Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 1 of 38
`
`FOR PUBLICATION
`
`UNITED STATES COURT OF APPEALS
`FOR THE NINTH CIRCUIT
`
`No. 20-15638
`
`D.C. No.
`4:18-cv-06245-
`JSW
`
`OPINION
`
`IN RE ALPHABET, INC. SECURITIES
`LITIGATION,
`
`STATE OF RHODE ISLAND, Office of
`the Rhode Island Treasurer on behalf
`of the Employees’ Retirement
`System of Rhode Island; Lead
`Plaintiff, Individually and On Behalf
`of All Others Similarly Situated,
`Plaintiff-Appellant,
`
`v.
`
`ALPHABET, INC.; LAWRENCE E.
`PAGE; SUNDAR PICHAI; RUTH M.
`PORAT; GOOGLE LLC; KEITH P.
`ENRIGHT; JOHN KENT WALKER, JR.,
`Defendants-Appellees.
`
`Appeal from the United States District Court
`for the Northern District of California
`Jeffrey S. White, District Judge, Presiding
`
`Argued and Submitted February 4, 2021
`San Francisco, California
`
`Filed June 16, 2021
`
`
`
`FOR PUBLICATION
`
`UNITED STATES COURT OF APPEALS
`FOR THE NINTH CIRCUIT
`
`No. 20-15638
`
`D.C. No.
`4:18-cv-06245-
`JSW
`
`OPINION
`
`IN RE ALPHABET, INC. SECURITIES
`LITIGATION,
`
`STATE OF RHODE ISLAND, Office of
`the Rhode Island Treasurer on behalf
`of the Employees’ Retirement
`System of Rhode Island; Lead
`Plaintiff, Individually and On Behalf
`of All Others Similarly Situated,
`Plaintiff-Appellant,
`
`v.
`
`ALPHABET, INC.; LAWRENCE E.
`PAGE; SUNDAR PICHAI; RUTH M.
`PORAT; GOOGLE LLC; KEITH P.
`ENRIGHT; JOHN KENT WALKER, JR.,
`Defendants-Appellees.
`
`Appeal from the United States District Court
`for the Northern District of California
`Jeffrey S. White, District Judge, Presiding
`
`Argued and Submitted February 4, 2021
`San Francisco, California
`
`Filed June 16, 2021
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 2 of 38
`
`2
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`Before: Sidney R. Thomas, Chief Judge, and Sandra S.
`Ikuta and Jacqueline H. Nguyen, Circuit Judges.
`
`Opinion by Judge Ikuta
`
`SUMMARY*
`
`Securities Fraud
`
`The panel affirmed in part and reversed in part the district
`court’s dismissal of a securities fraud action for failure to
`state a claim, vacated the district court’s judgment, and
`remanded for further proceedings.
`
`The State of Rhode Island filed a private securities fraud
`action under §§ 10(b) and 20(a) of the Securities Exchange
`Act of 1934 and SEC Rule 10b-5 against Google LLC, its
`holding company Alphabet, Inc., and individual defendants.
`The consolidated amended complaint alleged that defendants
`omitted to disclose security problems with the Google+ social
`network. The complaint referred to the cybersecurity
`problems as the “Three-Year Bug” and the “Privacy Bug.”
`The district court granted defendants’ motion to dismiss on
`the grounds that Rhode Island failed to adequately allege a
`materially misleading misrepresentation or omission and that
`Rhode Island failed to adequately allege scienter.
`
`The panel held that the complaint adequately alleged that
`two statements made by Alphabet in its quarterly reports filed
`
`* This summary constitutes no part of the opinion of the court. It has
`been prepared by court staff for the convenience of the reader.
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 3 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`3
`
`with the SEC on Form 10-Q omitted material facts necessary
`to make the statements not misleading. Applying an
`objective materiality standard to the 10-Qs, the panel held
`that Rhode Island’s complaint plausibly alleged
`the
`materiality of the costs and consequences associated with the
`Privacy Bug, and its public disclosure, and how Alphabet’s
`decision to omit information about the Privacy Bug in its 10-
`Qs significantly altered the total mix of information available
`for decisionmaking by a reasonable investor.
`
`The panel next addressed whether the complaint
`adequately alleged scienter for the materially misleading
`omissions from the 10-Q statements. The panel held that the
`complaint was required to plausibly allege, with the
`particularity required by the Private Securities Litigation
`Reform Act, that the maker of the statements knew about the
`security vulnerabilities and intentionally or recklessly did not
`disclose them. The panel concluded that the complaint’s
`specific allegations, taken as a whole, raised a strong
`inference that defendant Lawrence Page, and therefore
`Alphabet, knew about the Three-Year Bug, the Privacy Bug,
`and a Privacy Bug Memo, and that Alphabet intentionally did
`not disclose this information in its 10-Q statements.
`
`The panel further held that Rhode Island adequately
`alleged falsity, materiality, and scienter for the 10-Q
`statements. The panel therefore reversed the district court’s
`holdings to the contrary. The panel also reversed the district
`court’s dismissal of the complaint’s § 20(a) control-person
`claims based on the 10-Q statements.
`
`As to ten additional statements identified in the
`complaint, the panel concluded that the complaint did not
`plausibly allege that these remaining statements were
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 4 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`isleading material misrepresentations. The panel therefore
`affirmed the district court’s dismissal of claims based on
`these statements.
`
`4 m
`
`Rhode Island argued on appeal that the district court erred
`in dismissing its “scheme liability claim” under Rule 10b-5(a)
`and (c) when it dismissed the complaint in its entirety without
`addressing those claims. The panel held that because
`Alphabet’s motion to dismiss did not target Rhode Island’s
`Rule 10b-5(a) and (c) claims, Rhode Island did not waive
`those claims by failing to address them in opposition to the
`motion to dismiss. Reversing, the panel held that the district
`court erred in sua sponte dismissing the Rule 10b-5(a) and (c)
`claims when Alphabet had not targeted them in its motion to
`dismiss.
`
`COUNSEL
`
`Jason A. Forge (argued), Michael Albert, J. Marco Janoski
`Gray, and Ting H. Liu, Robbins Geller Rudman & Dowd
`LLP, San Diego, California, for Plaintiff-Appellant.
`
`Ignacio E. Salceda (argued), Benjamin M. Crosson, Cheryl
`W. Foung, Stephen B. Strain, and Emily Peterson, Wilson
`Sonsini Goodrich & Rosati, Palo Alto, California; Gideon A.
`Schor, Wilson Sonsini Goodrich & Rosati, New York, New
`York; for Defendants-Appellees.
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 5 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`5
`
`OPINION
`
`IKUTA, Circuit Judge:
`
`In March 2018, amid the furor caused by news that
`Cambridge Analytica improperly harvested user data from
`Facebook’s social network, Google discovered that a security
`glitch in its Google+ social network had left the private data
`of some hundreds of thousands of users (according to
`Google’s estimate) exposed to third-party developers for
`three years and that Google+ was plagued by multiple other
`security vulnerabilities. Warned by its legal and policy staff
`that disclosure of these issues would result in immediate
`regulatory and governmental scrutiny, Google and its holding
`company, Alphabet, chose to conceal this discovery, made
`generic statements about how cybersecurity risks could affect
`their business, and stated that there had been no material
`changes to Alphabet’s risk factors since 2017. This appeal
`raises the question whether, for purposes of a private
`securities fraud action, the complaint adequately alleged that
`Google, Alphabet, and individual defendants made materially
`misleading statements by omitting to disclose these security
`problems and that the defendants did so with sufficient
`scienter, meaning with an intent to deceive, manipulate, or
`defraud.
`
`I A
`
`At the motion to dismiss stage, we start with the facts
`plausibly alleged in the complaint, documents incorporated
`into the complaint by reference, and matters of which a court
`may take judicial notice. See Ashcroft v. Iqbal, 556 U.S. 662,
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 6 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`6 6
`
`78–79 (2009); Tellabs, Inc. v. Makor Issues & Rts., Ltd., 551
`U.S. 308, 322 (2007). The story begins in the 1990s when
`Lawrence Page and Sergey Brin, then students at Stanford
`University, developed Google, a web-based search engine.
`Over the next two decades, Google rapidly expanded beyond
`its search engine services into a range of other internet-related
`services and products, including advertising technology,
`cloud computing, and hardware.
`
`Since its initial public offering prospectus in 2004 and
`throughout Google’s continued rise, Google and
`its
`executives publicly recognized the importance of user privacy
`and user trust to Google’s business. Google executives
`expressed their understanding that Google’s “success is
`largely dependent on maintaining consumers’ trust” so that
`“users will continue to entrust Google with their private data,
`which Google can then monetize.” As one media outlet put
`it, “Google has a strong incentive to position itself as a
`trustworthy guardian of personal information because, like
`Facebook, its financial success hinges on its success to learn
`about the interests, habits and location[s] of its users in order
`to sell targeted ads.” Google and its executives repeatedly
`emphasized that maintaining users’ trust is essential and that
`a significant security failure “would be devastating.”
`Google’s public emphasis on user trust and user privacy
`remained central to its business when, in 2011, Google
`launched Google+ “in an attempt to make a social media
`network to rival that of Facebook and Twitter, and to join all
`users of Google services (i.e., Search, Gmail, YouTube,
`Maps) into a single online identity.”
`
`In October 2015, Google restructured itself from Google,
`Inc. into Google LLC and created Alphabet, Inc. as its parent
`company, which is “essentially a holding company” whose
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 7 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`7
`
`“lifeblood is Google.” Page, who had been the CEO of
`Google, became the CEO of Alphabet. Sundar Pichai, a
`longtime Google senior executive, replaced Page as the CEO
`of Google. Page and Pichai both sat on Alphabet’s Board of
`Directors and served on the board’s three-person Executive
`Committee. Pichai directly reported to Page and maintained
`regular contact with him; Pichai was also directly accountable
`to Page. Pichai also participated in Alphabet’s public
`earnings calls. Page received weekly reports of Google’s
`operating results and continued to make “key operating
`decisions” at Google.
`
`Google’s corporate restructuring did not change the
`central importance of privacy and security. Google and
`Alphabet consistently indicated that Google’s foremost
`competitive advantage against other companies was its
`sophistication in security. Thus, according to Alphabet’s
`Chief Financial Officer in February 2018, security is “clearly
`what we’ve built Google on.”
`
`While highlighting expertise in security and data privacy,
`Google and Alphabet also acknowledged the substantial
`impact that a cybersecurity failure would have on their
`business. According to Alphabet’s 2017 Annual Report on
`Form 10-K filed with the Securities and Exchange
`Commission (SEC), “[c]oncerns about our practices with
`regard to the collection, use, disclosure, or security of
`personal information or other privacy related matters, even if
`unfounded, could damage our reputation and adversely affect
`our operating results.” Alphabet warned that “[i]f our
`security measures are breached resulting in the improper use
`and disclosure of user data” then Alphabet’s “products and
`services may be perceived as not being secure, users and
`customers may curtail or stop using our products and
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 8 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`ervices, and we may incur significant legal and financial
`exposure.” As Pichai explained in January 2018, “users use
`Google because they trust us and it is something easy to lose
`if you are not good stewards of it. So we work hard to earn
`the trust every day.”
`
`8 s
`
`B
`
`“By the spring of 2018, the trustworthiness of technology
`and those who control it were under unprecedented scrutiny.”
`According to the complaint, a trigger for this scrutiny was the
`publication of reports that a research firm, Cambridge
`Analytica, “improperly harvested data from Facebook users’
`profiles” to be used for political advertising. The immediate
`effects of this reporting were “devastating to Facebook and its
`investors,” including a 13% decline in Facebook’s stock
`price, which amounted to a loss of approximately $75 billion
`of market capitalization.
`
`This scandal quickly led to congressional hearings into
`Facebook’s leak of user information to a third-party data
`collector. Facebook was not the only target of scrutiny, as the
`Senate Judiciary Committee, chaired by Senator Grassley,
`requested that Google and Twitter testify at these hearings
`about their data privacy and security practices. In a letter to
`Pichai, Senator Grassley outlined
`the committee’s
`“significant concerns regarding the data security practices of
`large social media platforms and their interactions with third
`party developers and other commercial[] users of such data.”
`According to Senator Grassley, Pichai declined to testify after
`“asserting that the problems surrounding Facebook and
`Cambridge Analytica did not involve Google.”
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 9 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`9
`
`At around the same time, in May 2018, the European
`Union implemented the General Data Protection Regulation
`(GDPR), a new framework for regulating data privacy
`protections in all member states. Among other things, the
`GDPR required prompt disclosure of personal data breaches,
`not later than 72 hours after learning of the breach. On its
`website, Google reaffirmed its commitment to complying
`with the GDPR across all its services and reaffirmed
`Google’s aim “always to keep data private and safe.”
`
`C
`
`While external scrutiny of data privacy and security grew
`in March and April 2018, internal Google investigators had
`discovered a software glitch in the Google+ social network
`that had existed since 2015 (referred to in the complaint as
`the “Three-Year Bug”). Because of a bug in an application
`programming interface for Google+, third-party developers
`could collect certain users’ profile data even if those users
`had relied on Google’s privacy settings to designate such data
`as nonpublic. The exposed private profile data included
`email addresses, birth dates, gender, profile photos, places
`lived, occupations, and relationship status.
`
`Not only did Google’s security protocols fail to detect the
`problem for three years, but Google also had a limited set of
`activity logs that could review only the two most recent
`weeks of user data access. Due to this record-keeping
`limitation, Google “had no way of determining how many
`third-parties had misused its users’ personal private data.”
`And Google “could only estimate that it exposed to third-
`parties the personal private data of hundreds of thousands of
`users” based on “less than 2% of the Three-Year Bug’s
`lifespan.” Despite the efforts of “over 100 of Google’s best
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 10 of 38
`
`10
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`and brightest,” Google “could not confirm the damage from
`[the bug] or determine the number of other bugs.” At the
`same time, this investigation into the Three-Year Bug
`detected other shortcomings in Google’s security systems,
`including “previously unknown, or unappreciated, security
`vulnerabilities that made additional data exposures virtually
`inevitable.” The complaint refers collectively to the Three-
`Year Bug and these additional vulnerabilities as the “Privacy
`Bug.”
`
`Around April 2018, Google’s legal and policy staff
`prepared a memo detailing the Three-Year Bug and the
`additional vulnerabilities (referred to in the complaint as the
`“Privacy Bug Memo”). According to the complaint, the
`Privacy Bug Memo warned that the disclosure of these
`security issues “would likely trigger ‘immediate regulatory
`interest’ and result in defendants ‘coming into the spotlight
`alongside or even instead of Facebook despite having stayed
`under the radar throughout the Cambridge Analytica
`scandal.’” The memo warned that “disclosure ‘almost
`guarantees Sundar [Pichai] will testify before Congress.’”
`
`According to the complaint, Pichai and other senior
`Google executives received and read the memo in early April
`2018. The complaint alleges that key officers and directors,
`including Page and Pichai, chose a strategy of nondisclosure.
`Pichai approved a plan to conceal the existence of the Three-
`Year Bug and other security vulnerabilities described in the
`Privacy Bug Memo “to avoid any additional regulatory
`scrutiny, including having to testify before Congress.”
`Further, despite Google+ having 395 million monthly active
`users, more than either Twitter or Snapchat, Pichai and Page
`approved a plan to shut down the Google+ consumer
`platform.
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 11 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`11
`
`D
`
`Despite the information in the Privacy Bug Memo,
`Alphabet and Google continued to give the public the same
`assurances about security and privacy as before. In
`particular, on April 23, 2018, Alphabet filed its quarterly
`report on Form 10-Q for the period ending March 31, 2018.
`The 10-Q incorporated the risk disclosures from Alphabet’s
`2017 10-K and made no disclosure about the Privacy Bug. It
`stated:
`
`Our operations and financial results are
`subject to various risks and uncertainties,
`including those described in Part I, Item 1A,
`“Risk Factors” in our Annual Report on Form
`10-K for the year ended December 31, 2017,
`which could adversely affect our business,
`financial condition, results of operations, cash
`flows, and the trading price of our common
`and capital stock. There have been no
`material changes to our risk factors since our
`Annual Report on Form 10-K for the year
`ended December 31, 2017.
`
`(emphasis added). Nor did Alphabet make any disclosure
`during an earnings call on the same day. Months later, in July
`2018, Alphabet filed its Form 10-Q for the period ending
`June 30, 2018. This filing included a risk disclosure
`substantially identical to the one in the April 2018 filing; it
`likewise incorporated the 2017 Form 10-K risk factors and
`affirmed that no material changes occurred. Nor did
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 12 of 38
`
`12
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`Alphabet make any disclosure of the problems during its July
`2018 earnings call.1
`
`The complaint identifies statements made by Alphabet,
`Google, and their employees between April and October 2018
`that continued to reference user security and data privacy
`while making the same omission regarding any Google+
`problems. According to the complaint, Alphabet thought that
`this “decision to buy time” would reduce the detrimental
`effects of eventual disclosure by avoiding disclosure at a time
`when Facebook was facing regulatory scrutiny, public
`criticism, and loss of consumer confidence as a result of the
`Cambridge Analytica scandal.
`
`E
`
`Six months after this decision to buy time, the Wall Street
`Journal exposed Google’s discovery of Google+’s security
`vulnerabilities and
`its decision
`to conceal
`those
`vulnerabilities. In October 2018, the Wall Street Journal
`published a lengthy story on the events surrounding the
`Privacy Bug Memo. See Douglas MacMillan & Robert
`McMillan, Google Exposed User Data, Feared
`Repercussions of Disclosing to Public, Wall Street J. (Oct. 8,
`2018). The story reported that “Google exposed the private
`data of hundreds of thousands of users of the Google+ social
`network and then opted not to disclose the issue this past
`spring, in part because of fears that doing so would draw
`regulatory scrutiny and cause reputational damage.” It
`
`1 The complaint alleges that Page signed the 10-Qs and signed
`certifications, under SEC rules promulgated after the Sarbanes-Oxley Act,
`that vouched for the accuracy of the 10-Qs and the adequacy of controls
`for identifying cybersecurity risks.
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 13 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`13
`
`walked the reader through the discovery of the privacy bug,
`explained how Google made “concerted efforts to avoid
`public scrutiny of how it handles user information,
`particularly at a time when regulators and consumer privacy
`groups are leading a charge to hold tech giants accountable
`for the vast power they wield over the personal data of
`billions of people,” and reported that Pichai had been briefed
`on the plan not to notify users.
`
`The day the news broke, Google published a blog post
`acknowledging the “significant challenges” regarding data
`security identified in the Wall Street Journal article. It finally
`admitted to exposing the private data of hundreds of
`thousands of users and announced it was shutting down the
`Google+ social network for consumers.
`
`Condemnation from lawmakers soon followed. Two days
`after the Wall Street Journal article, Democratic senators
`wrote to demand an investigation by the Federal Trade
`Commission. This letter noted that, due to the limitations of
`Google’s internal logs, “we may never know the full extent
`of the damage caused by the failure to provide adequate
`controls and protection to users.” The letter likewise noted
`that the “awareness and approval by Google management to
`not disclose represents a culture of concealment and opacity
`set from the top of the company.” Republican senators also
`wrote a letter to Pichai that questioned Google’s decision “to
`withhold information about a relevant vulnerability for fear
`of public scrutiny” at the same time that Facebook was being
`questioned regarding the Cambridge Analytica scandal. In a
`second letter to Pichai, Senator Grassley complained that
`Google had assured him in April 2018 that it maintained
`robust protection for user data, despite Pichai’s awareness
`that Google+ “had an almost identical feature to Facebook,
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 14 of 38
`
`14
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`which allowed third party developers to access information
`from users.”
`
`Markets reacted to the news. Alphabet’s publicly traded
`share price fell after the Wall Street Journal article.
`According to the complaint, Alphabet’s share price fell
`$11.91 on October 8, $10.75 on October 9, and $53.01 on
`October 10. Financial news reports called Google’s decision
`not to disclose the security breach a “cover-up” and predicted
`forthcoming regulatory scrutiny.
`
`Just weeks later, in December 2018, Google disclosed the
`discovery of another Google+ bug that had exposed user data
`from 52.5 million accounts. Google also announced it was
`accelerating the shutdown of the consumer Google+ platform
`to occur four months earlier than planned.
`
`F
`
`Three days after the Wall Street Journal article, Rhode
`Island filed a securities fraud action, as did other plaintiffs.2
`After the cases were consolidated, Rhode Island was
`designated the lead plaintiff. It filed a consolidated amended
`complaint in April 2019, which now serves as the operative
`complaint. The complaint names Alphabet, Google, Page,
`Pichai, and two other Google senior executives as defendants
`(we refer to the defendants collectively as Alphabet, where
`
`2 Rhode Island refers to the State of Rhode Island, Office of the
`Rhode Island Treasurer on behalf of the Employees’ Retirement System
`of Rhode Island.
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 15 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`15
`
`appropriate, and otherwise by name).3 The complaint alleges
`primary violations of Section 10(b) of the Securities
`Exchange Act of 1934, 15 U.S.C. § 78j(b), and SEC Rule
`10b-5, 17 C.F.R. § 240.10b-5, for securities fraud, as well as
`violations of Section 20(a) of the Exchange Act, 15 U.S.C.
`§ 78t(a), which imposes joint and several liability on persons
`in control of “any person liable under any provision” of
`securities law.
`
`Alphabet moved to dismiss the complaint for failure to
`state a claim. The district court granted the motion after
`determining that the complaint failed to allege any material
`misrepresentation or omission and failed to allege scienter
`sufficiently. Further, the court held that because the
`Section 10(b) claim failed, the Section 20(a) claim for
`controlling-person liability “necessarily fails.”
`
`Although the district court granted leave to amend, Rhode
`Island notified the district court that it did not intend to
`amend, and the district court entered judgment. Rhode Island
`now appeals from that final judgment.
`
`II
`
`We have jurisdiction under 28 U.S.C. § 1291. We review
`the district court’s dismissal of Rhode Island’s complaint for
`failure to state a claim de novo. In re NVIDIA Corp. Sec.
`
`3 The other two individual defendants are Keith P. Enright, who
`served as Google’s Legal Director of Privacy from 2016 until September
`2018 when he became Google’s Chief Privacy Officer, and John Kent
`Walker, Jr., who served as Google’s Vice President and General Counsel
`from 2016 through August 2018 before becoming Senior Vice President
`for Global Affairs.
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 16 of 38
`
`16
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`Litig., 768 F.3d 1046, 1051 (9th Cir. 2014). “To survive a
`motion to dismiss, a complaint must contain sufficient factual
`matter, accepted as true, to ‘state a claim to relief that is
`plausible on its face.’” Iqbal, 556 U.S. at 678 (quoting Bell
`Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). “When
`there are well-pleaded factual allegations, a court should
`assume their veracity and then determine whether they
`plausibly give rise to an entitlement to relief.” Id. at 679. As
`the Supreme Court has explained, “[d]etermining whether a
`complaint states a plausible claim for relief” is “a
`context-specific task that requires the reviewing court to draw
`on its judicial experience and common sense.” Id. In the
`process, we may “disregard ‘[t]hreadbare recitals of the
`elements of a cause of action, supported by mere conclusory
`statements.’” Telesaurus VPC, LLC v. Power, 623 F.3d 998,
`1003 (9th Cir. 2010) (quoting Iqbal, 556 U.S. at 678).
`
`A complaint is plausible on its face “when the plaintiff
`pleads factual content that allows the court to draw the
`reasonable inference that the defendant is liable for the
`misconduct alleged.” Iqbal, 556 U.S. at 678. The
`misconduct alleged here includes claims under two statutory
`sections: primary liability under Section 10(b) of the
`Exchange Act and controlling-person
`liability under
`Section 20(a) of the Exchange Act.
`
`Section 10(b) of the Exchange Act prohibits using or
`employing, “in connection with the purchase or sale of any
`security . . . [,] any manipulative or deceptive device or
`contrivance in contravention of such rules and regulations as
`the [SEC] may prescribe as necessary or appropriate in the
`public interest or for the protection of investors.” 15 U.S.C.
`§ 78j(b). To implement Section 10(b), the SEC prescribed
`Rule 10b-5, which makes it unlawful
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 17 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`17
`
`(a) To employ any device, scheme, or artifice
`to defraud,
`
`(b) To make any untrue statement of a
`material fact or to omit to state a material fact
`necessary in order to make the statements
`made, in the light of the circumstances under
`which they were made, not misleading, or
`
`(c) To engage in any act, practice, or course of
`business which operates or would operate as
`a fraud or deceit upon any person, in
`connection with the purchase or sale of any
`security.
`
`17 C.F.R. § 240.10b-5.
`
`The Supreme Court has interpreted Section 10(b) and
`Rule 10b-5 as providing an implied private cause of action.
`Stoneridge Inv. Partners, LLC v. Scientific-Atlanta, 552 U.S.
`148, 157 (2008). “In a typical § 10(b) private action” based
`on material misrepresentations or omissions, a plaintiff must
`prove “(1) a material misrepresentation or omission by the
`defendant; (2) scienter; (3) a connection between the
`misrepresentation or omission and the purchase or sale of a
`security; (4) reliance upon the misrepresentation or omission;
`(5) economic loss; and (6) loss causation.” Id.
`
`Under Section 10(b) and Rule 10b-5(b), “the maker of a
`statement is the person or entity with ultimate authority over
`the statement, including its content and whether and how to
`communicate it.” Janus Cap. Grp., Inc. v. First Derivative
`Traders, 564 U.S. 135, 142 (2011). Persons “who do not
`‘make’ statements (as Janus defined ‘make’), but who
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 18 of 38
`
`18
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`disseminate false or misleading statements to potential
`investors with the intent to defraud, can be found to have
`violated the other parts of Rule 10b-5, subsections (a) and (c),
`as well as related provisions of the securities laws” including
`Section 10(b). Lorenzo v. SEC, 139 S. Ct. 1094, 1099,
`1100–03 (2019).
`
`The first two elements of a typical Section 10(b) and Rule
`10b-5(b) claim are at issue here. The first element is that a
`defendant omitted “to state a material fact necessary in order
`to make the statements made . . . not misleading,” 17 C.F.R.
`§ 240.10b-5(b). To meet this requirement, the plaintiff must
`prove both that the omission is misleading and that it is
`material. Id.
`
`We apply the objective standard of a “reasonable
`investor” to determine whether a statement is misleading.
`See In re VeriFone Sec. Litig., 11 F.3d 865, 869 (9th Cir.
`1993). Section 10(b) and Rule 10b-5(b) “do not create an
`affirmative duty to disclose any and all material information”
`and instead require disclosure “only when necessary ‘to make
`. . . statements made, in light of the circumstances under
`which they were made, not misleading.’” Matrixx Initiatives,
`Inc. v. Siracusano, 563 U.S. 27, 44 (2011) (quoting 17 C.F.R.
`§ 240.10b-5(b)).
`
`A misleading omission is material if “there is ‘a
`substantial likelihood that [it] would have been viewed by the
`reasonable investor as having significantly altered the “total
`mix” of information made available’ for the purpose of
`decisionmaking by stockholders concerning
`their
`investments.” Retail Wholesale & Dep’t Store Union Loc.
`338 Ret. Fund v. Hewlett-Packard Co., 845 F.3d 1268, 1274
`(9th Cir. 2017) (quoting Basic Inc. v. Levinson, 485 U.S. 224,
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 19 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`19
`
`231–32 (1988)). The inquiry into materiality is “fact-
`specific,” Matrixx Initiatives, 563 U.S. at 43 (quoting Basic,
`485 U.S. at 236), and “requires delicate assessments of the
`inferences a ‘reasonable shareholder’ would draw from a
`given set of facts and the significance of those inferences to
`him,” Fecht v. Price Co., 70 F.3d 1078, 1080 (9th Cir. 1995)
`(quoting TSC Indus., Inc. v. Northway, Inc., 426 U.S. 438,
`450 (1976)). “[T]hese assessments are peculiarly ones for the
`trier of fact.” Id. (quoting TSC Indus., 426 U.S. at 450). As
`a result, resolving materiality as a matter of law is generally
`appropriate “only if the adequacy of the disclosure or the
`materiality of the statement is so obvious that reasonable
`minds could not differ.” Id. at 1081 (cleaned up); see Khoja
`v. Orexigen Therapeutics, Inc., 899 F.3d 988, 1014 (9th Cir.
`2018) (same).
`
`to
`relating
`In evaluating whether an omission
`cybersecurity is materially misleading, we may consider the
`SEC’s interpretive guidance regarding the adequacy of
`cybersecurity-related disclosures. See Commission Statement
`and Guidance on Public Company Cybersecurity Disclosures,
`Securities Act Release No. 33-10459, Exchange Act Release
`No. 34-82746, 83 Fed. Reg. 8166-01, 8167 (Feb. 26, 2018)
`(“Cybersecurity Disclosures”). Regardless of the degree of
`deference such interpretive guidance may merit, see Kisor v.
`Wilkie, 139 S. Ct. 2400, 2414–18 (2019), an SEC interpretive
`release can “shed further light” on regulatory disclosure
`requirements, NVIDIA, 768 F.3d at 1055.
` Agency
`interpretations, like the SEC interpretive release here, can
`provide “the judgments about the way the real world works”
`that “are precisely the kind that agencies are better equipped
`to make than are courts.” See Pension Benefit Guar. Corp. v.
`LTV Corp., 496 U.S. 633, 651 (1990); see also Kisor, 139 S.
`Ct. at 2413 (“[W]hen new issues demanding new policy calls
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 20 of 38
`
`20
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`come up within that [statutory] scheme, Congress presumably
`wants the same agency, rather than any court, to take the
`laboring oar.”).
`
` “transparently aspirational”
`that
`We have held
`statements, Hewlett-Packard, 845 F.3d at 1278, as well as
`statements of “mere corporate puffery, vague statements of
`optimism like ‘good,’ ‘well-regarded,’ or other feel good
`monikers,” are generally not actionable as a matter of law,
`because “professional investors, and most amateur investors
`as well, know how to devalue the optimism of corporate
`executives,
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
