`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`No. 21-15785
`
`IN THE UNITED STATES COURT OF APPEALS
`FOR THE NINTH CIRCUIT
`
`LOCAL 353, I.B.E.W. PENSION FUND,
`On Behalf of Itself and All Others Similarly Situated,
`Plaintiff-Appellant,
`v.
`ZENDESK, INC.; MIKKEL SVANE; ELENA
`GOMEZ,
`Defendants-Appellees.
`On Appeal from the United States District
`Court for the Northern District of California
`No. 3:19-cv-06968-CRB
`Honorable Charles R. Breyer
`
`ANSWERING BRIEF OF DEFENDANTS-APPELLEES
`
`Sara B. Brody
`sbrody@sidley.com
`Tyler R. Wolfe
`tyler.wolfe@sidley.com
`SIDLEY AUSTIN LLP
`555 California Street, Suite 2000
`San Francisco, CA 94104
`Telephone: (415) 772-1200
`
`
`
`
`Robin Wechkin
`rwechkin@sidley.com
`SIDLEY AUSTIN LLP
`8426 316th Pl SE
`Issaquah, WA 98027
`Telephone: (415) 439-1799
`Robert N. Hochman
`rhochman@sidley.com
`SIDLEY AUSTIN LLP
`One South Dearborn
`Chicago, IL 60603
`Telephone: (312) 853-2936
`
`Attorneys for Defendants-Appellees
`
`
`
`
`
`Case: 21-15785, 10/13/2021, ID: 12256363, DktEntry: 27, Page 2 of 70
`
`RULE 26.1 DISCLOSURE STATEMENT
`Zendesk, Inc. is a corporation with no parent corporation. No publicly held
`
`corporation owns 10% or more of Zendesk’s stock.
`
`
`
`
`
`
`
`i
`
`
`
`Case: 21-15785, 10/13/2021, ID: 12256363, DktEntry: 27, Page 3 of 70
`
`TABLE OF CONTENTS
`
`Page
`
`II.
`
`
`JURISDICTIONAL STATEMENT ......................................................................... 1
`PRELIMINARY STATEMENT .............................................................................. 1
`STATEMENT OF ISSUES PRESENTED .............................................................. 3
`STATEMENT OF THE CASE ................................................................................ 3
`I.
`Factual Background ............................................................................... 3
`II.
`Procedural History ................................................................................. 6
`A.
`The FAC And The SAC .............................................................. 6
`B.
`The Five Statements Challenged In The SAC ............................ 6
`C.
`The District Court’s Ruling ......................................................10
`ARGUMENT ........................................................................................................17
`I.
`Standard Of Review And The Heightened Pleading
`Standards Of The PLSRA ...................................................................17
`Plaintiff Failed To Identify A False Or Misleading Statement ...........18
`A.
`Plaintiff Failed To Plead Facts Demonstrating That
`Zendesk’s Two Business Statements Were False Or
`Misleading .................................................................................18
`1.
`Plaintiff’s claim fails on chronological grounds—
`and because Zendesk disclosed the very facts
`Plaintiff accused the Company of concealing ................20
`Zendesk’s generalized statements about the
`strength of its security program are nonactionable
`under this Court’s Alphabet decision .............................25
`Plaintiff Failed To Plead Facts Demonstrating That
`Zendesk’s Three Risk Disclosures Were False Or
`Misleading .................................................................................29
`Plaintiff Misapprehends The Applicable Section 10(b)
`Framework In Multiple Ways ...................................................35
`1.
`Section 10(b) imposes no liability for omissions
`standing alone ..................................................................35
`
`2.
`
`B.
`
`C.
`
`
`
`ii
`
`
`
`Case: 21-15785, 10/13/2021, ID: 12256363, DktEntry: 27, Page 4 of 70
`
`2.
`
`3.
`
`Plaintiff’s “duty” arguments are factually baseless
`and legally erroneous .......................................................37
`The District Court did not usurp any jury
`function by applying the heightened pleading
`standards of the PSLRA ...................................................39
`Plaintiff Failed To Plead Facts Supporting A Strong Inference
`Of Deliberate Fraud .............................................................................42
`A. Overview ...................................................................................42
`B.
`Plaintiff’s Core Operations Theory Fails ..................................44
`C.
`Plaintiff’s Corporate Scienter Theory Fails ..............................47
`D.
`Plaintiff Failed To Create A Strong Inference Of
`Deliberate Recklessness ............................................................48
`A Holistic Analysis Confirms Plaintiff’s Failure To
`Create A Strong Inference Of Deliberate Fraud .......................50
`IV. Plaintiff Failed To Plead Loss Causation With Respect
`To Any Of The Three Purported Corrective Disclosures ...................52
`CONCLUSION .......................................................................................................60
`
`III.
`
`E.
`
`
`
`
`
`iii
`
`
`
`Case: 21-15785, 10/13/2021, ID: 12256363, DktEntry: 27, Page 5 of 70
`
`TABLE OF AUTHORITIES
`
` Page(s)
`
`Decisions
`In re Alphabet, Inc., Sec. Litig.,
`1 F.4th 687 (9th Cir. 2021) ..........................................................................passim
`Berson v. Applied Signal Tech., Inc.,
`527 F.3d 982 (9th Cir. 2008) ........................................................................ 32, 45
`In re BofI Holding, Inc. Sec. Litig.,
`977 F.3d 781 (9th Cir. 2020) .............................................................................. 58
`Colyer v. AcelRx Pharm., Inc.,
`2015 WL 7566809 (N.D. Cal. Nov. 25, 2015) ............................................. 36, 44
`In re Convergent Techs. Sec. Litig.,
`948 F.2d 507 (9th Cir. 1991) .............................................................................. 32
`Curry v. Yelp, Inc.,
`875 F.3d 1219 (9th Cir. 2017) ............................................................................ 59
`Daniels-Hall v. Nat’l Educ. Ass’n,
`629 F.3d 992 (9th Cir. 2010) .............................................................................. 52
`Dura Pharms., Inc. v. Broudo,
`544 U.S. 336 (2005) ...................................................................................... 52, 53
`Eng v. Edison Int’l,
`2018 WL 1367419 (S.D. Cal. Mar. 16, 2018), aff’d, 786 F. App’x
`685 (9th Cir. 2019) .............................................................................................. 58
`In re Facebook, Inc. Sec. Litig.,
`405 F. Supp. 3d 809 (N.D. Cal. 2019) .......................................................... 27, 33
`Glazer Capital Mgmt., L.P. v. Magistri,
`549 F.3d 736 (9th Cir. 2008) ......................................................................... 47, 48
`Howard v. Everex Sys., Inc.,
`228 F.3d 1057 (9th Cir. 2000) ............................................................................ 49
`
`
`
`iv
`
`
`
`Case: 21-15785, 10/13/2021, ID: 12256363, DktEntry: 27, Page 6 of 70
`
`In re Intel Corp. Sec. Litig.,
`2019 WL 1427660 (N.D. Cal. March 29, 2019) ................................................. 27
`Iron Workers Local 580 Joint Funds v. NVIDIA Corp.,
`2020 WL 1244936 (N.D. Cal. Mar. 16, 2020) ................................................... 45
`Khoja v. Orexigen Therapeutics, Inc.,
`899 F.3d 988 (9th Cir. 2018) .............................................................................. 38
`Kim v. Advanced Micro Devices, Inc.,
`2019 WL 2232545 (N.D. Cal. May 23, 2019) .................................................... 31
`Matrixx Initiatives, Inc. v. Siracusano,
`563 U.S. 27 (2011) .................................................................................. 35, 36, 37
`Metzler Inv. GmbH v. Corinthian Colls, Inc.,
`540 F.3d 1049 (9th Cir. 2008) ............................................................................ 59
`Mineworkers’ Pension Scheme v. First Solar Inc.,
`881 F.3d 750 (9th Cir. 2018) .............................................................................. 53
`Nguyen v. Endologix, Inc.,
`962 F.3d 405 (9th Cir. 2020) ........................................................................ 18, 42
`No. 84 Emp.-Teamster Joint Council Pension Tr. Fund v. Am. W.
`Holding Corp.,
`320 F.3d 920 (9th Cir. 2003) .............................................................................. 46
`Nuveen Mun. High Income Opportunity Fund v. City of Alameda,
`730 F.3d 1111 (9th Cir. 2013) ...................................................................... 53, 54
`In re NVIDIA Corp. Sec. Litig.,
`768 F.3d 1046 (9th Cir. 2014) ............................................................................ 47
`Or. Pub. Emp. Ret. Fund v. Apollo Grp. Inc.,
`774 F.3d 598 (9th Cir. 2014) .............................................................................. 53
`Padgett v. Wright,
`587 F.3d 983 (9th Cir. 2009) .............................................................................. 42
`Police Ret. Sys. of St. Louis v. Intuitive Surgical, Inc.,
`759 F.3d 1051 (9th Cir. 2014) ............................................................................ 45
`
`
`
`v
`
`
`
`Case: 21-15785, 10/13/2021, ID: 12256363, DktEntry: 27, Page 7 of 70
`
`Prime Mover Capital Partners L.P. v. Elixir Gaming Tech.,
`898 F. Supp. 2d 673 (S.D.N.Y. 2012) ................................................................ 56
`Prodanova v. H.C. Wainwright & Co.,
`993 F.3d 1097 (9th Cir. 2021) ............................................................................ 43
`In re Rigel Pharm., Inc. Sec. Litig.,
`697 F.3d 869 (9th Cir. 2012) .......................................................................passim
`Ronconi v. Larkin,
`253 F.3d 423 (9th Cir. 2001) .............................................................................. 40
`South Ferry L.P No. 2 v. Killinger,
`542 F.3d 776 (9th Cir. 2008) .............................................................................. 45
`Tellabs, Inc. v. Makor Issues & Rights, Ltd.,
`551 U.S. 308 (2007) ...................................................................................... 17, 18
`TSC Indus. v. Northway, Inc.,
`426 U.S. 438 (1976) ............................................................................................ 39
`In re VeriFone Holdings, Inc. Sec. Litig.,
`704 F. 3d 694 (9th Cir. 2012) ....................................................................... 49, 50
`Williams v. Globus Med., Inc.,
`869 F.3d 235 (3d Cir. 2017) ......................................................................... 31, 32
`Wochos v. Tesla, Inc.,
`985 F.3d 1180 (9th Cir. 2021) ............................................................................ 59
`In re Worlds of Wonder Sec. Litig.,
`35 F.3d 1407 (9th Cir. 1994) .............................................................................. 51
`Zucco Partners, LLC v. Digimarc Corp.,
`552 F.3d 981 (9th Cir. 2009) .................................................................. 17, 43, 49
`Statutes and Rules
`15 U.S.C. § 78j(b) (Section 10(b) of the Securities Exchange Act) .................passim
`15 U.S.C. § 78t-(1)(a) (Section 20(a) of the Securities Exchange Act) .................. 59
`15 U.S.C. § 78u-4(b)(1)(B) ...................................................................................... 17
`
`
`
`vi
`
`
`
`Case: 21-15785, 10/13/2021, ID: 12256363, DktEntry: 27, Page 8 of 70
`
`15 U.S.C. § 78u-4(b)(2)(A) ................................................................................ 17, 42
`17 C.F.R. § 240.10b-5(b) (Rule 10b-5) ....................................................... 21, 25, 36
`Fed. R. Civ. P. 9(b) ............................................................................................ 41, 53
`Fed. R. Civ. P. 12(b)(6) ...................................................................................... 17, 49
`
`
`
`
`
`vii
`
`
`
`Case: 21-15785, 10/13/2021, ID: 12256363, DktEntry: 27, Page 9 of 70
`
`JURISDICTIONAL STATEMENT
`The Appellees agree with the jurisdictional statement in Plaintiff-
`
`Appellant’s Opening Brief. There are three Appellees—Zendesk, Inc., which is a
`
`publicly traded software company, and two of Zendesk’s officers, Mikkel Svane
`
`and Elena Gomez. For the convenience of the Court, we adopt the nomenclature
`
`used in the Plaintiff-Appellant’s Opening Brief and accordingly refer to Plaintiff-
`
`Appellant as “Plaintiff.” We likewise refer to Appellees collectively as “Zendesk,”
`
`“the Company” or “Defendants.”
`
`PRELIMINARY STATEMENT
`Zendesk, a global software company, suffered a data breach in November
`
`2016. Zendesk first learned of the breach in 2019 and promptly reported it to
`
`customers and investors. Plaintiff nevertheless claims that five statements Zendesk
`
`made about its security program before it learned of the breach were misleading
`
`and hence violated Section 10(b) of the Securities Exchange Act of 1934.
`
`Plaintiff does not allege that Zendesk failed to timely disclose the breach:
`
`Plaintiff concedes that Zendesk did not know about the breach when it made the
`
`challenged statements between February and August 2019. Plaintiff’s theory is
`
`that Zendesk should have told investors in 2019, even before it knew about the
`
`2016 breach, that certain features of its current security program were not yet in
`
`place in 2016. Plaintiff claims that because Zendesk purportedly concealed this
`
`
`
`
`
`Case: 21-15785, 10/13/2021, ID: 12256363, DktEntry: 27, Page 10 of 70
`
`fact from investors, its stock price became inflated and remained so until the
`
`breach was disclosed.
`
`The District Court rightly dismissed Plaintiff’s claims. The challenged 2019
`
`statements did not refer to the state of Zendesk’s security program in 2016.
`
`Zendesk did comment generally on the history of its security program, but in doing
`
`so disclosed to investors, in every public filing Plaintiff challenges, that it had
`
`discovered breaches and vulnerabilities in the past, and that additional breaches
`
`could remain undetected for extended periods. On these facts—which appear on
`
`the face of the complaint and documents incorporated by reference—Zendesk
`
`plainly made no false or misleading statement about its 2016 security program.
`
`For similar reasons, the District Court correctly concluded that Plaintiff
`
`failed to plead facts supporting the statutorily-required strong inference of
`
`scienter—that is, a cogent and compelling inference that Zendesk intended to
`
`mislead investors or recklessly disregarded the danger that its statements would do
`
`so. Plaintiff pled no facts suggesting that Defendants sought to make the public
`
`believe anything untrue or misleading about its 2016 security program.
`
`Although the District Court did not reach the issue, this Court can also
`
`affirm dismissal on causation grounds. Plaintiff failed to plead facts showing that
`
`its alleged losses were triggered by the revelation of the information it claims
`
`
`
`2
`
`
`
`Case: 21-15785, 10/13/2021, ID: 12256363, DktEntry: 27, Page 11 of 70
`
`Zendesk wrongfully concealed—that is, not that a breach had occurred but that
`
`certain features of Zendesk’s security system were not yet in place in 2016.
`
`STATEMENT OF ISSUES PRESENTED
`1. Under the heightened particularity requirements of the Private Securities
`Litigation Reform Act (PSLRA), did the District Court correctly
`conclude that Plaintiff failed to plead facts showing that the challenged
`2019 statements were false or misleading, given that Zendesk did not
`purport to describe the state of its 2016 security program?
`
`
`2. Did the District Court correctly conclude that Plaintiff failed to satisfy
`the PSLRA’s demanding requirement to plead particularized facts
`creating a strong inference of intentional fraud, given that Zendesk did
`not purport to address in the challenged 2019 statements the nature of its
`2016 security program, and explicitly disclosed that it had discovered
`breaches and vulnerabilities in its program in the past, and that additional
`breaches could remain undetected?
`
`
`3. Did Plaintiff sufficiently plead loss causation with the required
`particularity, given that the disclosures that purportedly triggered
`Zendesk’s stock price decline did not reveal the allegedly omitted details
`about the state of Zendesk’s 2016 security program?
`STATEMENT OF THE CASE
`Factual Background
`I.
`Zendesk is a global software company with headquarters in San Francisco.
`
`ER-25 ¶ 5. Zendesk provides customer service products to companies, and in so
`
`doing collects, stores and transmits proprietary information, including personal
`
`identifiable information, or PII. ER-26 ¶ 9. Zendesk described the risks associated
`
`with handling PII in its 2018 Form 10-K (filed on February 14, 2019), which
`
`contains each of the five statements Plaintiff has challenged. In the Form 10-K,
`
`
`
`3
`
`
`
`Case: 21-15785, 10/13/2021, ID: 12256363, DktEntry: 27, Page 12 of 70
`
`Zendesk advised investors that it had “previously experienced significant breaches
`
`and identified significant vulnerabilities” in its security program. SER-71.
`
`Zendesk also warned that its products were at risk for future breaches, and that
`
`breaches “may remain undetected for an extended period.” ER-38 ¶ 44.
`
`In 2016, Zendesk began hosting its data through a cloud computing platform
`
`furnished by Amazon Web Services (AWS). ER-26 ¶ 8. Users of AWS, including
`
`Zendesk, access the platform through AWS keys, which function much like
`
`passwords. Zendesk completed its transition to the AWS platform in 2019. Id.
`
`On October 2, 2019, Zendesk posted on its website an “Important Notice
`
`Regarding 2016 Security Incident.” ER-42-43 ¶ 55; SER-87-92. In that post,
`
`Zendesk explained that a third party had recently told the Company that its
`
`customer accounts had been breached on or before November 1, 2016. Id. After
`
`investigating the matter, Zendesk said, it had concluded that approximately 10,000
`
`accounts had been breached. Id. Zendesk’s stock price fell 3.9% on October 2,
`
`2019. ER-49 ¶ 73. On October 4, 2019, when Zendesk provided an update
`
`increasing its estimate of breached accounts to 15,000, its stock price rose, closing
`
`higher than it had been before the October 2, 2019 announcement. ER-45 ¶ 61;
`
`SER-104.
`
`Zendesk provided the market with further information during its October 29,
`
`2019 earnings call, explaining that in 2016, “Zendesk was in a very different state
`
`
`
`4
`
`
`
`Case: 21-15785, 10/13/2021, ID: 12256363, DktEntry: 27, Page 13 of 70
`
`of security than we are today.” ER-45-46 ¶ 62. Plaintiff did not challenge this
`
`explanation; on the contrary, Plaintiff characterized it as an admission. Id.
`
`Plaintiff also did not allege any stock drop in connection with this statement, and in
`
`fact Zendesk’s stock price rose 4.4% between October 29, 2019 and October 30,
`
`2019. SER-103.
`
`Zendesk published an update regarding the 2016 breach on November 22,
`
`2019, explaining that the person or persons who perpetrated the breach had used a
`
`small number of Zendesk’s AWS keys, which Zendesk had shared with a third-
`
`party vendor. ER-46-47 ¶ 64. Zendesk also reported that it had no evidence that
`
`the improperly accessed customer information was actually misused. Id. As it had
`
`done on October 29, 2019, Zendesk referred to improvements it had made to its
`
`security program between 2016 and 2019, now specifying that these improvements
`
`included expanded single and multifactor authentication (rolled out in 2016-2017)
`
`and increased security monitoring and logging. Id. Although this is the
`
`information Plaintiff claims Zendesk should have disclosed during the putative
`
`class period, Plaintiff does not allege that Zendesk’s stock price fell in response to
`
`Zendesk’s November 22, 2019 report. And in fact Zendesk’s stock was essentially
`
`flat, closing at $78.81 on November 21, 2019 and $78.90 on November 22, 2019.
`
`SER-103.
`
`
`
`
`
`5
`
`
`
`Case: 21-15785, 10/13/2021, ID: 12256363, DktEntry: 27, Page 14 of 70
`
`II.
`
`Procedural History
`A. The FAC And The SAC
`Plaintiff filed its first Amended Complaint (FAC) on April 14, 2020,
`
`asserting claims under Section 10(b) against Zendesk and several of its executives.
`
`In addition to statements about Zendesk’s security program, Plaintiff challenged a
`
`number of the Company’s statements related to financial results and guidance.
`
`Zendesk moved to dismiss the FAC, and the District Court granted that motion on
`
`November 9, 2020. Pl’s Br. 12.
`
`On January 8, 2021, Plaintiff filed the Second Amended Complaint—the
`
`SAC, which is the operative complaint on appeal. In the SAC, Plaintiff abandoned
`
`its deficient attack on Zendesk’s statements about financial results and dropped one
`
`of the three individual defendants. The remaining defendants are Zendesk itself
`
`and the Company’s current CEO (Mikkel Svane) and former CFO (Elena Gomez).
`
`The sole theory of fraud in the SAC is that when Zendesk discussed its security
`
`program in 2019, the Company misleadingly omitted details about alleged flaws in
`
`the program as it had existed in 2016. ER-25 ¶ 4. Plaintiff sought in the SAC to
`
`represent a class of investors who purchased Zendesk stock between February 15,
`
`2019 and October 1, 2019. ER-24 ¶ 2.
`
`The Five Statements Challenged In The SAC
`B.
`Plaintiff challenged five statements in Zendesk’s 2018 Form 10-K (filed
`
`February 14, 2019). Two statements are contained in the “business” section of that
`6
`
`
`
`
`
`Case: 21-15785, 10/13/2021, ID: 12256363, DktEntry: 27, Page 15 of 70
`
`filing and three in the risk disclosure section. SER-60, 63, 66-67, 71. Plaintiff
`
`challenged the identical risk disclosure statements in Zendesk’s two subsequent
`
`Forms 10-Q, filed May 2, 2019 and August 2, 2019. ER-39-40 ¶¶ 47, 49; SER-78,
`
`84.
`
`Business statements. The first of the two challenged business statements
`
`was included under the heading “Technology.” There, Zendesk described various
`
`features of its technology, including “Security”:
`
`Security. Each of our products are designed to host a large quantity of
`customer data. We maintain a comprehensive security program
`designed to help safeguard the security and integrity of our customers’
`data. We regularly review our security system. In addition, we
`regularly obtain third-party security audits and examinations of our
`technical operations and practices covering data security.
`ER-37 ¶ 43; SER-63. On appeal, Plaintiff does not dispute the factual accuracy of
`
`these statements. Plaintiff’s claim instead is that the statements were misleading—
`
`notwithstanding their accuracy—because they conveyed an “impression” of
`
`Zendesk’s 2016 security program at odds with “inner reality.” Pl’s Br. 18-20, 36.
`
`
`
`The second challenged business statement appeared under the heading
`
`“Regulatory Considerations.” In that section, Zendesk described issues related to
`
`privacy regulations, explaining that it was required to monitor and comply with a
`
`host of legal obligations in multiple jurisdictions. SER-66. Zendesk also reminded
`
`investors that two years earlier, in June 2017, it had announced its completion of a
`
`milestone within the European Union’s regulatory framework:
`
`
`
`7
`
`
`
`Case: 21-15785, 10/13/2021, ID: 12256363, DktEntry: 27, Page 16 of 70
`
`In June 2017, we announced that we completed the EU approval
`process for our global Binding Corporate Rules . . . as a data processor
`and controller. This significant regulatory approval validated our
`implementation of the highest possible standards for protecting PII
`globally, covering both the PII of our customers and employees.
`ER-37 ¶ 43; SER-66. Plaintiff again does not argue on appeal that this regulatory
`
`compliance statement was false; again, Plaintiff’s theory is that the statement was
`
`misleading notwithstanding its accuracy.
`
`Risk disclosures. Plaintiff also challenged three sentences contained within
`
`a risk disclosure related to security breaches and their possible consequences. We
`
`reproduce the most pertinent statements in that risk disclosure below, highlighting
`
`the three sentences Plaintiff challenged:
`
`If our network or computer systems are breached or unauthorized
`access to customer data is otherwise obtained, our products may be
`perceived as insecure, we may lose existing customers or fail to
`attract new customers, and we may incur significant liabilities.
`
`Use of our products involves the storage, transmission, and processing
`of our customers’ proprietary data, including personal or identifying
`information regarding their customers or employees. Unauthorized
`access to or security breaches of our products could result in the loss
`of data, loss of intellectual property or trade secrets, loss of business,
`severe reputational damage adversely affecting customer or investor
`confidence, regulatory investigations and orders, litigation or
`indemnity obligations. . . . . We have incurred, and expect to continue
`to incur, significant expenses to prevent, investigate, and remediate
`security breaches and vulnerabilities . . . .
`
`We have previously experienced significant breaches and identified
`significant vulnerabilities of our security measures and the security
`measures deployed by third-party vendors upon which we rely, and
`our products are at risk for future breaches as a result of third-party
`
`
`
`8
`
`
`
`Case: 21-15785, 10/13/2021, ID: 12256363, DktEntry: 27, Page 17 of 70
`
`actions, employee, vendor or contractor error, malfeasance, or other
`factors.
`. . .
`Because the techniques used and vulnerabilities exploited to obtain
`unauthorized access to or sabotage systems change frequently and
`generally are not identified until they are launched against a target, we
`may be unable to anticipate these techniques or vulnerabilities or to
`implement adequate preventative measures. We may also experience
`security breaches that may remain undetected for an extended
`period.
`ER-38 ¶ 44; SER-71, 78, 84.1 In challenging these statements, Plaintiff alleged
`
`that Zendesk had misleadingly characterized risks that had already materialized as
`
`mere contingencies, by using the terms “if” and “may.” ER-38 ¶ 44.
`
`Statements that were not challenged. These five statements are the only
`
`statements Plaintiff challenged, and Plaintiff obviously cannot expand the universe
`
`of challenged statements on appeal. ER-41 ¶ 50; ER-10 n.4. In its brief in this
`
`Court, Plaintiff nevertheless refers repeatedly to multiple unchallenged statements:
`
`• Zendesk’s purported “assur[ance] . . . that Zendesk followed industry best
`practices.” Pl’s Br. 2.
`
`• Zendesk’s purported advice to its own customers to “never give out
`passwords, routinely audit and monitor accounts, and use multi-factor
`identification.” Pl’s Br. 4.
`
`• Zendesk’s purported further advice to customers that “even the best
`security practices will fall short if they are not followed.” Id.
`
`
`1 The first highlighted statement in block text was also highlighted in Zendesk’s
`filings. Id.
`
`
`
`9
`
`
`
`Case: 21-15785, 10/13/2021, ID: 12256363, DktEntry: 27, Page 18 of 70
`
`• Zendesk’s purported statement in its Binding Corporate Rules that it
`“would comply with its own data-security policies.” Pl’s Br. 8.
`
`• Zendesk’s purported “claim[] to have patched the former vulnerability,”
`i.e., an alleged vulnerability that led to a breach in 2013. Pl’s Br. 17-18.
`Zendesk made this statement in February 2013—six years before the
`February-October 2019 putative class period. ER-29 ¶ 16.
`Plaintiff also refers to a list of “best practices” purportedly provided by
`
`AWS in 2016, which included advice that AWS customers not share keys. E.g.,
`
`Pl’s Br. 20. Zendesk, of course, did not write AWS’s list, and Plaintiff did not
`
`allege that Zendesk referred to the list in any challenged statement, much less that
`
`Zendesk told investors that it had adopted every practice recommended by AWS.
`
`C. The District Court’s Ruling
`Zendesk moved to dismiss the SAC, arguing that Plaintiff had failed to
`
`adequately plead falsity, scienter and loss causation. The District Court granted
`
`the motion on March 2, 2021. ER-4-22. Before summarizing that ruling, we pause
`
`to identify a key point Plaintiff conceded in opposing Zendesk’s motion to dismiss
`
`the SAC and a second key point Plaintiff conceded in the SAC itself.
`
`Plaintiff’s two concessions. First, Plaintiff conceded that Zendesk did not
`
`know of the 2016 data breach at the time of the challenged 2019 statements.
`
`Plaintiff argued in its opposition to Zendesk’s motion to dismiss the SAC that the
`
`Company “did not even discover” the breach until it was “alerted by a third party”
`
`in September 2019. SER-20. Plaintiff repeats this concession on appeal, stating
`
`
`
`10
`
`
`
`Case: 21-15785, 10/13/2021, ID: 12256363, DktEntry: 27, Page 19 of 70
`
`that Zendesk “confirm[ed]” that the 2016 breach “went undetected for three years.”
`
`Pl’s Br. 4.
`
`Second, Plaintiff conceded that Zendesk improved its security program
`
`between 2016, when the breach occurred, and 2019, when the Company made the
`
`challenged statements. Plaintiff alleged that Zendesk “admitted,” when discussing
`
`the breach on October 29, 2019, that its 2016 security program was “in a very
`
`different state” than its current program. ER-45-46 ¶ 62. Plaintiff takes the same
`
`position on appeal, asking this Court to “[a]ccept[] as true Defendants’ admission
`
`that best practices weren’t put into place until 2016-2017.” Pl’s Br. 41. Plaintiff
`
`has thereby embraced the view that Zendesk’s security program was different—
`
`and better—at the time of the challenged 2019 statements than at the time of the
`
`2016 breach.
`
`The District Court’s dismissal. The District Court granted Zendesk’s
`
`motion on falsity and scienter grounds. The court did not reach loss causation.
`
`The District Court first ruled that Plaintiff had not adequately alleged that
`
`Zendesk’s statements about the strength of its security program were false. The
`
`court reasoned that in the challenged statements, Zendesk had described its current
`
`security program, not the program in place at the time of the breach—and Plaintiff
`
`had conceded that the program improved between 2016 and 2019. ER-16. The
`
`District Court noted that the only indication that Zendesk’s 2019 program was
`
`
`
`11
`
`
`
`Case: 21-15785, 10/13/2021, ID: 12256363, DktEntry: 27, Page 20 of 70
`
`flawed was the failure of the program to discover, retrospectively, the 2016 breach.
`
`Id. But because Zendesk had specifically cautioned investors about undetected
`
`breaches, that possible contemporaneous flaw did not render the challenged
`
`statements false. ER-17.
`
`The District Court separately considered whether Plaintiff had adequately
`
`pled that the challenged statements were misleading by way of omission. Here too,
`
`the court concluded that the SAC fell short:
`
`The challenged statements discussed Zendesk’s recent and
`contemporaneous data security practices. They did not imply that
`Zendesk had not suffered an undetected breach or that Zendesk’s
`employees had unfailingly complied with AWS best practices during
`and since 2016. Indeed, Zendesk’s warnings that it may experience
`an undetected data breach implied the possibility that, at some point,
`Zendesk’s data security measures had failed.
`ER-17. Having concluded that Plaintiff had failed to identify a false or misleading
`
`statement, the Court did not reach the element of materiality. ER-19 n.12.
`
`The District Court also concluded that Plaintiff had failed to plead facts
`
`sufficient to support the required strong inference of intentional fraud. Plaintiff
`
`had conceded that Zendesk did not determine that a breach had occurred until
`
`September 2019, and “given Zendesk’s lack of knowledge surrounding the data
`
`breach, the inference that Zendesk’s officers acted with fraudulent intent when
`
`failing to disclose Zendesk’s past security mistakes rests on a multitude of dubious
`
`premises.” ER-20. By the same token, Plaintiff had failed to plead facts showing
`
`
`
`12
`
`
`
`Case: 21-15785, 10/13/2021, ID: 12256363, DktEntry: 27, Page 21 of 70
`
`deliberate recklessness—that is, facts supporting the inference that Zendesk had
`
`“consciously disregarded a risk” that the allegedly undisclosed facts about flaws in
`
`its 2016 security program “made its general statements about data security in 2019
`
`misleading.” Id.
`
`The District Court rejected Plaintiff’s remaining scienter theories as well.
`
`Plaintiff asserted a “substanti