” was made with the intent to defraud or at a minimum with deliberate recklessness, based on the CEO’s (1) possession of an advanced degree in engineering, (2) previous role as a founding engineer at a web conferencing platform, (3) leading role in “the effort to engineer Zoom Meetings’ platform,” and (4) identification on “several patents that specifically concern encryption techniques.” Defendants have requested leave to file a motion for partial reconsideration of the Court’s order.

On March 7, 2022, two weeks after the Northern District of California resolved the motion to dismiss in Zoom, the U.S. Supreme Court declined to consider Alphabet’s appeal of the Ninth Circuit’s decision in another cybersecurity-related case, Alphabet Inc. v. Rhode Island, without further explanation.  The Alphabet litigation dates back to October 2018, when investors sued Google LLC, its parent Alphabet Inc., and various executives after reports revealed that the company discovered two software bugs that potentially exposed the personal data of certain users of the Google+ social network.

Shareholder plaintiffs allege that Alphabet misled investors when it purportedly disclosed in its SEC filings a risk that the company could suffer cybersecurity threats in the future but did not disclose that it had previously identified a software bug related to the Google + social network that exposed user data. Though the district court initially dismissed the majority of the claims, the Ninth Circuit reversed, holding that “[r]isk disclosures that speak entirely of as-yet-unrealized risks and contingencies and do not alert the reader that some of these risks may already have come to fruition can mislead reasonable investors.” The Supreme Court declined to weigh in on the debate, leaving undisturbed the Ninth Circuit’s decision to revive the proposed class action. This case, along with Zoom, is yet another important data point in the developing story of whether securities litigation will remain a new front on which to litigate issues of cybersecurity and data privacy.

Filed Under: Cyber Risk, Cybersecurity, Data Breach, Data Breach Litigation, Data Protection, Data Security, Online Privacy

About Oyinkan Muraina

Oyinkan Muraina is an associate in Alston & Bird’s Securities & Litigation Group. Before joining the firm, Oyinkan handled antitrust, civil, and high-stakes commercial cases for an international law firm.

[Read Bio]

About Sierra Shear

Sierra Shear is a senior associate with Alston & Bird’s Securities Litigation Group and focuses her practice on securities litigation and enforcement matters, representing public companies, financial institutions, and their officers and directors in complex individual and class action cases.

[Read Bio]

About Cara Peterman

Cara Peterman is a partner with Alston & Bird’s Securities Litigation Group. Her practice focuses on fiduciary duty and shareholder derivative suits, securities fraud, and other complex commercial litigation.

[Read Bio]

Primary Sidebar

This blog is a service of Alston & Bird’s Privacy, Cyber & Data Strategy team and focuses on key data privacy and data security issues.


Receive email notifications when new posts are added.

Receive email notifications when new posts are added.


THE DIGITAL DOWNLOAD
Click here to see the editions

PRIVACY & CYBER EVENTS
Click here to see upcoming and past events

PRIVACY & CYBER MAILINGS
Click here to sign up

@ALSTONPRIVACY
Click here to follow us on Twitter

Secondary Sidebar

Categories

Recent Posts

  • DOJ Issues New Policy on CFAA Prosecutions
  • EDPB Issues Draft Guidelines on the Calculation of Administrative Fines
  • The California Privacy Protection Agency Solicits Public Input on Forthcoming Privacy Regulations
  • U.S. Department of Commerce Announces the Establishment of a Global CBPR Forum
  • Colorado Issues Pre-Rulemaking Considerations for the Colorado Privacy Act
Copyright © 2022 · Alston & Bird · All Rights Reserved. Privacy.