By Anne Sherry, J.D.
The Supreme Court denied Alphabet’s petition for certiorari to review a Ninth Circuit decision reviving a securities fraud claim against the company. Shareholders alleged that Alphabet knew of a privacy vulnerability in the Google+ social network but concealed that fact, falsely stating in its next quarterly report that its risk factors had not changed. In appealing to the Supreme Court, Alphabet argued that the ruling deepened a six-circuit split over whether risk factors may be solely forward-looking or must include past information (Alphabet Inc. v. Rhode Island, cert den. March 7, 2022).
In 2018, Google discovered a longstanding bug in its software that allowed third parties to collect data from users of Google’s social network without the users’ consent. The discovery coincided with increased regulatory scrutiny of Facebook in the wake of the Cambridge Analytica scandal. In an effort to “buy time,” keep the spotlight on Facebook, and avoid its executives having to testify before Congress, Alphabet decided not to disclose the bug right away. Indeed, it said in its next quarterly report, “There have been no material changes to our risk factors” since the most recent annual report. The Wall Street Journal exposed the bug—and Google’s knowledge of the bug—later in 2018, and Alphabet’s share price declined.
Shareholders sued, and while the district court dismissed the action for failure to state a claim, the Ninth Circuit vacated and remanded for further proceedings. The appellate panel concluded that the complaint’s allegations, taken as a whole, raised a strong inference that Larry Page—and Alphabet by extension—knew about the software vulnerabilities, and that Alphabet intentionally did not disclose the issue in its Form 10-Q. “Risk disclosures that speak entirely of as-yet-unrealized risks and contingencies and do not alert the reader that some of these risks may already have come to fruition can mislead reasonable investors,” the panel reasoned.
In its petition for certiorari, Alphabet argued that risk factor disclosure must not include past risks that have come to fruition. “A ‘risk’ is the possibility of a future harm or loss,” Alphabet wrote, “It captures what might occur, not what has occurred.” The Fourth and Sixth Circuits follow this “common sense” interpretation, while the First, Third, Ninth, and D.C. Circuits, along with the Southern District of New York, require companies to disclose if a past risk has materialized, the petition argued.
But the respondent disagreed with Alphabet’s reading. In the respondent’s view, whether statements or omissions mislead depends on the context; there is no bright-line rule as urged by Alphabet. The brief in opposition quotes the SEC’s interpretive guidance on cybersecurity disclosures as making clear that “companies may need to disclose previous or ongoing cybersecurity incidents or other past events in order to place discussions of these risks in the appropriate context.” Indeed, the respondent sees no conflict among the circuits because they all agree that context is key to whether risk disclosures are materially false. Neither the Fourth nor Sixth Circuit follows a rule that companies never need to include past events in their risk disclosures, according to the brief.
In reply, Alphabet countered that the respondent misreads the leading Sixth Circuit case (Bondali v. Yum! Brands, Inc., 620 F. App'x 483 (6th Cir. 2015)) as undermining, rather than underscoring, the disagreement among circuits. In doing so the respondent ignores the problems raised by the Ninth Circuit’s decision and the plain meaning of “risk” as referring to future events. Alphabet pushed back on the respondent’s arguments on materiality, saying that materiality is not at issue; the question is whether omitting a past event in a risk disclosure constitutes a securities violation in the first place.
The case is No. 21-594.