In the Supreme Court of the United States

ALPHABET INC., ET AL.,
PETITIONERS
v.
STATE OF RHODE ISLAND, ET AL.,

ON PETITION FOR A WRIT OF CERTIORARI
TO THE UNITED STATES COURT OF APPEALS
FOR THE NINTH CIRCUIT

BRIEF FOR THE CHAMBER OF COMMERCE
OF THE UNITED STATES OF AMERICA,
THE SECURITIES INDUSTRY AND FINANCIAL
MARKETS ASSOCIATION, AND BUSINESS
ROUNDTABLE AS AMICI CURIAE
SUPPORTING PETITIONERS

PAUL LETTOW
JANET GALERIA
U.S. CHAMBER LITIGATION CENTER
1615 H Street NW
Washington, DC 20062

KEVIN CARROLL
SECURITIES INDUSTRY AND FINANCIAL MARKETS ASSOCIATION
1099 New York Avenue NW
Washington, DC 20001

JEFFREY B. WALL
Counsel of Record
JUDSON O. LITTLETON
M. JORDAN MINOT
SULLIVAN & CROMWELL LLP
1700 New York Avenue NW
Washington, DC 20006
(202) 956-7500
wallj@sullcrom.com

LIZ DOUGHERTY
BUSINESS ROUNDTABLE
1000 Maine Avenue SW
Washington, DC 20024

Counsel for Amici Curiae

TABLE OF CONTENTS

Interest of Amici Curiae
Introduction
Discussion
A. Risk-disclosure omission claims are the latest breed of event-driven securities litigation
B. The courts of appeals are confused over how to approach materialization-of-risk claims
C. The decision below is incorrect
D. The decision below warrants this Court’s review
Conclusion

TABLE OF AUTHORITIES

Cases:

Basic Inc. v. Levinson, 485 U.S. 224 (1988)
Bondali v. Yum! Brands, Inc., 620 Fed. Appx. 483 (6th Cir. 2015)
Brody v. Transitional Hosps. Corp., 280 F.3d 997 (9th Cir. 2002)
Burlington Coat Factory Sec. Litig., In re, 114 F.3d 1410 (3d Cir. 1997)
ChannelAdvisor Corp. Sec. Litig., In re, 2016 WL 1381772 (E.D.N.C. April 6, 2016)
Dice v. ChannelAdvisor Corp., 671 Fed. Appx. 111 (4th Cir. 2016)
Employees’ Ret. Sys. of R.I. v. Williams Cos., Inc., 889 F.3d 1153 (10th Cir. 2018)
First Am. Fin. Corp., In re, 2021 WL 4807648 (C.D. Cal. Sept. 22, 2021)
Gallagher v. Abbott Labs., 269 F.3d 806 (7th Cir. 2001)
Hampton v. root9B Techs., Inc., 897 F.3d 1291 (10th Cir. 2018)
Harman Int’l Indus., Inc. Sec. Litig., In re, 791 F.3d 90 (D.C. Cir. 2015)
Intel Corp. Sec. Litig., In re, 2019 WL 1427660 (N.D. Cal. Mar. 29, 2019)
Intuitive Surgical Sec. Litig., In re, 65 F. Supp. 3d 821 (N.D. Cal. 2014)
K-tel Int’l, Inc. Sec. Litig., In re, 300 F.3d 881 (8th Cir. 2002)
Karth v. Keryx Biopharmaceuticals, 6 F.4th 123 (1st Cir. 2021)
Marriott Int’l, Inc., Customer Data Sec. Breach Litig., In re, 2021 WL 2407518 (D. Md. June 11, 2021)
Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27 (2011)
Omnicare, Inc. v. Laborers Dist. Council Constr. Indus. Pension Fund, 575 U.S. 175 (2015)
Slayton v. American Express, 604 F.3d 758 (2d Cir. 2010)
Time Warner Inc. Sec. Litig., In re, 9 F.3d 259 (2d Cir. 1993)

Statutes and regulations:

15 U.S.C. 78u-4
15 U.S.C. 78u-5
17 C.F.R. 229.105
17 C.F.R. 240.10b-5
70 Fed. Reg. 44,722 (Aug. 3, 2005)
83 Fed. Reg. 8,166 (Feb. 26, 2018)
85 Fed. Reg. 63,726 (Oct. 8, 2020)

Miscellaneous:

First American Fin. Corp., In re, Release No. 92176 (SEC June 14, 2021)
Stephen Klemash, How Cybersecurity Risk Disclosures and Oversight Are Evolving in 2021, Ernst & Young (Oct. 4, 2021)
Kevin LaCroix, Federal Court Securities Suit Filings Remain at Elevated Levels, D&O Diary (Jan. 1, 2020)
Matt Levine, Everything Everywhere Is Securities Fraud, Bloomberg (Jan. 26, 2019)
James A. Lewis et al., The Hidden Costs of Cybercrime, Ctr. for Strategic & Int’l Stud. (Dec. 9, 2020)
Elisa Mendoza & Jeffrey Lubitz, Event-Driven Sec. Litig.: The New Driver in Class Action Growth, ISS Sec. Class Action Svcs. (2020)
Craig A. Newman, When to Report a Cyberattack? For Companies, That’s Still A Dilemma, N.Y. Times (March 5, 2018)
U.S. Brief, Cyan, Inc. v. Beaver Cty. Emps. Ret. Fund, 138 S. Ct. 1061 (2018) (No. 15-1439)
U.S. Chamber Institute for Legal Reform, An Update on Securities Litigation, ILR Briefly (March 25, 2020)

INTEREST OF AMICI CURIAE*

The Chamber of Commerce of the United States of America is the world’s largest business federation. It represents approximately 300,000 direct members and indirectly represents the interests of more than three million companies and professional organizations of every size, in every sector, and from every region of the country. An important function of the Chamber is to represent the interests of its members in matters before Congress, the Executive Branch, and the courts. To that end, the Chamber regularly files amicus curiae briefs in cases that raise issues of concern to the nation’s business community.

The Securities Industry and Financial Markets Association (SIFMA) is a securities industry trade association representing the interests of securities firms, banks, and asset managers across the globe. SIFMA’s mission is to support a strong financial industry while promoting investor opportunity, capital formation, job creation, economic growth, and trust and confidence in the financial markets. SIFMA regularly files amicus briefs in cases such as this one that have broad implications for financial markets, and frequently has appeared as amicus curiae in this Court.

Business Roundtable (BRT) is an association of chief executive officers of leading U.S. companies that together have $9 trillion in annual revenues and nearly 20 million employees. BRT was founded on the belief that businesses should play an active and effective role in the formulation of public policy. It participates in litigation as amicus curiae in a variety of contexts where important business interests are at stake.

Many of the amici’s members are companies subject to U.S. securities laws, and will be harmed both by the theory of liability adopted by the court of appeals in this case and by the uncertainty and division among the circuits regarding liability for risk disclosures.

* Under Rule 37.6, amici affirm that no counsel for any party authored this brief in whole or in part and that no person or entity other than amici curiae, their members, or their counsel made a monetary contribution to the brief’s preparation or submission. Counsel for all parties received notice of amici’s intention to file this brief at least 10 days prior to the due date, and have consented to this filing.

INTRODUCTION

This case presents a compelling opportunity to resolve a growing and important issue in securities law that has divided the lower courts. The SEC requires companies to disclose future risks, so that investors are aware of “material factors that make an investment in the [company] speculative or risky.” 17 C.F.R. 229.105. But in cases like this one, plaintiffs have argued that those forward-looking disclosures are misleading unless they also include information about past events that relate to those future risks. In allowing that type of purely backward-looking claim to proceed, the Ninth Circuit has opened courthouse doors to the latest wave of event-driven and hindsight securities litigation. As soon as there is news of some past misfortune (like a cyber incident), plaintiffs (and their counsel) bring the inevitable claim under Section 10(b) and Rule 10b-5 that the company should have disclosed it or done so sooner.

To stave off liability, public companies will need to disclose information about any past events that might with hindsight be even arguably related to future risks. Here, it is a past security bug that Google had identified and fixed. But no major industry will be spared the consequences of the decision below. Will a retailer that warns of supply-chain disruptions have to disclose past product delays? Will a manufacturer that warns of COVID-19 fallout have to disclose the vaccination rate of its employees? Plaintiffs will surely say so under the decision below, and the net effect of those suits will be to inundate investors with a slew of information about past events rather than future risks. Neither Congress nor the SEC has established that type of “gotcha” regime, and it should not come to pass without this Court’s review.

DISCUSSION

A. Risk-Disclosure Omission Claims Are The Latest Breed Of Event-Driven Securities Litigation

1. Since 2005, the SEC has required public companies to disclose “material factors that make an investment in the [company] speculative or risky.” 17 C.F.R. 229.105 (Item 105). Companies must disclose those risk factors in both their annual 10-K reports and their quarterly 10-Q reports. See 70 Fed. Reg. 44,722, 44,786 (Aug. 3, 2005). The SEC has directed companies to focus on material risks to their particular businesses (rather than generic risks that threaten the entire market), and to explain those risks in a concise, readable way (so that they may be readily understood by ordinary investors). See ibid.; see also 85 Fed. Reg. 63,726, 63,745-63,746 (Oct. 8, 2020). Item 105 does not require companies to attempt to quantify risks or predict the likelihood they will occur.

As much as companies may try to keep risk disclosures brief and easily digestible, they have come to constitute a major part of public companies’ filings. The risk-factor discussion in a Fortune 100 company’s 10-K may run dozens of pages, with paragraphs devoted to each risk. In practice, companies often identify many of the same risks—for example, a discussion of the risks posed by the COVID-19 pandemic is now commonplace. And as especially relevant here, every Fortune 100 company that files an annual 10-K lists cybersecurity as a material risk, explaining how a future cybersecurity incident could destabilize operations, harm consumer confidence, and invite regulatory scrutiny. See Stephen Klemash, How Cybersecurity Risk Disclosures and Oversight Are Evolving in 2021, Ernst & Young 2 (Oct. 4, 2021), https://tinyurl.com/EY-RiskDisclosures.

2. Accompanying this increasing prevalence of risk disclosures is the ever-present threat of a securities fraud claim. As a general matter, the pace of securities litigation has spiked over the past decade, with nearly 9 percent of U.S.-listed companies subject to securities suits in 2019—more than 2.5 times the rate from 1997 to 2018. See Kevin LaCroix, Federal Court Securities Suit Filings Remain at Elevated Levels, D&O Diary (Jan. 1, 2020), https://www.dandodiary.com/2020/01/articles/securities-litigation/federal-court-securities-suit-filings-remain-at-elevated-levels. “To put this in the simplest terms, the likelihood of a U.S.-listed company getting hit with a securities suit is the highest it has ever been.” Ibid.; see U.S. Chamber Institute for Legal Reform, An Update on Securities Litigation, ILR Briefly 3 (March 25, 2020), https://instituteforlegalreform.com/research/ilr-briefly-an-update-on-securities-litigation/ (noting records in filing activity in each of the three years 2017 to 2019).

A growing proportion of those suits stem from so-called event-driven litigation. Plaintiffs seize on a headline-grabbing negative event that harms a company (and its stock price) and allege that the company misled investors about some aspect of the event. See U.S. Chamber Institute for Legal Reform, Petition to U.S. Securities and Exchange Commission for Rulemaking on COVID-19 Related Litigation 3 (Oct. 30, 2020) (Petition for Rulemaking); see also Matt Levine, Everything Everywhere Is Securities Fraud, Bloomberg (Jan. 26, 2019), https://www.bloomberg.com/opinion/articles/2019-06-26/everything-everywhere-is-securities-fraud. That type of event-driven litigation accounts for an increasing number of securities lawsuits every year—involving everything from data privacy to the environment, opioids, and COVID-19. See Elisa Mendoza & Jeffrey Lubitz, Event-Driven Sec. Litig.: The New Driver in Class Action Growth, ISS Sec. Class Action Svcs. 3-4 (Dec. 1, 2020), https://www.issgovernance.com/file/publication-s/ISS-SCAS-Event-Driven-Securities-Litigation.pdf.

Unsurprisingly, cybersecurity incidents are on the leading edge of that wave. Cyberattacks, data breaches, and security bugs are an omnipresent risk for companies. Nearly every major business experiences some sort of cyber incident in a given year. See James A. Lewis et al., The Hidden Costs of Cybercrime, Ctr. for Strategic & Int’l Stud. 4 (Dec. 9, 2020), https://www.csis.org/analysis/hidden-costs-cybercrime (observing that only 4 percent of 1,500 companies surveyed did not report experiencing a cyber incident in 2019). As this case shows, the new model is for plaintiffs’ counsel and their clients (like the institutional investors here) to await news of a cyber incident, and then bring suit claiming that the company failed to adequately disclose the incident itself or the risk it posed to the company. See, e.g., Hampton v. root9B Techs., Inc., 897 F.3d 1291, 1301 (10th Cir. 2018) (affirming dismissal of complaint alleging misstatements in wake of hacking attack); In re First Am. Fin. Corp., 2021 WL 4807648, at *12 (C.D. Cal. Sept. 22, 2021) (dismissing complaint filed after SEC enforcement action related to cyber risk disclosures); In re Intel Corp. Sec. Litig., 2019 WL 1427660, at *2 (N.D. Cal. Mar. 29, 2019) (dismissing complaint that centered on identified security vulnerabilities but did not allege any breach).

Those claims virtually never take the form that the company’s disclosures about the risks posed by a cyber incident were themselves inaccurate or misleading. This case is a prime example. Alphabet warned investors—accurately—that a breach of its cybersecurity measures might lead to a loss of consumer confidence and Alphabet might incur “significant legal and financial exposure” and “damage [to its] reputation.” Pet. App. 55a. Those statements were true, and respondents do not appear to contend otherwise. An investor deciding whether to purchase Alphabet stock who read the relevant 10-K and 10-Qs was on clear notice that a security bug might cause the value of her stock to decline. Instead, plaintiffs in this and other cases have claimed that when a company truthfully discloses future risks, it must also disclose any past or current information about the company that purportedly bears on whether those risks have materialized. As explained below, the circuits have reacted to these materialization-of-risk claims with confusion.

B. The Courts Of Appeals Are Confused Over How To Approach Materialization-Of-Risk Claims

The courts of appeals have diverged in their treatment of materialization-of-risk claims, but the problem here is about more than the usual circuit split: courts are generally confused about how to approach such claims. See U.S. Br. at 17-18, Cyan, Inc. v. Beaver Cty. Emps. Ret. Fund, 138 S. Ct. 1061 (No. 15-1439) (arguing for review in light of the substantial confusion in the lower courts). The decision below only adds to the confusion. It adopts the most extreme position to date by allowing a claim that a company misled investors by not disclosing a past event that allegedly relates to an identified future risk. No other circuit has permitted that type of purely backward-looking claim to proceed.

1. At one end of the spectrum, the Sixth Circuit has rejected arguments that Item 105 risk disclosures—which by definition inform investors about future risks—can mislead reasonable investors about what occurred in the past. Because “[r]isk disclosures like the ones accompanying 10-Qs and other SEC filings are inherently prospective in nature,” the Sixth Circuit has reasoned, they inform investors about “what harms may come to their investment,” not “what harms are currently affecting the company.” Bondali v. Yum! Brands, Inc., 620 Fed. Appx. 483, 491 (2015). The Fourth Circuit has affirmed a district court that adopted the same reasoning. Dice v. ChannelAdvisor Corp., 671 Fed. Appx. 111 (2016).

2. By contrast, the First, Third, and D.C. Circuits allow some materialization-of-risk claims where the identified risk is imminent or already materializing. The First Circuit, for instance, has held that a company’s disclosure of a “merely hypothetical” future risk is misleading if, at the time the statement was made, the company understood that “the alleged risk had a ‘near certainty’ of causing ‘financial disaster’ to the company.” Karth v. Keryx Biopharmaceuticals, 6 F.4th 123, 137-138 (2021). In that situation, the company “is at the edge of the Grand Canyon and must warn investors of an imminent cliff.” Id. at 138. The First Circuit further held that a company must also “disclose a relevant risk if that risk had already begun to materialize.” Ibid.

The Third Circuit has also adopted that latter approach. In Williams v. Globus Med., Inc., a company that relied in part on independent contractors warned that terminating those relationships could harm its sales. See 869 F.3d 235, 241 (3d Cir. 2017). What the company did not disclose is that it was already shifting business from independent contractors to its in-house sales team. But the Third Circuit nevertheless held that the company’s identification of that risk was not misleading because the shift had not yet affected the company’s sales. In other words, the company’s disclosure remained true at the time it was made: terminating contractor relationships might hurt the company’s bottom line in the future (but had not yet begun to do so). The company had not misled investors about any future risk, because the risk had not already begun to materialize.

Like the Third Circuit, the D.C. Circuit has held that a company may be liable if, at the time of disclosure, a company knew a risk “was materializing.” In re Harman Int’l Indus., Inc. Sec. Litig., 791 F.3d 90, 104, 106 (2015). The court addressed the issue in the context of the PSLRA’s safe-harbor provision, which guards against liability for forward-looking statements that are accompanied by “meaningful” cautionary language. 15 U.S.C. 78u-5(c)(1)(A)(i). The D.C. Circuit reasoned that “cautionary language cannot be ‘meaningful’ if it is ‘misleading in light of historical fact[s].’” In re Harman, 791 F.3d at 102. Although the disclosures there covered the risk that the company’s products could become obsolete, they “did not convey that inventory was [already] obsolete.” Id. at 104. The D.C. Circuit also borrowed the First Circuit’s Grand Canyon analogy, id. at 103, suggesting that it might deem relevant whether a risk was imminent, even if the risk had not yet begun to materialize.

3. In the decision below, the Ninth Circuit went much further than the First, Third, and D.C. Circuits. Alphabet warned investors that “[i]f our security measures are breached resulting in the improper use and disclosure of user data,” “customers may curtail or stop using our products and services, and we may incur significant legal and financial exposure.” Pet. App. 55a. The Ninth Circuit held that Alphabet’s warning “of risks that ‘could’ or ‘may’ occur is misleading to a reasonable investor when Alphabet knew that those risks had materialized.” Pet. App. 25a. But unlike the First, Third, and D.C. Circuits, the Ninth Circuit did not even ask whether some harm from the past security bug was imminent or coming to fruition at the time of the disclosure. After all, the security bug had been fixed. The Ninth Circuit instead held that a company may be liable for the failure to disclose any past event related to a risk discussed in a forward-looking disclosure—regardless of whether harms to the company are imminent or already materializing.

4. To be sure, the Sixth Circuit’s decision in Bondali, though well reasoned, is unpublished (as is the Fourth Circuit’s decision in Dice). Respondents may therefore try to minimize the extent of the disagreement in the circuits. But there is no reason to believe the Sixth Circuit (or the Fourth Circuit) will change course. And even if there were, that would not affect the need for review here. Alphabet also would have prevailed under the approach taken by the First, Third, and D.C. Circuits. Moreover, the Ninth Circuit’s extreme position will affect securities filings for any major American business, which itself warrants this Court’s review. See infra, Part D. And perhaps more importantly, for the reasons explained below, the Sixth Circuit’s approach is the correct one. Item 105 disclosures notify investors about “factors that make an investment in the [company] speculative or risky.” 17 C.F.R. 229.105. Their express purpose is to notify investors about future risks. Hence, those disclosures are misleading only when a reasonable investor would not understand “what harms may come to their investment.” Bondali, 620 Fed. Appx. at 491.

C. The Decision Below Is Incorrect

Securities law imposes no “general duty on the part of a company to provide the public with all material information.” In re Burlington Coat Factory Sec. Litig., 114 F.3d 1410, 1432 (3d Cir. 1997). That is true even for material information that “a reasonable investor would very much like to know.” In re Time Warner Inc. Sec. Litig., 9 F.3d 259, 267 (2d Cir. 1993). Absent an affirmative duty to disclose, a securities plaintiff basing its claims on the contention that a company impermissibly failed to share information with the public must identify a particular statement that was rendered misleading by that omission. See Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27, 44-45 (2011). “Whether a statement is misleading depends on the perspective of a reasonable investor.” Omnicare, Inc. v. Laborers Dist. Council Constr. Indus. Pension Fund, 575 U.S. 175, 186 (2015) (internal quotation marks omitted).

Here, Item 105 required Alphabet to concisely discuss—not quantify or attempt to predict—“material factors that make an investment in the [company] speculative or risky.” 17 C.F.R. 229.105. Alphabet complied with Item 105. It disclosed both the risk of a future security bug and the harms (financial and reputational) that could cause. See Pet. App. 22a. What plaintiffs claim—and the Ninth Circuit accepted—is that Alphabet had to disclose more in order to avoid running afoul of Section 10(b) and Rule 10b-5. The Ninth Circuit’s reasoning for that conclusion is not entirely clear. But its opinion could be read to suggest that Alphabet’s failure to disclose the Google+ software bug was misleading about one of three different things: (1) the past state of affairs at the company (by implying no security bug had yet occurred), see id. at 25a; (2) the current state of affairs (because the problems with security controls were ongoing), see id. at 26a; or (3) the future state of affairs (by understating the risks that a significant security bug would pose), see id. at 26a-27a. None of those theories is correct.

1. Alphabet’s disclosures about future risks did not mislead reasonable investors about what had happened in the past or was then happening in the present. Forward-looking statements necessarily differ from representations about the present or past. See generally Slayton v. American Express, 604 F.3d 758, 765 (2d Cir. 2010) (discussing the PSLRA “statutory safe-harbor for forward-looking statements”). Saying that a person’s valuables may be stolen if her house is burgled in the future communicates nothing about the home’s current level of security or whether it has been broken into before. Given that commonsense distinction, no reasonable investor would consult a forward-looking risk disclosure to understand a company’s past or current operations.

That is precisely the reasoning adopted by the Sixth Circuit. As that court has explained, “[r]isk disclosures * * * are inherently prospective in nature. They warn an investor of what harms may come to their investment. They are not meant to educate investors on what harms are currently affecting the company.” Bondali, 620 Fed. Appx. at 491; see In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig., 2021 WL 2407518, at *25 (D. Md. June 11, 2021) (“To the extent Plaintiff alleges that Marriott’s risk disclosures were misleading about its current state of cybersecurity, those allegations fail because the risk factor disclosures are not intended to educate investors about harms currently affecting the company.”); In re ChannelAdvisor Corp. Sec. Litig., 2016 WL 1381772, at *6 (E.D.N.C. April 6, 2016) (“[I]t is unlikely that a reasonable investor would, from that cautionary [risk disclosure], infer anything about ChannelAdvisor’s current contracts.”), aff’d sub nom. Dice v. ChannelAdvisor Corp., 671 Fed. Appx. 111 (4th Cir. 2016) (per curiam).

This case is an excellent example. Alphabet cautioned investors that “[i]f our security measures are breached * * * , or if our services are subject to attacks * * * , users may curtail or stop using our products and services, and we may incur significant legal and financial exposure.” Pet. App. 55a. Alphabet further explained that “[a]ny systems failure or compromise of our security that results in the release of our users’ data * * * could seriously harm our reputation and brand and, therefore, our business.” Id. at 56a. Alphabet even warned that “[w]e experience cyber attacks of varying degrees on a regular basis” and “[i]f an actual or perceived breach of our security occurs, the market perception of the effectiveness of our security measures could be harmed and we could lose users and customers.” Id. at 56a-57a. Every word of those disclosures about future risks is true—and not a single word communicates anything about past security bugs or present security.

At bottom, respondents’ and the Ninth Circuit’s approach rests on the faulty premise that a company commits fraud when an investor forms a mistaken impression of the company’s past or current operations after reading a forward-looking risk disclosure. Securities law is focused on specific statements made by a company, not vague impressions a litigant later claims to have gleaned from those statements. That is why securities plaintiffs must “specify each statement alleged to have been misleading” at the outset of their case, 15 U.S.C. 78u-4(b)(1), and why a successful omission claim requires pointing to specific statements that were misleading without the undisclosed information. Matrixx Initiatives, 563 U.S. at 44. Here, Alphabet’s actual statements about the future risks of a security bug could not have misled any reasonable investor about whether the company had suffered attacks in the past or was vulnerable to attacks at the time of the disclosures.

2. To the extent respondents are claiming (or the Ninth Circuit accepted) that Alphabet’s disclosures were misleading about the future risks facing the company, that theory too is wrong. A forward-looking discussion of a specific risk is not misleading solely because it does not also include all information detailing the company’s vulnerability to that risk. “Rule 10b-5 ‘prohibit[s] only misleading and untrue statements, not statements that are incomplete.’” Employees’ Ret. Sys. of R.I. v. Williams Cos., Inc., 889 F.3d 1153, 1164 (10th Cir. 2018) (quoting Brody v. Transitional Hosps. Corp., 280 F.3d 997, 1006 (9th Cir. 2002)). As a result, companies need not “dump all known information with every public announcement.” In re K-tel Int’l, Inc. Sec. Litig., 300 F.3d 881, 898 (8th Cir. 2002). Put simply, “Rule 10b-5 does not contain a ‘freestanding completeness requirement’ because ‘no matter how detailed and accurate disclosure statements are, there are likely to be additional details that could have been disclosed but were not.’” In re Intuitive Surgical Sec. Litig., 65 F. Supp. 3d 821, 836 (N.D. Cal. 2014) (quoting Brody, 280 F.3d at 1006).

The question is therefore not whether the undisclosed Google+ software bug related to Alphabet’s cyber-related risks, see Pet. App. 26a, or whether disclosure would have “significantly altered the total mix of information” available to investors, id. at 27a (internal quotation marks omitted). Rather, the question is whether Alphabet’s specific statements regarding its future risk were inaccurate or misleading. As explained above, they were not. Alphabet accurately described the risks to consumers’ confidence and the company’s financial health from a security bug. See supra, p. 13. In making those disclosures, Alphabet did not take on a duty to provide the investing public with all of the information on which its assessment was based. There is nothing inconsistent or misleading about identifying risks associated with security bugs while possessing information about an earlier, remedied bug or the firm’s vulnerabilities to such bugs.

In short, like virtually every other public company, Alphabet recognized that it faces risks from cybersecurity incidents. It thus informed investors of its accurate assessment of the consequences such an incident could have for its business. The mere fact that respondents, with the benefit of hindsight, would have wanted to know about Alphabet’s past security bugs does not make Alphabet’s actual risk disclosures misleading. The Ninth Circuit’s contrary view effectively converts the duty not to mislead investors into a duty to provide past and present information that is somehow related to every future risk disclosed to the public. Securities law imposes no such requirement, and as explained below, imposing it through the courts will have a host of negative consequences.

D. The Decision Below Warrants This Court’s Review

The Ninth Circuit’s approach will harm both investors and companies. Start with the fact that it is not necessary. If the SEC believes that a company has violated Item 105 or other disclosure provisions of the securities laws, it may levy civil monetary penalties. See In re First American Fin. Corp., Release No. 92176 (SEC June 14, 2021) (concluding that First American had failed to maintain adequat