Case: 20-15638, 06/30/2021, ID: 12159672, DktEntry: 45, Page 1 of 65
`
`No. 20-15638
`
`
`UNITED STATES COURT OF APPEALS
`FOR THE NINTH CIRCUIT
`
`
`
`
`
`
`
`
`
`
`
`In re ALPHABET INC. SECURITIES LITIGATION
`STATE OF RHODE ISLAND, Office of the Rhode Island Treasurer on
`behalf of the Employees’ Retirement System of Rhode Island; Lead Plaintiff,
`Individually and On Behalf of All Others Similarly Situated,
`Plaintiff – Appellant,
`
`v.
`ALPHABET INC., LAWRENCE E. PAGE, SUNDAR PICHAI, RUTH M.
`PORAT, GOOGLE LLC, KEITH P. ENRIGHT and JOHN KENT WALKER, JR.,
`
`Defendants – Appellees.
`
`
`
`
`
`
`
`
`On Appeal from the United States District Court,
`Northern District of California, No. 4:18-cv-06245-JSW,
`The Honorable Jeffrey S. White
`
`
`
`DEFENDANTS-APPELLEES’
`PETITION FOR REHEARING OR REHEARING EN BANC
`
`
`IGNACIO E. SALCEDA
`BENJAMIN M. CROSSON
`BETTY CHANG ROWE
`STEPHEN B. STRAIN
`EMILY A. PETERSON
`WILSON SONSINI GOODRICH &
`ROSATI
`Professional Corporation
`650 Page Mill Road
`Palo Alto, CA 94304-1050
`Telephone: (650) 493-9300
`Facsimile:
`(650) 565-5100
`Email:
`isalceda@wsgr.com
`Attorneys for Defendants-Appellees
`
`GIDEON A. SCHOR
`WILSON SONSINI GOODRICH &
`ROSATI
`Professional Corporation
`1301 Avenue of the Americas
`40th Floor
`New York, NY 10019-6022
`Telephone: (212) 999-5800
`Facsimile:
`(212) 999-5899
`Email:
`gschor@wsgr.com
`
`
`
`
`
`

`

`Case: 20-15638, 06/30/2021, ID: 12159672, DktEntry: 45, Page 2 of 65
`
`
`
`CORPORATE DISCLOSURE STATEMENT
`
`
`Pursuant to Federal Rule of Appellate Procedure 26.1, Defendant-Appellees
`
`Alphabet Inc. (“Alphabet”) and Google LLC (“Google”) certify as follows:
`
`Google is a subsidiary of XXVI Holdings Inc., which is a subsidiary of
`
`Alphabet. Alphabet has no parent corporation, and no publicly held corporation
`
`owns 10% or more of Alphabet’s stock.
`
`
`
`-i-
`
`

`

`Case: 20-15638, 06/30/2021, ID: 12159672, DktEntry: 45, Page 3 of 65
`
`TABLE OF CONTENTS
`
`B.
`
`Page
`INTRODUCTION AND RULE 35 STATEMENT .................................................. 1
`BACKGROUND ....................................................................................................... 3
`REASONS FOR GRANTING THE PETITION ....................................................... 4
`I.
`The Panel’s Expansive Materialization-of-Risk Approach
`Conflicts with Supreme Court and Ninth Circuit Precedent. ................ 6
`A.
`The Panel’s Decision Eviscerates Section 10(b)’s
`Requirement That a Statement Must Be False at the Time
`It Was Made. ............................................................................... 7
`By Erroneously Conflating Materiality with Falsity, the
`Panel’s Decision Manufactures a Novel Duty to Disclose
`Based on “Trust” That Is Inconsistent with Supreme
`Court and This Circuit’s Precedents. ........................................ 10
`The Panel’s Decision Is Inconsistent with Ninth and
`Sixth Circuit Precedent. ............................................................ 14
`This Case Raises Questions of “Exceptional Importance.” ................ 17
`II.
`CONCLUSION ........................................................................................................ 18
`CERTIFICATE OF COMPLIANCE
`
`ADDENDUM
`
`CERTIFICATE OF SERVICE
`
`
`C.
`
`
`
`-ii-
`
`

`

`Case: 20-15638, 06/30/2021, ID: 12159672, DktEntry: 45, Page 4 of 65
`
`TABLE OF AUTHORITIES
`CASES
`
`Basic Inc. v. Levinson,
`485 U.S. 224 (1988)........................................................................... 11, 12, 18
`
`Berson v. Applied Signal Tech., Inc.,
`527 F.3d 982 (9th Cir. 2008) ................................................................. 7, 8, 13
`
`Bondali v. Yum! Brands, Inc.,
`620 F. App’x 483 (6th Cir. 2015) ...........................................................passim
`
`Brody v. Transitional Hosp. Corp.,
`280 F.3d 997 (9th Cir. 2002) ......................................................................... 12
`
`Dice v. ChannelAdvisor Corp.,
`671 F. App’x 111 (4th Cir. 2016) .................................................................. 16
`
`Howard v. Arconic Inc.,
`395 F. Supp. 3d 516 (W.D. Pa. 2019) ........................................................... 16
`
`In re ChannelAdvisor Corp. Sec. Litig.,
`No. 15-CV-000307-F, 2016 WL 1381772
`
`
`(E.D.N.C. Apr. 6, 2016) ................................................................................ 15
`In re LeapFrog Enters., Inc. Sec. Litig.,
`527 F. Supp. 2d 1033 (N.D. Cal. 2007) ................................................... 17, 18
`
`In re Marriott Int’l, Inc. Customer Data Security Breach Litig. Sec. Actions,
`No. 19-MD-2879, 2021 WL 2407518
`(D. Md. June 11, 2021) .................................................................................. 16
`
`In re NVIDIA Corp. Sec. Litig.,
`768 F.3d 1046 (9th Cir. 2014) ....................................................................... 18
`
`In re Rigel Pharm., Inc. Sec. Litig.,
`697 F.3d 869 (9th Cir. 2012) ........................................................... 5, 7, 11, 12
`
`In re Silicon Graphics Inc. Sec. Litig.,
`183 F.3d 970 (9th Cir. 1999), abrogated on other grounds, S.
`
`Ferry LP, No. 2 v. Killinger, 542 F.3d 779 (9th Cir. 2008) .......................... 10
`In re Volkswagen “Clean Diesel” Marketing, Sales Practices, and Prod.
`Liab. Litig., 480 F. Supp. 3d 1050 (N.D. Cal. 2020) ..................................... 16
`Khoja v. Orexigen Therapeutics, Inc.,
`899 F.3d 988 (9th Cir. 2018) ........................................................................... 8
`
`Lloyd v. CVB Fin. Corp.,
`811 F.3d 1200 (9th Cir. 2016) ................................................................passim
`
`-iii-
`
`
`
`

`

`Case: 20-15638, 06/30/2021, ID: 12159672, DktEntry: 45, Page 5 of 65
`
`
`
`Matrixx Initiatives, Inc. v. Siracusano,
`563 U.S. 27 (2011)..................................................................................passim
`
`Metzler Inv. GMBH v. Corinthian Colleges, Inc.,
`540 F.3d 1049 (9th Cir. 2008) ....................................................................... 10
`
`Ronconi v. Larkin,
`253 F.3d 423 (9th Cir. 2001) ............................................................. 2, 5, 7, 18
`
`Siracusano v. Matrixx Initiatives, Inc.,
`585 F.3d 1167 (9th Cir. 2009),
`
`
`aff’d, 563 U.S. 27 (2011) ................................................................................. 8
`Tellabs, Inc. v. Makor Issues & Rights, Ltd.,
`551 U.S. 308 (2007)....................................................................................... 10
`
`TSC Indus., Inc. v. Northway, Inc.,
`426 U.S. 438 (1976)............................................................................... 6, 8, 18
`
`Wochos v. Tesla, Inc.,
`985 F.3d 1180 (9th Cir. 2021) ............................................................. 2, 12, 13
`
`
`STATUTES
`15 U.S.C. § 78j(b) .............................................................................................passim
`
`RULES
`Fed. R. App. P. 35(a) ............................................................................................. 5, 6
`
`
`-iv-
`
`

`

`Case: 20-15638, 06/30/2021, ID: 12159672, DktEntry: 45, Page 6 of 65
`
`INTRODUCTION AND RULE 35 STATEMENT
`
`The panel’s decision raises critical and recurring issues concerning the
`
`fundamental disclosure obligations that public companies face when they
`
`identify—and fix—internal problems with their products. Under the panel’s
`
`holding, if a company’s “business model is based on trust,” it must disclose
`
`historical problems that have already been remediated, even in the absence of
`
`related false or misleading statements. That ruling conflicts with Supreme Court
`
`and Circuit precedent and has implications for every publicly traded company.
`
`The case arises from allegations that Alphabet’s risk disclosures in SEC
`
`Form 10-Qs were misleading for failing to mention a software bug in Alphabet’s
`
`Google+ social network (the “Bug”) that had been addressed and corrected prior to
`
`the disclosures. The district court dismissed the complaint, explaining that the Bug
`
`had been remediated before the statements were ever made, and that the relevant
`
`Form 10-Qs contained no affirmative statements touting security measures or
`
`claiming that Google+ or Alphabet had not already experienced software bugs.
`
`But the panel reversed, announcing that the failure to mention the already-cured
`
`bug—even if untethered to any challenged statement—could support liability.
`
`Why? Because “Google’s business model is based on trust.” Op. 27, ECF No. 42-
`
`1.
`
`
`
`-1-
`
`

`

`Case: 20-15638, 06/30/2021, ID: 12159672, DktEntry: 45, Page 7 of 65
`
`
`
`
`
`That decision conflicts with the decisions of the Supreme Court, this Court,
`
`and other circuits, as it:
`
`● Disregards the well-established “contemporaneous” requirement of Section
`10(b), which requires that a statement or omission must be false at the time
`it was made. E.g., Ronconi v. Larkin, 253 F.3d 423, 432 (9th Cir. 2001).
`● Disregards the fundamental principle that there is no “affirmative duty to
`disclose any and all material information.” Matrixx Initiatives, Inc. v.
`Siracusano, 563 U.S. 27, 44-45 (2011).
`● Mints a novel duty to disclose prior, remediated concerns solely because the
`company’s business is “based on trust.”
`● Conflicts with recent Circuit precedent that rejected the materialization of
`risk argument where the risk disclosure contained no representation that the
`company had not already experienced the risks. Wochos v. Tesla, Inc., 985
`F.3d 1180, 1196 (9th Cir. 2021).
`● Conflicts with Ninth and Sixth Circuit holdings that prospective risk
`disclosures do not mislead about a company’s current state of affairs. Lloyd
`v. CVB Fin. Corp., 811 F.3d 1200, 1207 (9th Cir. 2016); Bondali v. Yum!
`Brands, Inc., 620 F. App’x 483, 490 (6th Cir. 2015) (unpublished).
`Both doctrinally and practically, these issues are critically important to how
`
`every public company evaluates its disclosure obligations. By eviscerating the
`
`“contemporaneous” requirement and manufacturing a novel duty to disclose past
`
`issues, the panel’s decision puts at risk every public company that does not
`
`disclose a past remediated problem, regardless of whether it is tied to any actual
`
`alleged false statement, simply because its business is “based on trust.” Most
`
`businesses are based on trust, from accountants to pharmaceuticals and everything
`
`in between. The securities laws have never been read this way.
`
`-2-
`
`

`

`Case: 20-15638, 06/30/2021, ID: 12159672, DktEntry: 45, Page 8 of 65
`
`
`
`The full Court should intervene.
`
`BACKGROUND
`
`This case involves a software bug (the “Bug”) in Google+, a social
`
`network. As a result of the Bug, Google+ app developers may have been able to
`
`see certain additional, non-sensitive profile fields that users voluntarily shared with
`
`an app user but that were not shared publicly. SER25-27; SER34. The Complaint
`
`alleges no actual harm to users, no misuse of user data, and no material harm to
`
`Alphabet’s business.
`
`In March 2018, Google discovered the bug and promptly fixed it – before
`
`the challenged Form 10-Q statements were issued. Nonetheless, the Complaint
`
`alleges that Alphabet’s April and July 2018 Form 10-Qs, which incorporated risk
`
`factors from Alphabet’s 2017 Form 10-K, were misleading for failure to disclose
`
`the fully-remediated Bug.
`
`The district court dismissed the Complaint on both falsity and scienter
`
`grounds, holding “[t]here is no support for the position that a remediated
`
`technological problem which is no longer extant must be disclosed in the
`
`company’s future-looking disclosures.” ER15. The district court also concluded
`
`that the exposed data did “not [include] inherently sensitive information” and that
`
`Plaintiff failed to allege that the Bug affected Alphabet’s earnings or was material
`
`-3-
`
`

`

`Case: 20-15638, 06/30/2021, ID: 12159672, DktEntry: 45, Page 9 of 65
`
`
`
`to Alphabet’s business. ER16. The court further held that Plaintiff failed to allege
`
`falsity as to other challenged statements. Id.
`
`The panel reversed on both falsity and scienter grounds as to the Form 10-Q
`
`risk disclosures, reasoning that the Complaint plausibly alleged that the omission
`
`of the Bug (or other unspecified “security vulnerabilities”) made those statements
`
`materially misleading (Op. 24) because Alphabet “knew that those risks had
`
`materialized.” Id. at 27; see id. at 24. The panel failed to engage with the
`
`undisputed fact that the Bug had been remediated before the Form 10-Q statements
`
`were made, and that Alphabet had not otherwise made affirmative statements on
`
`those issues. In so finding, the panel skipped over the threshold questions of
`
`falsity, or whether Alphabet otherwise had a duty to disclose the Bug, focusing
`
`exclusively on the supposed materiality of the Bug and “other security
`
`vulnerabilities.” See id. at 18-20, 23-29. According to the panel, “[g]iven that
`
`Google’s business model is based on trust, the material implications of a bug …
`
`were not eliminated merely by plugging the hole in Google+’s security.” Id. at 27.
`
`REASONS FOR GRANTING THE PETITION
`
`The panel’s decision conflicts with Supreme Court and Circuit precedent on
`
`the scope of Section 10(b) liability, and also raises an issue of exceptional
`
`importance. See FRAP 35(a). If not reversed, every public company whose
`
`“business model is based on trust” (Op. at 27) will be subjected to a novel,
`
`-4-
`
`

`

`Case: 20-15638, 06/30/2021, ID: 12159672, DktEntry: 45, Page 10 of 65
`
`
`
`affirmative duty to disclose in SEC filings any and all problems it has
`
`experienced—even if the problems no longer exist at the time of disclosure, and
`
`even if the relevant public statements were in no way false. The panel’s sweeping
`
`decision threatens to eliminate Section 10(b)’s requirement that Plaintiff plead the
`
`“false or misleading nature of the statements when made.” Ronconi, 253 F.3d at
`
`432. En banc review is warranted on that basis alone.
`
`There is more. The panel also improperly collapsed the requisite falsity and
`
`duty-of-disclosure analysis into its assessment of materiality. But as this Court’s
`
`past decisions confirm, “[t]he materiality of information is different from the issue
`
`of whether a statement is false or misleading.” In re Rigel Pharm., Inc. Sec. Litig.,
`
`697 F.3d 869, 880 n.8 (9th Cir. 2012). Indeed, it is well settled that Section 10(b)
`
`and Rule 10b-5(b) “do not create an affirmative duty to disclose any and all
`
`material information.” Matrixx, 563 U.S. at 44-45. Rather, disclosure is required
`
`“only when necessary ‘to make … statements made, in the light of the
`
`circumstances under which they were made, not misleading.’” Id. at 44 (quoting
`
`17 CFR § 240.10b-5(b)). That duty typically arises where the defendant has touted
`
`a specific subject, which the Complaint does not allege here.
`
`In reaching this extraordinary result, the panel expressly “decline[d] to
`
`follow the Sixth Circuit’s unpublished decision in Bondali, which held that a
`
`statement disclosing future harms generally would not mislead a reasonable
`
`-5-
`
`

`

`Case: 20-15638, 06/30/2021, ID: 12159672, DktEntry: 45, Page 11 of 65
`
`
`
`investor about the current state of a corporation’s operations.” Op. 27 n.6 (citing
`
`Bondali, 620 F. App’x at 490-91). The panel gave no substantive reason for
`
`brushing off Bondali—which has been followed by numerous district courts in four
`
`jurisdictions—saying only that it did so “[i]n light of our precedent.” Id. No other
`
`circuit has declined to follow the Sixth Circuit; indeed, Ninth Circuit precedent
`
`holds that allegedly misleading risk disclosures are not actionable where the risk
`
`does not materialize. Lloyd, 811 F.3d at 1207.
`
`The need for en banc review is especially clear in that risk disclosures are
`
`ubiquitous in SEC filings. Insofar as every business is in some important sense
`
`“based on trust” (Op. 27), the panel’s decision threatens not only technology
`
`companies in Silicon Valley but all public companies. Absent review, the panel’s
`
`decision will drive management to “bury the shareholders in an avalanche of trivial
`
`information” (TSC Indus., Inc. v. Northway, Inc., 426 U.S. 438, 448-49 (1976)) in
`
`hopes of avoiding the risk of perpetual securities litigation, expanding liability far
`
`beyond what Congress ever intended. See FRAP 35(a)(2).
`
`I.
`
`The Panel’s Expansive Materialization-of-Risk Approach Conflicts with
`Supreme Court and Ninth Circuit Precedent.
`The panel’s decision conflicts with Supreme Court and Circuit precedent in
`
`at least three respects. First, by predicating falsity on a remediated problem, the
`
`panel erased Section 10(b)’s requirement that falsity is determined at the time the
`
`statement was made. Second, in recognizing a novel stand-alone duty to disclose
`
`-6-
`
`

`

`Case: 20-15638, 06/30/2021, ID: 12159672, DktEntry: 45, Page 12 of 65
`
`
`
`based on an amorphous notion of “trust,” the panel conflated materiality with
`
`falsity. Third, the panel’s decision conflicts with Ninth and Sixth Circuit precedent
`
`holding that mere risk disclosures do not support a Section 10(b) claim.
`
`A. The Panel’s Decision Eviscerates Section 10(b)’s Requirement
`That a Statement Must Be False at the Time It Was Made.
`
`
`It is well settled that, to support Section 10(b) liability, alleged
`
`misstatements must be false or misleading “at the time they were made.” Rigel,
`
`697 F.3d at 876 (emphasis added); accord Ronconi, 253 F.3d at 429-31
`
`(complaints must allege that statements “were known to be false or misleading at
`
`[the] time by the people who made them”). Put another way, “the complaint must
`
`contain allegations of specific ‘contemporaneous statements or conditions.’” Id. at
`
`432 (emphasis added). Without contemporaneous falsity, there can be no fraud.
`
`By holding that Plaintiff may base a 10b-5 claim on Alphabet’s non-
`
`disclosure of a software bug that did not exist as of the time of the alleged
`
`omission, the panel eradicated the contemporaneousness requirement. The panel
`
`reasoned that Alphabet’s risk disclosures may be misleading if they warn of things
`
`that may already have come to fruition. Op. 26-27. Yet the very Ninth Circuit
`
`precedent cited by the panel confirms that this principle is applicable only where
`
`the risk came to fruition and remained in existence at the time of the disclosure.
`
`For example, Berson v. Applied Signal Tech., Inc., 527 F.3d 982, 986-87
`
`(9th Cir. 2008), held that risk disclosures regarding sales backlog failed to “alert[]
`
`-7-
`
`

`

`Case: 20-15638, 06/30/2021, ID: 12159672, DktEntry: 45, Page 13 of 65
`
`
`
`the reader that some of these risks may already have come to fruition” where
`
`undisclosed work-stop orders “were still in effect when defendants touted the
`
`company’s backlog.” Id. at 985 (emphasis added). Similarly, in Siracusano v.
`
`Matrixx Initiatives, Inc., 585 F.3d 1167, 1172 (9th Cir. 2009), aff’d, 563 U.S. 27
`
`(2011), the company warned that it might incur significant product liability costs—
`
`when in fact it had both already been sued and was incurring ongoing costs. And
`
`in Khoja v. Orexigen Therapeutics, Inc., 899 F.3d 988, 1016 (9th Cir. 2018), the
`
`company represented that its share price might be impacted by clinical trials, when
`
`it had failed to disclose new adverse trial data (and thus the threat to share price
`
`remained extant). In each of these cases, the risk had not merely occurred; it was
`
`occurring.
`
`The panel was not able to cite a single case like this one, where the
`
`undisclosed problem (here, the Bug) had been remediated and no longer existed at
`
`the time of the alleged omission. Nor is that surprising. For example, if the stop
`
`work orders in Berson had been withdrawn before the company’s statements, and
`
`its backlog was as strong as represented, should the company nonetheless have
`
`been required to disclose that past concern as a present risk to the business? The
`
`panel’s decision suggests the answer is yes, contrary to the Supreme Court’s
`
`admonition to avoid “bury[ing] the shareholders in an avalanche of trivial
`
`information.” TSC Industries, 426 U.S. at 448-49.
`
`-8-
`
`

`

`Case: 20-15638, 06/30/2021, ID: 12159672, DktEntry: 45, Page 14 of 65
`
`
`
`The panel’s erroneous decision thus conflicts with the very cases it cites for
`
`support. Without further citation to any legal authority, however, the panel
`
`brushed off Alphabet’s remediation of the Bug on the theory that “Google’s
`
`business model is based on trust”—which, the panel reasoned, meant the
`
`“implications” of user data exposure were not eliminated “merely by plugging the
`
`hole in Google+’s security.” Op. 27. That analysis is both untethered to any legal
`
`principle or precedent and breathtaking in scope. Insofar as all businesses are
`
`based largely on trust, a holding that such facts trigger a duty to disclose knows no
`
`limiting principle. The panel’s holding threatens to create a novel, expansive duty
`
`to disclose based on nebulous concepts of “trust” and the “implications” of a
`
`problem that has been solved—a risk for every public company. See infra at 10-
`
`14.
`
`Indeed, in Lloyd, 811 F.3d at 1207, this Court declined to find falsity when a
`
`previous risk had been ameliorated. There, the defendant had disclosed in its 10-Q
`
`there was “no basis for ‘serious doubts’ about [its largest borrower’s] ability to
`
`pay” loans, which plaintiff alleged was false because the borrower had previously
`
`told defendant about its financial difficulties. Id. at 1207. This Court rejected the
`
`plaintiff’s argument because prior to the 10-Q being filed, the loan had been
`
`restructured and thus the concern no longer existed. Id. Similarly here, a past bug
`
`-9-
`
`

`

`Case: 20-15638, 06/30/2021, ID: 12159672, DktEntry: 45, Page 15 of 65
`
`
`
`was cured by a fix. There is nothing false in either case. Absent correction, the
`
`panel’s reasoning leaves Ninth Circuit precedent in conflict.
`
`Nor is it any answer for the panel to invoke alleged but unspecified
`
`“additional security vulnerabilities.” Op. 27-28. The Complaint fails to identify a
`
`single one, let alone with particularity. “[T]his Circuit has consistently held that
`
`the PSLRA’s falsity requirement is not satisfied by conclusory allegations.”
`
`Metzler Inv. GMBH v. Corinthian Colleges, Inc., 540 F.3d 1049, 1070 (9th Cir.
`
`2008). Thus, to the extent the panel allowed such conclusory allegations of
`
`“additional security vulnerabilities” to save Plaintiff’s complaint, the decision
`
`threatens to eviscerate the PSLRA’s “[e]xacting pleading requirements,” in conflict
`
`with Supreme Court and Circuit precedent. Tellabs, Inc. v. Makor Issues & Rights,
`
`Ltd., 551 U.S. 308, 313 (2007); see also In re Silicon Graphics Inc. Sec. Litig., 183
`
`F.3d 970, 974, 984-85 (9th Cir. 1999) (plaintiffs must plead “particular facts” to
`
`satisfy “the heightened pleading standard under the PSLRA”), abrogated on other
`
`grounds, S. Ferry LP, No. 2 v. Killinger, 542 F.3d 779 (9th Cir. 2008).
`
`B.
`
`By Erroneously Conflating Materiality with Falsity, the Panel’s
`Decision Manufactures a Novel Duty to Disclose Based on “Trust”
`That Is Inconsistent with Supreme Court and This Circuit’s
`Precedents.
`
`
`En banc review is also warranted because the panel’s decision focused
`
`exclusively on the materiality of the alleged omission, at the expense of the falsity
`
`requirement. The panel concluded that, because the undisclosed Bug and “other
`
`-10-
`
`

`

`Case: 20-15638, 06/30/2021, ID: 12159672, DktEntry: 45, Page 16 of 65
`
`
`
`security vulnerabilities” were material, their omission rendered the risk disclosures
`
`in the Form 10-Qs misleading. See Op. 27 (rejecting Alphabet’s argument that any
`
`omission was “not misleading” because “the material implications” of a cured bug
`
`were “not eliminated” by the cure); id. at 18-20, 23-29. In so doing, however, the
`
`panel ignored a threshold question for Plaintiff’s claim: Which affirmative
`
`statements were rendered false or misleading by that alleged omission? The
`
`decision effectively imposed on Alphabet a free-standing, novel affirmative duty to
`
`disclose all “security vulnerabilities” that arise, even when they have been resolved
`
`and even when Alphabet was silent on the subject, because it deemed the Bug or
`
`“other security vulnerabilities” material. That reasoning conflicts with settled
`
`precedent.
`
`As this Court has recognized, “[t]he materiality of information is different
`
`from the issue of whether a statement is false or misleading.” Rigel, 697 F.3d at
`
`880 n.8. And as the Supreme Court put it in Matrixx, “[Section] 10(b) and Rule
`
`10b-5(b) do not create an affirmative duty to disclose any and all material
`
`information.” 563 U.S. at 44-45. Disclosure is required “only when necessary ‘to
`
`make … statements made, in light of the circumstances under which they were
`
`made, not misleading.’” Id. (citation omitted); Basic Inc. v. Levinson, 485 U.S.
`
`224, 239 n.17 (1988) (omissions not actionable absent duty to disclose). If an
`
`omission does not “make the actual statement misleading,” a company need not
`
`-11-
`
`

`

`Case: 20-15638, 06/30/2021, ID: 12159672, DktEntry: 45, Page 17 of 65
`
`
`
`supplement the statement “even if investors would consider the omitted
`
`information significant.” Rigel, 697 F.3d at 880 n.8. Alphabet made no statements
`
`that its security system was bulletproof. Thus, Alphabet was under no affirmative
`
`obligation to disclose the remediated Bug absent a duty to do so. See Basic, 485
`
`U.S. at 239 n.17 (“Silence, absent a duty to disclose, is not misleading under Rule
`
`10b-5.”). Yet the panel never even discussed the question of whether Alphabet had
`
`a duty to disclose absent an affirmative statement that would be misleading by
`
`itself.
`
`Specifically, the panel never analyzed how the alleged omission of the Bug
`
`created “an impression of a state of affairs that differs in a material way from the
`
`one that actually exists.” Brody v. Transitional Hosp. Corp., 280 F.3d 997, 1006
`
`(9th Cir. 2002). Nor could it have, as the Bug no longer existed, and the Form 10-
`
`Qs did not represent or imply that Alphabet had never experienced a software bug
`
`or security vulnerabilities. Because the Form 10-Qs did not speak to the subject,
`
`there was no false “impression” that Google+ was—and had always been—bug-
`
`free.
`
`This Court’s recent decision in Tesla is instructive. In that case, this Court
`
`rejected the notion that a company’s statements regarding potential challenges in
`
`meeting production goals constituted misleading omissions “about current or past
`
`challenges” because some of the types of risks allegedly “had already been
`
`-12-
`
`

`

`Case: 20-15638, 06/30/2021, ID: 12159672, DktEntry: 45, Page 18 of 65
`
`
`
`experienced.” 985 F.3d at 1195-96. In so holding, the Court reasoned that “these
`
`challenged statements contain no explicit or implicit representations that Tesla had
`
`not already experienced such issues.” Id. at 1196. Likewise here, the Form 10-Qs
`
`contained no explicit or implicit representation that Google+ or Alphabet had not
`
`experienced a software glitch.
`
`Even Berson, the panel’s own authority, undercuts the panel’s improper
`
`expansion of the duty to disclose. There, after accepting the plaintiff’s
`
`materialization-of-risk argument, this Court added that “[n]one of this means that
`
`defendants had an affirmative duty to disclose the stop-work orders.” 527 F.3d at
`
`987 (emphasis added). As the Court explained, “[h]ad defendants released no
`
`backlog reports, their failure to mention the stop-work order might not have misled
`
`anyone.” Id. “But once defendants chose to tout the company’s backlog, they
`
`were bound to do so in a manner that wouldn’t mislead investors as to what that
`
`backlog consisted of.” Id.
`
`Here, the Form 10-Qs did not “tout” Google+ or Alphabet’s security
`
`measures. To the contrary, they referenced the 2017 Form 10-K, which warned
`
`against risks associated with security vulnerabilities—including but not limited to
`
`“security breaches” due to “system errors or vulnerabilities,” “systems failure or
`
`compromise of our security,” cyber-attacks “we experience” “on a regular basis,”
`
`and “[f]rom time to time, concerns … about whether our products, services, or
`
`-13-
`
`

`

`Case: 20-15638, 06/30/2021, ID: 12159672, DktEntry: 45, Page 19 of 65
`
`
`
`processes compromise the privacy of users, customers, and others.” SER43. No
`
`reasonable investor could conclude from these disclosures that Alphabet’s security
`
`measures were perfect or that a software bug had never occurred.
`
`C. The Panel’s Decision Is Inconsistent with Ninth and Sixth Circuit
`Precedent.
`
`
`The panel’s holding that “Alphabet’s warning in each Form 10-Q of risks
`
`that ‘could’ or ‘may’ occur is misleading to a reasonable investor when Alphabet
`
`knew that those risks had materialized” (Op. 27) likewise conflicts with both Ninth
`
`Circuit and Sixth Circuit precedent.
`
`In Lloyd, this Court rejected the contention that CVB committed securities
`
`fraud by describing the real estate market in SEC filings as “a ‘risk factor’ that
`
`‘could’ affect the ability of loan customers to repay ‘in the future,’ when in fact
`
`that risk had already come to fruition.” 811 F.3d at 1207. “[I]n context,” the Court
`
`explained, “there is nothing misleading about these statements.” Id.
`
`Lloyd is consistent with Sixth Circuit authority holding that forward-looking
`
`risk disclosures generally are not independently actionable. In Bondali, 620 F.
`
`App’x at 490, the plaintiff claimed that a risk disclosure was misleading because it
`
`warned of the possibility of food safety issues, when in fact certain issues had
`
`already occurred. In rejecting this claim, the Sixth Circuit explained that risk
`
`disclosures “are inherently prospective in nature.” Id. at 491. Risk disclosures
`
`“warn an investor of what harms may come to their investment. They are not
`
`-14-
`
`

`

`Case: 20-15638, 06/30/2021, ID: 12159672, DktEntry: 45, Page 20 of 65
`
`
`
`meant to educate investors on what harms are currently affecting the company.”
`
`Id. Thus, a reasonable investor would unlikely infer anything regarding the
`
`company’s “current state” of affairs “from a statement intended to educate the
`
`investor on future harms.” Id.
`
`The panel expressly “decline[d] to follow the Sixth Circuit’s unpublished
`
`decision” “[i]n light of our precedent.” Op. 27 n.6. The “precedent” cited,
`
`however, does not support the panel’s decision. Supra at 7-8. Nor does it discuss
`
`the principle, embraced by the Sixth Circuit, that risk disclosures are inherently
`
`prospective and thus say nothing about a company’s current condition. No other
`
`Court of Appeals has declined to follow the Sixth Circuit, and several district
`
`courts have expressly followed it.
`
`For example, In re ChannelAdvisor Corp. Sec. Litig., No. 15-CV-000307-F,
`
`2016 WL 1381772, at *5-6 (E.D.N.C. Apr. 6, 2016), dismissed the allegation that
`
`the risk disclosure accompanying revenue projections was false because it
`
`disclosed as a mere risk a condition that the company knew already existed (a shift
`
`of its customers to fixed pricing contracts). Citing Bondali, the court concluded
`
`that a reasonable investor would not likely “infer anything about ChannelAdvisor’s
`
`current contracts” from a risk disclosure. Id. at *6 (emphasis added). The Fourth
`
`Circuit affirmed. Dice v. ChannelAdvisor Corp., 671 F. App’x 111 (4th Cir. 2016)
`
`(unpublished).
`
`-15-
`
`

`

`Case: 20-15638, 06/30/2021, ID: 12159672, DktEntry: 45, Page 21 of 65
`
`
`
`Other district courts have also approved Bondali, including in the data
`
`security context. In re Marriott Int’l, Inc. Customer Data Security Breach Litig.
`
`Sec. Actions, No. 19-MD-2879, 2021 WL 2407518 (D. Md. June 11, 2021),
`
`involved a significant breach of (not a mere bug in) the guest reservations
`
`database. The court dismissed the securities complaint, holding, inter alia, “[t]o
`
`the extent Plaintiff alleges that Marriott’s risk factor disclosures were misleading
`
`about its current state of cybersecurity, those allegations fail because the risk factor
`
`disclosures are not intended to educate investors about harms currently affecting
`
`the company.” Id. at *25.1 Furthermore, Bondali is consistent with district courts
`
`(including in this Circuit) that likewise have found risk disclosures not actionable
`
`under Section 10(b) and Rule 10b-5. See In re Volkswagen “Clean