Case 3:19-cv-06968-CRB Document 70 Filed 03/02/21

IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF CALIFORNIA

CHARLES REIDINGER,
Plaintiff,
v.
ZENDESK, INC., et al.,
Defendants.

Case No. 19-cv-06968-CRB

ORDER GRANTING MOTION TO DISMISS WITH LEAVE TO AMEND

A class of Zendesk, Inc. stock purchasers led by Local 353, I.B.E.W. Pension Fund (“the Pension Fund”) is suing Zendesk and two Zendesk officers (collectively, “Zendesk”) for securities fraud under §§ 10(b) and 20(a) of the Securities Exchange Act of 1934 and Securities and Exchange Commission (SEC) Rule 10b-5. The Court previously dismissed the Pension Fund’s First Amended Complaint under Rule 12(b)(6) of the Federal Rules of Civil Procedure for failure to state a claim for which relief may be granted. The Court gave the Pension Fund leave to amend. In its Second Amended Complaint, the Pension Fund alleges that Zendesk made false and misleading statements relating to Zendesk’s data security, resulting in harm to investors after the public learned that Zendesk had suffered a data breach that went undetected for nearly three years.

Zendesk has moved to dismiss the Pension Fund’s Second Amended Complaint for failure to state a claim for which relief may be granted. The Court has determined that oral argument is unnecessary and vacates the hearing previously scheduled for March 5, 2021. The Court grants Zendesk’s motion to dismiss because the Pension Fund has not adequately pleaded a material misstatement or omission, and the Pension Fund’s allegations do not give rise to a strong inference that Zendesk or its officers acted with scienter, i.e., fraudulent intent. The Court grants the Pension Fund leave to amend to cure these deficiencies.

I. BACKGROUND

A. Procedural History

On January 24, 2020, the Court consolidated two putative securities class action lawsuits against Zendesk and appointed the Pension Fund as lead plaintiff. See Order Consolidating Cases (dkt. 42). The Pension Fund then filed an Amended Class Action Complaint on behalf of all purchasers of Zendesk common stock between February 6, 2019 and October 1, 2019, inclusive (the Class Period). See FAC (dkt. 51) at 1. The First Amended Complaint alleged that Zendesk and three officers—Chief Executive Officer Mikkel Svane, Chief Financial Officer Elena Gomez, and Senior Vice President of Worldwide Sales Norman Gennaro—committed securities fraud in violation of § 10(b) of the Securities Exchange Act and SEC Rule 10b-5. See id. ¶¶ 34–36, 124–127. The Pension Fund also alleged that the individual defendants violated § 20(a) of the Securities Exchange Act as control persons liable for any fraud committed by Zendesk and its employees. See id. ¶¶ 128–131.

The Pension Fund’s original claims centered on Zendesk’s public statements during the class period in relation to two events: (1) subpar performance in the Europe, Middle East, and Africa (EMEA) and Asia-Pacific (APAC) regions during Q2 2019; and (2) the September 24, 2019 discovery and subsequent disclosure of a data breach that had been ongoing for three years. See Order Dismissing FAC (dkt. 63) at 2.

The Court dismissed the Pension Fund’s claims with respect to subpar regional performance because the Pension Fund had not adequately pleaded any false or misleading statement, or facts supporting a strong inference of scienter—that is, Zendesk’s intent to deceive, manipulate, or defraud. Id. at 13–18. The Court dismissed the Pension Fund’s claim with respect to the data breach because Zendesk’s failure to disclose the breach was the only potentially material misstatement or omission that the Pension Fund alleged, and the Pension Fund’s allegations did not suggest that Zendesk or its officers intended to deceive investors about the breach. Id. at 21–22. The Court granted the Pension Fund leave to amend. Id. at 22.[1]

[1] One aspect of the Court’s Order dismissing the First Amended Complaint warrants clarification, if not revision. See Fed. R. Civ. P. 54(b). The Court stated that the Pension Fund’s First Amended Complaint had not alleged “any material misstatement or omission.” See Order Dismissing FAC at 1. But the Court also said that the Pension Fund “alleged a material omission” to the extent that the data breach “would have been viewed by the reasonable investor as significant,” though no allegations supported the inference that Zendesk had acted with scienter in relation to the data breach. See id. at 21 (citation omitted). The Court should have made its seemingly contradictory reasoning clearer, and does so now. The Court recognizes that significance to a reasonable investor is necessary, but not sufficient, to establish a materially misleading omission. See infra part II.B; In re Yahoo! Inc. Sec. Litig., 2012 WL 3282819, at *7 (N.D. Cal. Aug. 10, 2012) (“Silence, absent a duty to disclose, is not misleading under Rule 10b-5.”) (quoting Basic, Inc. v. Levinson, 485 U.S. 224, 239 n.17 (1988)). The Court’s conclusion that reasonable investors would have viewed the data breach as significant was thus insufficient to establish the further conclusion that Zendesk had materially omitted information about the breach. In effect, the Court assumed that the Pension Fund had plausibly alleged a material omission and relied on the Pension Fund’s more obvious failure to allege facts giving rise to the required “strong inference” that Zendesk or its officers had acted with scienter. See Order Dismissing FAC at 21.

On January 8, 2021, the Pension Fund filed a Second Amended Complaint. See SAC (dkt. 64). The Pension Fund noted that it had “not renewed its allegations concerning” Zendesk’s regional performance or its claims against Zendesk Senior Vice President of Worldwide Sales Norman Gennaro. Id. at 2 n.2. Instead, the Pension Fund supplemented its allegations regarding the data breach.

B. Zendesk and the Data Breach

Zendesk sells customer service software to companies. See id. ¶¶ 5–7. In doing so, Zendesk collects, stores, and transmits sensitive customer, agent, and end-user data, including personal identifiable information (PII). Id. ¶ 9. The Pension Fund alleges that Zendesk began hosting its data through Amazon Web Services (AWS)’s cloud computing platform in 2016 and completed its transition to hosting data there in 2019. Id. ¶ 8.

But according to the Pension Fund, in 2016 Zendesk “did not follow basic precautions to secure data hosted by AWS.” Id. ¶ 19(a). Before Zendesk had experienced the data breach at issue, AWS had published a list of “best practices.” Id. ¶ 27. The list warned customers to “never share” their “AWS . . . access keys with anyone.” Id. AWS also instructed customers to “enable multifactor authentication for . . . users who are allowed access to sensitive resources.” Id. AWS further explained that customers could “use logging features in AWS” to detect nefarious activity by determining “the actions users have taken . . . and the resources that were used.” Id. The Pension Fund alleges that despite these “clear directions,” which were consistent (if not identical) with Zendesk’s own avowed security best practices,[2] Zendesk “shared AWS keys” with “a third party vendor.” Id. ¶¶ 19(a), 25. A “small number” of those keys “were compromised,” which allowed “hackers to access customer service data.” Id. Zendesk also implemented multifactor authentication only “after it had provided AWS keys to others and . . . had been breached as a result.” Id. ¶ 19(b). And Zendesk “failed to properly use logging features” that could have enabled Zendesk to detect the breach. Id. As a result, Zendesk suffered a data breach in November 2016 and discovered the breach only after nearly three years had passed. Id. ¶ 51. The Pension Fund alleges that after the breach was discovered and revealed, Zendesk’s stock price fell. Id. ¶¶ 22, 24.[3]

[2] On April 1, 2019, Zendesk posted a “Security Best Practices” article on its website, instructing its customers that they could “reduce the risk of a security breach” by following certain best practices. SAC ¶ 46. The post noted that “even the best security policies will fall short if they are not followed.” Id. It went on to suggest that customers implement “2-factor authentication for all agents and admins,” “never give out user names, email addresses, or passwords,” “routinely audit” their Zendesk accounts “for suspicious activity,” and “encourage agents to monitor their user account[s].” Id.

[3] On September 24, 2019—the date that the Pension Fund alleges Zendesk discovered the breach—Zendesk’s stock price declined from $77.23 to $73.60 “on unusually high [trading] volume.” SAC ¶ 22. On September 27, 2019—the date by which the Pension Fund alleges that Zendesk would have been required to notify its customers of the breach under its internal policies—Zendesk’s stock price declined from $74.08 to $72.08 on unusually high volume. Id. ¶¶ 53–54. And after Zendesk published a notice on its website regarding the breach on October 2, 2019, Zendesk’s stock price declined from $72.71 to $69.81, again on unusually high volume. Id. ¶ 24.

After the data breach, Zendesk made various public statements regarding the breach’s nature and scale. On October 2, 2019, Zendesk published an “Important Notice regarding 2016 Security Incident” (the Notice) on its website. Id. ¶ 25. The Complaint incorporates relevant parts of the Notice:

Important Notice regarding 2016 Security Incident

We recently were alerted by a third party regarding a security matter that may have affected the Zendesk Support and Chat products and customer accounts of those products activated prior to November of 2016. . . .

* * *

On September 24 [2019], we identified approximately 10,000 Zendesk Support and Chat accounts . . . whose account information was accessed without authorization prior to November of 2016. Information accessed included some [PII] and other service data.

For impacted customers, the information accessed from these databases includes the following data:

- Email addresses, names and phone numbers of agents and end-users of certain Zendesk products.
- Agent and end user passwords that were hashed and salted—a security technique used to make them difficult to decipher, potentially up to November 2016. . . .

We have also determined that certain authentication information was accessed for a much smaller set of approximately 700 customer accounts, including expired trial accounts and accounts that are no longer active. . . .

Id. ¶ 55.

On October 4, 2019, Zendesk updated the Notice to reflect a total of ~22,000 breached customer accounts: ~15,000 Support and Chat accounts, with authentication information accessed for approximately ~7,000 customer accounts. Id. ¶ 61. Because Zendesk’s customers often have many end-users, the breach may have affected many more persons’ data. See id. ¶ 56.

On October 29, 2019, Zendesk held its Q3 2019 investor conference call, during which Mikkel Svane, Zendesk’s CEO, stated that the breach occurred when “Zendesk was in a very different state of security.” Id. ¶ 62. Similarly, Zendesk updated an “FAQ” page on its website to include Chief Security Officer Maarten Van Horenbeeck’s statement that “Zendesk has significantly invested in its security program since 2016 . . . including rolling out additional protection of sensitive personal data.” Id. ¶ 63.

On November 22, 2019, Zendesk revealed the data breach’s cause. Id. ¶ 64. While investigating the breach, Zendesk “discovered that a small number of AWS keys” had been “compromised after having been provided to a third party vendor. These keys were then used to access customer service data.” Id. The statement also indicated that Zendesk had expanded its use of multifactor authentication “during 2016 and 2017” and had “[i]ncreased security monitoring and logging” during the period “since 2016.” Id.

C. Zendesk Statements During the Class Period, Before the Breach Was Disclosed

The Pension Fund alleges that AWS best practices, the breach, and Zendesk’s statements following the breach indicate that Zendesk misled investors during the class period, before the breach was disclosed. As the Pension Fund puts it, Zendesk “repeatedly (and falsely) assured its customers and investors that its data security methodologies were comprehensive and of the highest quality.” Id. ¶ 10. This case thus centers on the significance of Zendesk’s alleged statements and omissions during the class period. The Pension Fund challenges the following statements:

1. February 14, 2019 Form 10-K for Fiscal year 2018

This filing stated that Zendesk maintains a “comprehensive security program designed to help safeguard the security and integrity of our customers’ data.” It added that Zendesk “regularly review[s]” its “security program” and regularly “obtain[s] third-party security audits and examinations” of Zendesk’s “technical operations and practices covering data security.” Id. ¶ 43. Zendesk also noted that in June 2017 it had announced its completion of the EU approval process for using Binding Corporate Rules “as a data processor and controller.” Id. This “significant regulatory approval validated [Zendesk’s] implementation of the highest possible standards for protecting PII globally, covering both the PII of [Zendesk’s] customers and employees.” Id.

The filing also warned investors that “if” a data breach were to occur, Zendesk’s “products may be perceived as insecure,” Zendesk “may lose existing customers or fail to attract new customers,” and Zendesk “may incur significant liabilities.” Id. ¶ 44. “Unauthorized access to or security breaches of [Zendesk’s] products could result in the loss of data,” and Zendesk “may also experience security breaches that may remain undetected for an extended period.” Id.

2. May 2, 2019 Form 10-Q for Q1 2019 and August 2, 2019 Form 10-Q for Q2 2019

These filings provided investors with the same warnings regarding the risks that “could” occur “if” Zendesk suffered a data breach, and the possibility that Zendesk “may” experience undetected data breaches. Id. ¶¶ 47, 49.

*

The Pension Fund alleges that these statements were “materially false and misleading” because Zendesk “knew or deliberately disregarded and failed to disclose” several facts. Id. ¶ 50.[4] First, contrary to Zendesk’s claim that it had a “comprehensive security system” that was up to the “highest possible standards,” Zendesk “did not follow basic precautions to secure data hosted by AWS.” Id. ¶ 50(a). Second, Zendesk implemented multifactor authentication only “after it had provided AWS keys to others and after it had been breached as a result,” and failed to properly “use logging features in AWS.” Id. ¶ 50(b). Third, Zendesk had “already suffered a significant breach” caused by “its failure to implement basic data security standards and best practices.” Id. ¶ 50(c).

[4] The Pension Fund points to other statements made on Zendesk’s website and elsewhere during the class period, see SAC ¶¶ 13, 14; Opp. at 6 n.6, but the Pension Fund’s claims arise from the specific statements described above, see SAC ¶ 50. The Court notes that its analysis of the statements that the Pension Fund expressly challenges would apply equally to the other class period statements mentioned in the Second Amended Complaint.

D. The Instant Motion

Zendesk has moved to dismiss the Pension Fund’s Second Amended Complaint. See Mot. to Dismiss SAC (dkt. 65). The Motion is fully briefed, see Opp. (dkt. 68); Reply (dkt. 69), and the Court has determined that oral argument is unnecessary.

II. LEGAL STANDARD

A. Rule 12(b)(6)

Under Rule 12(b)(6) of the Federal Rules of Civil Procedure, a complaint may be dismissed for failure to state a claim for which relief may be granted. Fed. R. Civ. P. 12(b)(6). Rule 12(b)(6) applies when a complaint lacks either “a cognizable legal theory” or “sufficient facts alleged” under such a theory. Godecke v. Kinetic Concepts, Inc., 937 F.3d 1201, 1208 (9th Cir. 2019). Evaluating a motion to dismiss, the Court “must presume all factual allegations of the complaint to be true and draw all reasonable inferences in favor of the nonmoving party.” Usher, 828 F.2d at 561. “[C]ourts must consider the complaint in its entirety, as well as other sources courts ordinarily examine when ruling on Rule 12(b)(6) motions to dismiss, in particular, documents incorporated into the complaint by reference, and matters of which a court may take judicial notice.” Tellabs, Inc. v. Makor Issues & Rights, Ltd., 551 U.S. 308, 322 (2007).[5]

[5] The Court grants Zendesk’s Request for Judicial Notice (dkt. 66) because the relevant documents are either incorporated by reference in the Second Amended Complaint or not subject to reasonable dispute under Rule 201(b) of the Federal Rules of Evidence. The Court notes, however, that its reasoning does not rely on any of the noticed exhibits.

If a court dismisses a complaint for failure to state a claim, it should “freely give leave” to amend “when justice so requires.” Fed. R. Civ. P. 15(a)(2). A court nevertheless has discretion to deny leave to amend due to, among other things, “repeated failure to cure deficiencies by amendments previously allowed, undue prejudice to the opposing party by virtue of allowance of the amendment, [and] futility of amendment.” Leadsinger, Inc. v. BMG Music Pub., 512 F.3d 522, 532 (9th Cir. 2008) (citing Foman v. Davis, 371 U.S. 178, 182 (1962)).

B. Claims under Section 10(b) of the Securities Exchange Act and Rule 10b-5

Section 10(b) of the Securities Exchange Act of 1934 forbids the “use or employ, in connection with the purchase or sale of any security . . . [of] any manipulative or deceptive device or contrivance in contravention of such rules and regulations as the [SEC] may prescribe as necessary or appropriate in the public interest or for the protection of investors.” 15 U.S.C. § 78j(b). SEC Rule 10b-5 implements § 10(b) and declares it unlawful:

(a) To employ any device, scheme, or artifice to defraud,
(b) To make any untrue statement of a material fact or to omit to state a material fact necessary in order to make the statements made . . . not misleading, or
(c) To engage in any act, practice, or course of business which operates or would operate as a fraud or deceit upon any person, in connection with the purchase or sale of any security.

17 C.F.R. § 240.10b-5.

The Supreme Court has implied a right of action to stock purchasers or sellers injured by a violation of § 10(b) and Rule 10b-5. See Dura Pharms., Inc. v. Broudo, 544 U.S. 336, 341 (2005). To state a claim, plaintiffs must plead “(1) a material misrepresentation (or omission); (2) scienter, i.e., a wrongful state of mind; (3) a connection with the purchase or sale of a security; (4) reliance . . .; (5) economic loss; and (6) ‘loss causation,’ i.e., a causal connection between the material misrepresentation and the loss.” Id. at 341–42 (citation omitted). The first two elements are particularly relevant here.

The first element of a Rule 10b-5 claim is a material false statement or omission. Id. at 341. A plaintiff can establish “[f]alsity” by pointing to “statements that directly contradict what the defendant knew at that time.” Khoja v. Orexigen Therapeutics, Inc., 899 F.3d 988, 1008 (9th Cir. 2008). A plaintiff can establish a material omission by pointing to the defendant’s “silence” despite a “duty to disclose.” Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27, 45 (2011) (quoting Basic Inc. v. Levinson, 485 U.S. 224, 239 n.17 (1988)). Such a duty arises from a statement that, although “not false,” is “misleading” because it “omits material information.” Khoja, 899 F.3d at 1008–09. “Disclosure is required only when necessary to make [the] statements made, in the light of the circumstances under which they were made, not misleading.” Id. at 1009 (quoting Matrixx, 563 U.S. at 44) (internal quotation marks and alterations omitted).[6] Of course, a party “fails to disclose material information” to investors only when the party in question actually “has [the] information that” investors are “entitled to know.” Chiarella v. United States, 445 U.S. 222, 228 (1980).

[6] “Companies can control what they have to disclose . . . by controlling what they say to the market.” Matrixx, 563 U.S. at 45. But once a company communicates “positive information to the market,” that company is “bound to do so in a manner that wouldn’t mislead investors.” Schueneman v. Arena Pharm., Inc., 840 F.3d 698, 705–06 (9th Cir. 2016) (quoting Berson v. Applied Signal Tech., Inc., 527 F.3d 982, 987 (9th Cir. 2008)).

“Whether its allegations concern an omission or a misstatement,” a plaintiff must also allege “materiality.” Khoja, 899 F.3d at 1009. A false statement or omission’s materiality depends on whether “there is a substantial likelihood that a reasonable shareholder would consider” the information to be “important.” Basic, 485 U.S. at 231 (quoting TSC Indus., Inc. v. Northway, Inc., 426 U.S. 438, 449 (1976)). This inquiry is “inherently fact-specific.” Matrixx, 563 U.S. at 39. For an omission, “there must be a substantial likelihood that the disclosure of the omitted fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.” Basic, 485 U.S. at 231–32 (quoting TSC Indus., 426 U.S. at 449). This standard is not “too low,” because a “minimal standard might bring an overabundance of information within its reach, and lead management simply to bury shareholders in an avalanche of trivial information.” Id. at 231 (citation omitted).

The second element of a Rule 10b-5 claim is a sufficiently culpable state of mind, or “scienter.” See Ernst & Ernst v. Hochfelder, 425 U.S. 185, 197–99 (1976). Because § 10(b) covers only “manipulative or deceptive” conduct, and Rule 10b-5 implements (and thus cannot extend more broadly than) § 10(b), a Rule 10b-5 claim must allege conduct involving manipulation or deceit. Santa Fe Indus., Inc. v. Green, 430 U.S. 462, 473–74 (1977). Accordingly, a plaintiff must allege that the defendant had the “intent to deceive, manipulate, or defraud.” Ernst & Ernst, 425 U.S. at 188.

Knowledge of falsity or deception is enough to satisfy this standard. See Gebhart v. SEC, 595 F.3d 1034, 1041 (9th Cir. 2010). And although the Supreme Court has never addressed whether recklessness establishes scienter under Rule 10b-5, see Tellabs, 551 U.S. at 319 n.3, the Ninth Circuit has held that “deliberate . . . or conscious recklessness” as to the statement’s false or misleading character establishes scienter. SEC v. Platforms Wireless Int’l Corp., 617 F.3d 1072, 1093 (9th Cir. 2010) (quoting Gebhart, 595 F.3d at 1041–42). That is because deliberate, conscious recklessness is “a form of intentional or knowing misconduct.” Id. (quoting In re Silicon Graphics Inc. Sec. Litig., 183 F.3d 970, 976 (9th Cir. 1999)). The defendant must have subjectively “appreciate[d] the gravity of the risk of misleading others” and “consciously disregarded” that risk. Id. (quoting Gebhart, 595 F.3d at 1042 n.11).[7]

[7] Although the deliberate or conscious recklessness inquiry is subjective, extreme departures from an objective standard of care may support an inference that the defendant was consciously reckless. Gebhart, 595 F.3d at 1042.

Even when individual officers lack the requisite scienter, the Ninth Circuit has left open whether a corporation may be liable for securities fraud under a “collective scienter” theory that imputes the cumulative knowledge of a corporation’s agents to the corporation. See Glazer Capital Mgmt., LP v. Magistri, 549 F.3d 736, 744 (9th Cir. 2008); Nordstrom, Inc. v. Chubb & Son, Inc., 54 F.3d 1424, 1435 (9th Cir. 1995). “[S]ome form of collective scienter pleading might be appropriate,” but only when “a company’s public statements were so important and so dramatically false that they would create a strong inference that at least some corporate officials knew of the falsity upon publication.” Glazer, 549 F.3d at 744 (emphasis in original).

Special pleading requirements apply to the (1) material misstatement or omission and (2) scienter elements of a Rule 10b-5 claim. Tellabs, 551 U.S. at 313. The Private Securities Litigation Reform Act of 1995 (PSLRA) requires plaintiffs to “specify each statement alleged to have been misleading [and] the reason or reasons why the statement is misleading,” 15 U.S.C. § 78u–4(b)(1), and to “state with particularity facts giving rise to a strong inference that the defendant acted” with the requisite scienter—that is, the intent “to deceive, manipulate, or defraud.” Tellabs, 551 U.S. at 313–314 (quoting 15 U.S.C. § 78u–4(b)(2); Ernst & Ernst, 425 U.S. at 194 & n.12).[8] With respect to scienter, the plaintiff must do more than allege facts from which “a reasonable person could infer that the defendant acted with the required intent.” Id. at 314 (citation omitted). “To qualify as ‘strong,’ . . . an inference of scienter must be more than merely plausible or reasonable—it must be cogent and at least as compelling as any opposing inference of fraudulent intent.” Id.[9]

[8] More generally, Rule 9(b) of the Federal Rules of Civil Procedure requires a party alleging fraud to “state with particularity the circumstances constituting fraud.” Fed. R. Civ. P. 9(b).

[9] If “no reasonable person could deny” that the challenged statement was “materially misleading,” and the plaintiff plausibly alleges that the defendant was “aware of the facts that made the statement misleading,” then there is a factual dispute as to whether the defendant was at least consciously reckless. Platforms Wireless Int’l Corp., 617 F.3d at 1094.

C. Claims under § 20(a) of the Securities Exchange Act

Under § 20(a), “every person who, directly or indirectly, controls any person liable” for a violation of § 10(b) “shall also be liable jointly and severally with and to the same extent as such controlled person.” 15 U.S.C. § 78t(a). Nonetheless, a control person who “acted in good faith and did not directly or indirectly induce the act or acts constituting the violation” is not liable. Id.

III. DISCUSSION

Zendesk argues that the Pension Fund has not stated a claim under § 10(b) and Rule 10b-5 because the Pension Fund has not identified any false statement or actionable omission regarding Zendesk’s data security, see Mot. to Dismiss SAC at 4–9, has failed to plead facts giving rise to a “strong inference” of scienter, id. at 9–13, and has failed to plead a causal connection between any material misrepresentation and a loss to investors, see id. at 13–14. The Pension Fund argues that Zendesk’s statements before the breach was disclosed were misleading because Zendesk lacked “a comprehensive data security program that was continuously reviewed and monitored and up to the highest standards,” and “gave investors the impression that the Company took all possible steps to secure and protect sensitive information.” Opp. at 5 (internal quotation marks omitted). The Pension Fund also argues that its allegations support a strong inference of scienter because Zendesk either “knew” about or “recklessly disregarded” its failure to “comply with AWS’s or even its own best practices” while making public statements about its comprehensive security program. Opp. at 8.

The Court agrees with Zendesk that the Pension Fund has failed to state a claim for securities fraud under the PSLRA’s special pleading requirements. The Pension Fund alleges certain mistakes that resulted in a long-undetected data breach. But although § 10(b) “is aptly described as a catchall provision . . . what it catches must be fraud.” Chiarella, 445 U.S. at 235. The Pension Fund has failed to state a claim for securities fraud for two independent reasons. First, the Pension Fund has not pleaded a material misstatement or omission because the Pension Fund has neither identified any misleading statement relating to Zendesk’s data security nor explained how Zendesk could have disclosed additional information that would have made Zendesk’s statements “not misleading.” Matrixx, 563 U.S. at 44. Second, as before, the Pension Fund’s allegations do not give rise to the “strong inference” that Zendesk or its officers acted with the intent to deceive, manipulate, or defraud investors. Tellabs, 551 U.