`
`FOR PUBLICATION
`
`UNITED STATES COURT OF APPEALS
`FOR THE NINTH CIRCUIT
`
`No. 20-15638
`
`D.C. No.
`4:18-cv-06245-
`JSW
`
`OPINION
`
`IN RE ALPHABET, INC. SECURITIES
`LITIGATION,
`
`STATE OF RHODE ISLAND, Office of
`the Rhode Island Treasurer on behalf
`of the Employees’ Retirement
`System of Rhode Island; Lead
`Plaintiff, Individually and On Behalf
`of All Others Similarly Situated,
`Plaintiff-Appellant,
`
`v.
`
`ALPHABET, INC.; LAWRENCE E.
`PAGE; SUNDAR PICHAI; RUTH M.
`PORAT; GOOGLE LLC; KEITH P.
`ENRIGHT; JOHN KENT WALKER, JR.,
`Defendants-Appellees.
`
`Appeal from the United States District Court
`for the Northern District of California
`Jeffrey S. White, District Judge, Presiding
`
`Argued and Submitted February 4, 2021
`San Francisco, California
`
`Filed June 16, 2021
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 2 of 38
`
`2
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`Before: Sidney R. Thomas, Chief Judge, and Sandra S.
`Ikuta and Jacqueline H. Nguyen, Circuit Judges.
`
`Opinion by Judge Ikuta
`
`SUMMARY*
`
`Securities Fraud
`
`The panel affirmed in part and reversed in part the district
`court’s dismissal of a securities fraud action for failure to
`state a claim, vacated the district court’s judgment, and
`remanded for further proceedings.
`
`The State of Rhode Island filed a private securities fraud
`action under §§ 10(b) and 20(a) of the Securities Exchange
`Act of 1934 and SEC Rule 10b-5 against Google LLC, its
`holding company Alphabet, Inc., and individual defendants.
`The consolidated amended complaint alleged that defendants
`omitted to disclose security problems with the Google+ social
`network. The complaint referred to the cybersecurity
`problems as the “Three-Year Bug” and the “Privacy Bug.”
`The district court granted defendants’ motion to dismiss on
`the grounds that Rhode Island failed to adequately allege a
`materially misleading misrepresentation or omission and that
`Rhode Island failed to adequately allege scienter.
`
`The panel held that the complaint adequately alleged that
`two statements made by Alphabet in its quarterly reports filed
`
`* This summary constitutes no part of the opinion of the court. It has
`been prepared by court staff for the convenience of the reader.
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 3 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`3
`
`with the SEC on Form 10-Q omitted material facts necessary
`to make the statements not misleading. Applying an
`objective materiality standard to the 10-Qs, the panel held
`that Rhode Island’s complaint plausibly alleged
`the
`materiality of the costs and consequences associated with the
`Privacy Bug, and its public disclosure, and how Alphabet’s
`decision to omit information about the Privacy Bug in its 10-
`Qs significantly altered the total mix of information available
`for decisionmaking by a reasonable investor.
`
`The panel next addressed whether the complaint
`adequately alleged scienter for the materially misleading
`omissions from the 10-Q statements. The panel held that the
`complaint was required to plausibly allege, with the
`particularity required by the Private Securities Litigation
`Reform Act, that the maker of the statements knew about the
`security vulnerabilities and intentionally or recklessly did not
`disclose them. The panel concluded that the complaint’s
`specific allegations, taken as a whole, raised a strong
`inference that defendant Lawrence Page, and therefore
`Alphabet, knew about the Three-Year Bug, the Privacy Bug,
`and a Privacy Bug Memo, and that Alphabet intentionally did
`not disclose this information in its 10-Q statements.
`
`The panel further held that Rhode Island adequately
`alleged falsity, materiality, and scienter for the 10-Q
`statements. The panel therefore reversed the district court’s
`holdings to the contrary. The panel also reversed the district
`court’s dismissal of the complaint’s § 20(a) control-person
`claims based on the 10-Q statements.
`
`As to ten additional statements identified in the
`complaint, the panel concluded that the complaint did not
`plausibly allege that these remaining statements were
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 4 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`isleading material misrepresentations. The panel therefore
`affirmed the district court’s dismissal of claims based on
`these statements.
`
`4 m
`
`Rhode Island argued on appeal that the district court erred
`in dismissing its “scheme liability claim” under Rule 10b-5(a)
`and (c) when it dismissed the complaint in its entirety without
`addressing those claims. The panel held that because
`Alphabet’s motion to dismiss did not target Rhode Island’s
`Rule 10b-5(a) and (c) claims, Rhode Island did not waive
`those claims by failing to address them in opposition to the
`motion to dismiss. Reversing, the panel held that the district
`court erred in sua sponte dismissing the Rule 10b-5(a) and (c)
`claims when Alphabet had not targeted them in its motion to
`dismiss.
`
`COUNSEL
`
`Jason A. Forge (argued), Michael Albert, J. Marco Janoski
`Gray, and Ting H. Liu, Robbins Geller Rudman & Dowd
`LLP, San Diego, California, for Plaintiff-Appellant.
`
`Ignacio E. Salceda (argued), Benjamin M. Crosson, Cheryl
`W. Foung, Stephen B. Strain, and Emily Peterson, Wilson
`Sonsini Goodrich & Rosati, Palo Alto, California; Gideon A.
`Schor, Wilson Sonsini Goodrich & Rosati, New York, New
`York; for Defendants-Appellees.
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 5 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`5
`
`OPINION
`
`IKUTA, Circuit Judge:
`
`In March 2018, amid the furor caused by news that
`Cambridge Analytica improperly harvested user data from
`Facebook’s social network, Google discovered that a security
`glitch in its Google+ social network had left the private data
`of some hundreds of thousands of users (according to
`Google’s estimate) exposed to third-party developers for
`three years and that Google+ was plagued by multiple other
`security vulnerabilities. Warned by its legal and policy staff
`that disclosure of these issues would result in immediate
`regulatory and governmental scrutiny, Google and its holding
`company, Alphabet, chose to conceal this discovery, made
`generic statements about how cybersecurity risks could affect
`their business, and stated that there had been no material
`changes to Alphabet’s risk factors since 2017. This appeal
`raises the question whether, for purposes of a private
`securities fraud action, the complaint adequately alleged that
`Google, Alphabet, and individual defendants made materially
`misleading statements by omitting to disclose these security
`problems and that the defendants did so with sufficient
`scienter, meaning with an intent to deceive, manipulate, or
`defraud.
`
`I A
`
`At the motion to dismiss stage, we start with the facts
`plausibly alleged in the complaint, documents incorporated
`into the complaint by reference, and matters of which a court
`may take judicial notice. See Ashcroft v. Iqbal, 556 U.S. 662,
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 6 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`6 6
`
`78–79 (2009); Tellabs, Inc. v. Makor Issues & Rts., Ltd., 551
`U.S. 308, 322 (2007). The story begins in the 1990s when
`Lawrence Page and Sergey Brin, then students at Stanford
`University, developed Google, a web-based search engine.
`Over the next two decades, Google rapidly expanded beyond
`its search engine services into a range of other internet-related
`services and products, including advertising technology,
`cloud computing, and hardware.
`
`Since its initial public offering prospectus in 2004 and
`throughout Google’s continued rise, Google and
`its
`executives publicly recognized the importance of user privacy
`and user trust to Google’s business. Google executives
`expressed their understanding that Google’s “success is
`largely dependent on maintaining consumers’ trust” so that
`“users will continue to entrust Google with their private data,
`which Google can then monetize.” As one media outlet put
`it, “Google has a strong incentive to position itself as a
`trustworthy guardian of personal information because, like
`Facebook, its financial success hinges on its success to learn
`about the interests, habits and location[s] of its users in order
`to sell targeted ads.” Google and its executives repeatedly
`emphasized that maintaining users’ trust is essential and that
`a significant security failure “would be devastating.”
`Google’s public emphasis on user trust and user privacy
`remained central to its business when, in 2011, Google
`launched Google+ “in an attempt to make a social media
`network to rival that of Facebook and Twitter, and to join all
`users of Google services (i.e., Search, Gmail, YouTube,
`Maps) into a single online identity.”
`
`In October 2015, Google restructured itself from Google,
`Inc. into Google LLC and created Alphabet, Inc. as its parent
`company, which is “essentially a holding company” whose
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 7 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`7
`
`“lifeblood is Google.” Page, who had been the CEO of
`Google, became the CEO of Alphabet. Sundar Pichai, a
`longtime Google senior executive, replaced Page as the CEO
`of Google. Page and Pichai both sat on Alphabet’s Board of
`Directors and served on the board’s three-person Executive
`Committee. Pichai directly reported to Page and maintained
`regular contact with him; Pichai was also directly accountable
`to Page. Pichai also participated in Alphabet’s public
`earnings calls. Page received weekly reports of Google’s
`operating results and continued to make “key operating
`decisions” at Google.
`
`Google’s corporate restructuring did not change the
`central importance of privacy and security. Google and
`Alphabet consistently indicated that Google’s foremost
`competitive advantage against other companies was its
`sophistication in security. Thus, according to Alphabet’s
`Chief Financial Officer in February 2018, security is “clearly
`what we’ve built Google on.”
`
`While highlighting expertise in security and data privacy,
`Google and Alphabet also acknowledged the substantial
`impact that a cybersecurity failure would have on their
`business. According to Alphabet’s 2017 Annual Report on
`Form 10-K filed with the Securities and Exchange
`Commission (SEC), “[c]oncerns about our practices with
`regard to the collection, use, disclosure, or security of
`personal information or other privacy related matters, even if
`unfounded, could damage our reputation and adversely affect
`our operating results.” Alphabet warned that “[i]f our
`security measures are breached resulting in the improper use
`and disclosure of user data” then Alphabet’s “products and
`services may be perceived as not being secure, users and
`customers may curtail or stop using our products and
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 8 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`ervices, and we may incur significant legal and financial
`exposure.” As Pichai explained in January 2018, “users use
`Google because they trust us and it is something easy to lose
`if you are not good stewards of it. So we work hard to earn
`the trust every day.”
`
`8 s
`
`B
`
`“By the spring of 2018, the trustworthiness of technology
`and those who control it were under unprecedented scrutiny.”
`According to the complaint, a trigger for this scrutiny was the
`publication of reports that a research firm, Cambridge
`Analytica, “improperly harvested data from Facebook users’
`profiles” to be used for political advertising. The immediate
`effects of this reporting were “devastating to Facebook and its
`investors,” including a 13% decline in Facebook’s stock
`price, which amounted to a loss of approximately $75 billion
`of market capitalization.
`
`This scandal quickly led to congressional hearings into
`Facebook’s leak of user information to a third-party data
`collector. Facebook was not the only target of scrutiny, as the
`Senate Judiciary Committee, chaired by Senator Grassley,
`requested that Google and Twitter testify at these hearings
`about their data privacy and security practices. In a letter to
`Pichai, Senator Grassley outlined
`the committee’s
`“significant concerns regarding the data security practices of
`large social media platforms and their interactions with third
`party developers and other commercial[] users of such data.”
`According to Senator Grassley, Pichai declined to testify after
`“asserting that the problems surrounding Facebook and
`Cambridge Analytica did not involve Google.”
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 9 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`9
`
`At around the same time, in May 2018, the European
`Union implemented the General Data Protection Regulation
`(GDPR), a new framework for regulating data privacy
`protections in all member states. Among other things, the
`GDPR required prompt disclosure of personal data breaches,
`not later than 72 hours after learning of the breach. On its
`website, Google reaffirmed its commitment to complying
`with the GDPR across all its services and reaffirmed
`Google’s aim “always to keep data private and safe.”
`
`C
`
`While external scrutiny of data privacy and security grew
`in March and April 2018, internal Google investigators had
`discovered a software glitch in the Google+ social network
`that had existed since 2015 (referred to in the complaint as
`the “Three-Year Bug”). Because of a bug in an application
`programming interface for Google+, third-party developers
`could collect certain users’ profile data even if those users
`had relied on Google’s privacy settings to designate such data
`as nonpublic. The exposed private profile data included
`email addresses, birth dates, gender, profile photos, places
`lived, occupations, and relationship status.
`
`Not only did Google’s security protocols fail to detect the
`problem for three years, but Google also had a limited set of
`activity logs that could review only the two most recent
`weeks of user data access. Due to this record-keeping
`limitation, Google “had no way of determining how many
`third-parties had misused its users’ personal private data.”
`And Google “could only estimate that it exposed to third-
`parties the personal private data of hundreds of thousands of
`users” based on “less than 2% of the Three-Year Bug’s
`lifespan.” Despite the efforts of “over 100 of Google’s best
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 10 of 38
`
`10
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`and brightest,” Google “could not confirm the damage from
`[the bug] or determine the number of other bugs.” At the
`same time, this investigation into the Three-Year Bug
`detected other shortcomings in Google’s security systems,
`including “previously unknown, or unappreciated, security
`vulnerabilities that made additional data exposures virtually
`inevitable.” The complaint refers collectively to the Three-
`Year Bug and these additional vulnerabilities as the “Privacy
`Bug.”
`
`Around April 2018, Google’s legal and policy staff
`prepared a memo detailing the Three-Year Bug and the
`additional vulnerabilities (referred to in the complaint as the
`“Privacy Bug Memo”). According to the complaint, the
`Privacy Bug Memo warned that the disclosure of these
`security issues “would likely trigger ‘immediate regulatory
`interest’ and result in defendants ‘coming into the spotlight
`alongside or even instead of Facebook despite having stayed
`under the radar throughout the Cambridge Analytica
`scandal.’” The memo warned that “disclosure ‘almost
`guarantees Sundar [Pichai] will testify before Congress.’”
`
`According to the complaint, Pichai and other senior
`Google executives received and read the memo in early April
`2018. The complaint alleges that key officers and directors,
`including Page and Pichai, chose a strategy of nondisclosure.
`Pichai approved a plan to conceal the existence of the Three-
`Year Bug and other security vulnerabilities described in the
`Privacy Bug Memo “to avoid any additional regulatory
`scrutiny, including having to testify before Congress.”
`Further, despite Google+ having 395 million monthly active
`users, more than either Twitter or Snapchat, Pichai and Page
`approved a plan to shut down the Google+ consumer
`platform.
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 11 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`11
`
`D
`
`Despite the information in the Privacy Bug Memo,
`Alphabet and Google continued to give the public the same
`assurances about security and privacy as before. In
`particular, on April 23, 2018, Alphabet filed its quarterly
`report on Form 10-Q for the period ending March 31, 2018.
`The 10-Q incorporated the risk disclosures from Alphabet’s
`2017 10-K and made no disclosure about the Privacy Bug. It
`stated:
`
`Our operations and financial results are
`subject to various risks and uncertainties,
`including those described in Part I, Item 1A,
`“Risk Factors” in our Annual Report on Form
`10-K for the year ended December 31, 2017,
`which could adversely affect our business,
`financial condition, results of operations, cash
`flows, and the trading price of our common
`and capital stock. There have been no
`material changes to our risk factors since our
`Annual Report on Form 10-K for the year
`ended December 31, 2017.
`
`(emphasis added). Nor did Alphabet make any disclosure
`during an earnings call on the same day. Months later, in July
`2018, Alphabet filed its Form 10-Q for the period ending
`June 30, 2018. This filing included a risk disclosure
`substantially identical to the one in the April 2018 filing; it
`likewise incorporated the 2017 Form 10-K risk factors and
`affirmed that no material changes occurred. Nor did
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 12 of 38
`
`12
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`Alphabet make any disclosure of the problems during its July
`2018 earnings call.1
`
`The complaint identifies statements made by Alphabet,
`Google, and their employees between April and October 2018
`that continued to reference user security and data privacy
`while making the same omission regarding any Google+
`problems. According to the complaint, Alphabet thought that
`this “decision to buy time” would reduce the detrimental
`effects of eventual disclosure by avoiding disclosure at a time
`when Facebook was facing regulatory scrutiny, public
`criticism, and loss of consumer confidence as a result of the
`Cambridge Analytica scandal.
`
`E
`
`Six months after this decision to buy time, the Wall Street
`Journal exposed Google’s discovery of Google+’s security
`vulnerabilities and
`its decision
`to conceal
`those
`vulnerabilities. In October 2018, the Wall Street Journal
`published a lengthy story on the events surrounding the
`Privacy Bug Memo. See Douglas MacMillan & Robert
`McMillan, Google Exposed User Data, Feared
`Repercussions of Disclosing to Public, Wall Street J. (Oct. 8,
`2018). The story reported that “Google exposed the private
`data of hundreds of thousands of users of the Google+ social
`network and then opted not to disclose the issue this past
`spring, in part because of fears that doing so would draw
`regulatory scrutiny and cause reputational damage.” It
`
`1 The complaint alleges that Page signed the 10-Qs and signed
`certifications, under SEC rules promulgated after the Sarbanes-Oxley Act,
`that vouched for the accuracy of the 10-Qs and the adequacy of controls
`for identifying cybersecurity risks.
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 13 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`13
`
`walked the reader through the discovery of the privacy bug,
`explained how Google made “concerted efforts to avoid
`public scrutiny of how it handles user information,
`particularly at a time when regulators and consumer privacy
`groups are leading a charge to hold tech giants accountable
`for the vast power they wield over the personal data of
`billions of people,” and reported that Pichai had been briefed
`on the plan not to notify users.
`
`The day the news broke, Google published a blog post
`acknowledging the “significant challenges” regarding data
`security identified in the Wall Street Journal article. It finally
`admitted to exposing the private data of hundreds of
`thousands of users and announced it was shutting down the
`Google+ social network for consumers.
`
`Condemnation from lawmakers soon followed. Two days
`after the Wall Street Journal article, Democratic senators
`wrote to demand an investigation by the Federal Trade
`Commission. This letter noted that, due to the limitations of
`Google’s internal logs, “we may never know the full extent
`of the damage caused by the failure to provide adequate
`controls and protection to users.” The letter likewise noted
`that the “awareness and approval by Google management to
`not disclose represents a culture of concealment and opacity
`set from the top of the company.” Republican senators also
`wrote a letter to Pichai that questioned Google’s decision “to
`withhold information about a relevant vulnerability for fear
`of public scrutiny” at the same time that Facebook was being
`questioned regarding the Cambridge Analytica scandal. In a
`second letter to Pichai, Senator Grassley complained that
`Google had assured him in April 2018 that it maintained
`robust protection for user data, despite Pichai’s awareness
`that Google+ “had an almost identical feature to Facebook,
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 14 of 38
`
`14
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`which allowed third party developers to access information
`from users.”
`
`Markets reacted to the news. Alphabet’s publicly traded
`share price fell after the Wall Street Journal article.
`According to the complaint, Alphabet’s share price fell
`$11.91 on October 8, $10.75 on October 9, and $53.01 on
`October 10. Financial news reports called Google’s decision
`not to disclose the security breach a “cover-up” and predicted
`forthcoming regulatory scrutiny.
`
`Just weeks later, in December 2018, Google disclosed the
`discovery of another Google+ bug that had exposed user data
`from 52.5 million accounts. Google also announced it was
`accelerating the shutdown of the consumer Google+ platform
`to occur four months earlier than planned.
`
`F
`
`Three days after the Wall Street Journal article, Rhode
`Island filed a securities fraud action, as did other plaintiffs.2
`After the cases were consolidated, Rhode Island was
`designated the lead plaintiff. It filed a consolidated amended
`complaint in April 2019, which now serves as the operative
`complaint. The complaint names Alphabet, Google, Page,
`Pichai, and two other Google senior executives as defendants
`(we refer to the defendants collectively as Alphabet, where
`
`2 Rhode Island refers to the State of Rhode Island, Office of the
`Rhode Island Treasurer on behalf of the Employees’ Retirement System
`of Rhode Island.
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 15 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`15
`
`appropriate, and otherwise by name).3 The complaint alleges
`primary violations of Section 10(b) of the Securities
`Exchange Act of 1934, 15 U.S.C. § 78j(b), and SEC Rule
`10b-5, 17 C.F.R. § 240.10b-5, for securities fraud, as well as
`violations of Section 20(a) of the Exchange Act, 15 U.S.C.
`§ 78t(a), which imposes joint and several liability on persons
`in control of “any person liable under any provision” of
`securities law.
`
`Alphabet moved to dismiss the complaint for failure to
`state a claim. The district court granted the motion after
`determining that the complaint failed to allege any material
`misrepresentation or omission and failed to allege scienter
`sufficiently. Further, the court held that because the
`Section 10(b) claim failed, the Section 20(a) claim for
`controlling-person liability “necessarily fails.”
`
`Although the district court granted leave to amend, Rhode
`Island notified the district court that it did not intend to
`amend, and the district court entered judgment. Rhode Island
`now appeals from that final judgment.
`
`II
`
`We have jurisdiction under 28 U.S.C. § 1291. We review
`the district court’s dismissal of Rhode Island’s complaint for
`failure to state a claim de novo. In re NVIDIA Corp. Sec.
`
`3 The other two individual defendants are Keith P. Enright, who
`served as Google’s Legal Director of Privacy from 2016 until September
`2018 when he became Google’s Chief Privacy Officer, and John Kent
`Walker, Jr., who served as Google’s Vice President and General Counsel
`from 2016 through August 2018 before becoming Senior Vice President
`for Global Affairs.
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 16 of 38
`
`16
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`Litig., 768 F.3d 1046, 1051 (9th Cir. 2014). “To survive a
`motion to dismiss, a complaint must contain sufficient factual
`matter, accepted as true, to ‘state a claim to relief that is
`plausible on its face.’” Iqbal, 556 U.S. at 678 (quoting Bell
`Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). “When
`there are well-pleaded factual allegations, a court should
`assume their veracity and then determine whether they
`plausibly give rise to an entitlement to relief.” Id. at 679. As
`the Supreme Court has explained, “[d]etermining whether a
`complaint states a plausible claim for relief” is “a
`context-specific task that requires the reviewing court to draw
`on its judicial experience and common sense.” Id. In the
`process, we may “disregard ‘[t]hreadbare recitals of the
`elements of a cause of action, supported by mere conclusory
`statements.’” Telesaurus VPC, LLC v. Power, 623 F.3d 998,
`1003 (9th Cir. 2010) (quoting Iqbal, 556 U.S. at 678).
`
`A complaint is plausible on its face “when the plaintiff
`pleads factual content that allows the court to draw the
`reasonable inference that the defendant is liable for the
`misconduct alleged.” Iqbal, 556 U.S. at 678. The
`misconduct alleged here includes claims under two statutory
`sections: primary liability under Section 10(b) of the
`Exchange Act and controlling-person
`liability under
`Section 20(a) of the Exchange Act.
`
`Section 10(b) of the Exchange Act prohibits using or
`employing, “in connection with the purchase or sale of any
`security . . . [,] any manipulative or deceptive device or
`contrivance in contravention of such rules and regulations as
`the [SEC] may prescribe as necessary or appropriate in the
`public interest or for the protection of investors.” 15 U.S.C.
`§ 78j(b). To implement Section 10(b), the SEC prescribed
`Rule 10b-5, which makes it unlawful
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 17 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`17
`
`(a) To employ any device, scheme, or artifice
`to defraud,
`
`(b) To make any untrue statement of a
`material fact or to omit to state a material fact
`necessary in order to make the statements
`made, in the light of the circumstances under
`which they were made, not misleading, or
`
`(c) To engage in any act, practice, or course of
`business which operates or would operate as
`a fraud or deceit upon any person, in
`connection with the purchase or sale of any
`security.
`
`17 C.F.R. § 240.10b-5.
`
`The Supreme Court has interpreted Section 10(b) and
`Rule 10b-5 as providing an implied private cause of action.
`Stoneridge Inv. Partners, LLC v. Scientific-Atlanta, 552 U.S.
`148, 157 (2008). “In a typical § 10(b) private action” based
`on material misrepresentations or omissions, a plaintiff must
`prove “(1) a material misrepresentation or omission by the
`defendant; (2) scienter; (3) a connection between the
`misrepresentation or omission and the purchase or sale of a
`security; (4) reliance upon the misrepresentation or omission;
`(5) economic loss; and (6) loss causation.” Id.
`
`Under Section 10(b) and Rule 10b-5(b), “the maker of a
`statement is the person or entity with ultimate authority over
`the statement, including its content and whether and how to
`communicate it.” Janus Cap. Grp., Inc. v. First Derivative
`Traders, 564 U.S. 135, 142 (2011). Persons “who do not
`‘make’ statements (as Janus defined ‘make’), but who
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 18 of 38
`
`18
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`disseminate false or misleading statements to potential
`investors with the intent to defraud, can be found to have
`violated the other parts of Rule 10b-5, subsections (a) and (c),
`as well as related provisions of the securities laws” including
`Section 10(b). Lorenzo v. SEC, 139 S. Ct. 1094, 1099,
`1100–03 (2019).
`
`The first two elements of a typical Section 10(b) and Rule
`10b-5(b) claim are at issue here. The first element is that a
`defendant omitted “to state a material fact necessary in order
`to make the statements made . . . not misleading,” 17 C.F.R.
`§ 240.10b-5(b). To meet this requirement, the plaintiff must
`prove both that the omission is misleading and that it is
`material. Id.
`
`We apply the objective standard of a “reasonable
`investor” to determine whether a statement is misleading.
`See In re VeriFone Sec. Litig., 11 F.3d 865, 869 (9th Cir.
`1993). Section 10(b) and Rule 10b-5(b) “do not create an
`affirmative duty to disclose any and all material information”
`and instead require disclosure “only when necessary ‘to make
`. . . statements made, in light of the circumstances under
`which they were made, not misleading.’” Matrixx Initiatives,
`Inc. v. Siracusano, 563 U.S. 27, 44 (2011) (quoting 17 C.F.R.
`§ 240.10b-5(b)).
`
`A misleading omission is material if “there is ‘a
`substantial likelihood that [it] would have been viewed by the
`reasonable investor as having significantly altered the “total
`mix” of information made available’ for the purpose of
`decisionmaking by stockholders concerning
`their
`investments.” Retail Wholesale & Dep’t Store Union Loc.
`338 Ret. Fund v. Hewlett-Packard Co., 845 F.3d 1268, 1274
`(9th Cir. 2017) (quoting Basic Inc. v. Levinson, 485 U.S. 224,
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 19 of 38
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`19
`
`231–32 (1988)). The inquiry into materiality is “fact-
`specific,” Matrixx Initiatives, 563 U.S. at 43 (quoting Basic,
`485 U.S. at 236), and “requires delicate assessments of the
`inferences a ‘reasonable shareholder’ would draw from a
`given set of facts and the significance of those inferences to
`him,” Fecht v. Price Co., 70 F.3d 1078, 1080 (9th Cir. 1995)
`(quoting TSC Indus., Inc. v. Northway, Inc., 426 U.S. 438,
`450 (1976)). “[T]hese assessments are peculiarly ones for the
`trier of fact.” Id. (quoting TSC Indus., 426 U.S. at 450). As
`a result, resolving materiality as a matter of law is generally
`appropriate “only if the adequacy of the disclosure or the
`materiality of the statement is so obvious that reasonable
`minds could not differ.” Id. at 1081 (cleaned up); see Khoja
`v. Orexigen Therapeutics, Inc., 899 F.3d 988, 1014 (9th Cir.
`2018) (same).
`
`to
`relating
`In evaluating whether an omission
`cybersecurity is materially misleading, we may consider the
`SEC’s interpretive guidance regarding the adequacy of
`cybersecurity-related disclosures. See Commission Statement
`and Guidance on Public Company Cybersecurity Disclosures,
`Securities Act Release No. 33-10459, Exchange Act Release
`No. 34-82746, 83 Fed. Reg. 8166-01, 8167 (Feb. 26, 2018)
`(“Cybersecurity Disclosures”). Regardless of the degree of
`deference such interpretive guidance may merit, see Kisor v.
`Wilkie, 139 S. Ct. 2400, 2414–18 (2019), an SEC interpretive
`release can “shed further light” on regulatory disclosure
`requirements, NVIDIA, 768 F.3d at 1055.
` Agency
`interpretations, like the SEC interpretive release here, can
`provide “the judgments about the way the real world works”
`that “are precisely the kind that agencies are better equipped
`to make than are courts.” See Pension Benefit Guar. Corp. v.
`LTV Corp., 496 U.S. 633, 651 (1990); see also Kisor, 139 S.
`Ct. at 2413 (“[W]hen new issues demanding new policy calls
`
`
`
`Case: 20-15638, 06/16/2021, ID: 12145545, DktEntry: 42-1, Page 20 of 38
`
`20
`
`IN RE ALPHABET, INC. SECURITIES LITIGATION
`
`come up within that [statutory] scheme, Congress presumably
`wants the same agency, rather than any court, to take the
`laboring oar.”).
`
` “transparently aspirational”
`that
`We have held
`statements, Hewlett-Packard, 845 F.3d at 1278, as well as
`statements of “mere corporate puffery, vague statements of
`optimism like ‘good,’ ‘well-regarded,’ or other feel good
`monikers,” are generally not actionable as a matter of law,
`because “professional investors, and most amateur investors
`as well, know how to devalue the optimism of corporate
`executives,