United States: Recent Updates on Two Closely Watched Class Actions for Cybersecurity Fraud and Privacy-Related Securities Fraud


Observers are awaiting rulings in a number of cybersecurity and privacy-related securities fraud class actions with potentially significant implications for corporate liability. In recent weeks, critical developments have emerged in two of these cases: the defendants’ motion to dismiss was granted in part and denied in part in In re Zoom Securities Litigation, and the Supreme Court denied certiorari on the Ninth Circuit’s decision reviving the claims in Alphabet Inc. vs. Rhode Island.

On February 16, 2022, Judge James Donato of the U.S. District Court for the Northern District of California issued an order granting in part and denying in part the Zoom Defendants’ motion to dismiss.

Shareholder plaintiffs sued Zoom in April 2020, after widespread adoption of Zoom’s video communications software led to a series of reports that undermined the company’s claims that it offered end-to-end encryption and that examined the company’s data collection practices. The plaintiff shareholders alleged that Zoom, its CEO and its chief financial officer violated federal securities laws by making false and misleading statements and omissions about the company’s data security capabilities in certain introductory stock exchange documents. In December 2020, the lead plaintiff filed a consolidated complaint on behalf of shareholders who purchased or acquired Zoom securities between April 18, 2019 and April 6, 2020.

In particular, the complaint challenged 15 of the company’s statements. With respect to 14 of the 15 challenged statements, the Court dismissed the plaintiff shareholder’s claims for failing to adequately allege that the defendants acted with scienter, or fraudulent intent. The Court first ruled that the complaint did not state a claim against Zoom’s CEO and CFO because the disputed statements regarding the extent of the company’s collection and use of personal customer data were loosely attributed to Zoom or the “defendants”, as opposed to a specific individual. Additionally, the Court ruled that the complaint did not state a claim against Zoom because there was no allegation that Zoom’s public statements were “so material and so dramatically untrue that they created a strong inference that at least some company officials knew of their falsity at the time of publication.” Accordingly, the Court held that in the absence of allegations that specific individuals made or published the challenged statements, there could be no finding of intent or knowledge of wrongdoing by the company.

However, the Court allowed the plaintiff’s claims against Zoom and Zoom’s CEO to proceed with respect to a single alleged misrepresentation that appeared in Zoom’s April 18, 2019 registration statement and prospectus: “We offer robust security capabilities, including end-to-end encryption, secure login, administrative controls, and role-based access controls.” The Court found that the CEO “made” the statement because he signed the registration statement. The Court found that the plaintiff had adequately alleged that the statement was false and misleading in light of an April 2020 blog post by the CEO stating that the company had “failed to meet community expectations — and ours — on privacy and security” and another post that apologized “for the confusion we caused by falsely suggesting that Zoom meetings were capable of using end-to-end encryption. ... While it was never our intention to deceive any of our customers, we recognize that there is a gap between the accepted definition of end-to-end encryption and how we use it.”

The defendants argued that the apology was not an admission that Zoom knowingly misled investors. The Court disagreed, noting that the plaintiff had sufficiently pleaded that the statement “[w]e offer robust security capabilities, including end-to-end encryption…” was made with intent to defraud or, at minimum, with willful recklessness, based on the CEO’s (1) advanced degree in engineering, (2) previous role as a founding engineer of a web conferencing platform, (3) leading role in the “Zoom Meetings Platform Design Effort”, and (4) identification on “several patents relating specifically to encryption techniques” file a motion for partial reconsideration of the Court’s order.

On March 7, 2022, two weeks after the Northern District of California resolved the motion to dismiss in Zoom, the U.S. Supreme Court declined, without further explanation, to consider Alphabet’s appeal of the Ninth Circuit’s decision in another cybersecurity-related case, Alphabet Inc. vs. Rhode Island. The Alphabet litigation dates back to October 2018, when investors sued Google LLC, its parent company Alphabet Inc., and various executives after reports emerged that the company had discovered two software bugs that potentially exposed the personal data of some users of the Google+ social network.

Plaintiff shareholders allege Alphabet misled investors when it allegedly disclosed in its SEC filings a risk that the company could face cybersecurity threats in the future, but did not disclose that it had previously identified a software bug related to the Google+ social network that exposed user data. Although the District Court initially dismissed the majority of the claims, the Ninth Circuit vacated, finding that “[r]isk disclosures that speak entirely of risks and contingencies not yet realized and do not alert the reader that some of those risks may have already materialized may mislead reasonable investors.” The Supreme Court declined to rule on the debate, leaving in place the Ninth Circuit’s decision to revive the proposed class action lawsuit. Zoom is yet another important data point in the developing story about whether securities litigation will remain a new front on which to litigate cybersecurity and data privacy issues.
