Observers have been awaiting decisions in a series of cybersecurity and privacy securities fraud class actions with potentially significant implications for corporate liability. Over the past several weeks, critical developments have emerged in two of these cases: Defendants’ motion to dismiss was granted in part and denied in part in In re Zoom Securities Litigationand the Supreme Court denied certification of the Ninth Circuit decision reviving the lawsuits in Alphabet Inc. vs. Rhode Island.
On February 16, 2022, Judge James Donato of the United States District Court for the Northern District of California issued an order granting in part and denying in part the zoom Defendants’ motion to dismiss.
Plaintiff shareholders sued Zoom in April 2020, after the widespread adoption of Zoom’s video communication software led to a series of reports allegedly undermining the company’s claims that it offered end-to-end encryption and examining Company data collection practices. The plaintiff shareholders alleged that Zoom, its CEO and its CFO violated federal securities laws by making false and misleading statements and omissions about the company’s data security capabilities in certain initial public offering documents. In December 2020, the lead plaintiff filed a consolidated complaint on behalf of shareholders who bought or acquired Zoom securities between April 18, 2019 and April 6, 2020.
In particular, the complaint challenged 15 of the company’s statements. For 14 of the 15 challenged statements, the Court dismissed the plaintiff’s claims for failing to adequately allege that the defendants acted with malicious or fraudulent intent. At first, the Court held that the lawsuit did not make a claim against Zoom’s CEO and CFO because the contested statements about the extent of the company’s collection and use of customers’ personal data were attributed vaguely to Zoom or the “defendants”, rather than a specific individual. Furthermore, the Court held that the lawsuit did not make a claim against Zoom because there were no allegations that Zoom’s public statements were “so materially and so dramatically false” as to create “a strong inference that at least some corporate officials knew of its falsehood”. at time of publication.” As a result, the Court held that, in the absence of allegations that specific individuals made or published the statements in question, there could be no determination of corporate intent or knowledge of wrongdoing.
However, the Court allowed the plaintiff’s claim to proceed against Zoom and Zoom’s CEO with respect to a single alleged misstatement that appeared in Zoom’s April 18, 2019 Prospectus and Registration Statement that: “We offer strong capabilities including end-to-end encryption, secure login, administrative controls, and role-based access controls.” The Court found that the CEO “made” the statement because he signed the Registration Statement. The Court determined that the plaintiff had properly alleged that the statement was false and misleading in light of an April 2020 blog post from the CEO that stated that the company had “failed to meet the security and privacy expectations of the community, nor our own “, and another post that apologized “for the confusion we caused by incorrectly suggesting that Zoom meetings were capable of using endpoint encryption.” mo to extreme . . . While we never intended to mislead any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”
The defendants argued that the apology was not an admission that Zoom had knowingly misled investors. The Court disagreed, noting that the plaintiff had properly argued that the statement “[w]We offer strong security capabilities, including end-to-end encryption…” was done with intent to defraud or, at a minimum, with deliberate recklessness, based on the CEO’s possession of (1) an advanced engineering degree, ( 2) previous position as a founding engineer on a web conferencing platform, (3) leading role in “the effort to design the Zoom Meetings platform,” and (4) identification on “several patents that relate specifically to encryption techniques.” Defendants have requested permission to file a partial reconsideration motion of the court order.
On March 7, 2022, two weeks after the Northern District of California resolved the motion to dismiss in zoomthe US Supreme Court refused to consider Alphabet’s appeal of the 9th Circuit’s decision in another cybersecurity-related case, Alphabet Inc. vs. Rhode Island, without further explanation. Alphabet’s litigation dates back to October 2018, when investors sued Google LLC, its parent company Alphabet Inc. and several executives after reports revealed the company discovered two software bugs that potentially exposed the personal data of certain individuals. users of the social network Google+.
The plaintiff shareholders allege that Alphabet misled investors when it allegedly disclosed in its SEC filings a risk that the company I might will suffer from cybersecurity threats in the future, but did not disclose that it had previously identified a software bug related to the Google + social network that exposed user data. Although the district court initially dismissed most of the claims, the Ninth Circuit investedholding that “[r]Risk disclosures that speak entirely of risks and contingencies not yet realized and do not alert the reader that some of these risks may have already materialized may mislead reasonable investors.” The Supreme Court declined to weigh in on the debate, leaving intact the 9th Circuit’s decision to revive the proposed class action lawsuit. This case, along with zoomis another important data point in the unfolding story of whether securities litigation will continue to be a new front on which to litigate cybersecurity and data privacy issues.