In re Facebook, Inc. Securities Litigation

United States District Court, N.D. California, San Jose Division

September 25, 2019




         This lawsuit stems from the revelation that Cambridge Analytica acquired the private Facebook data of millions of users and that, upon learning of this leak, Facebook allegedly attempted to suppress evidence of the breach contrary to its stated privacy policy.

         Plaintiffs are persons who purchased shares of Facebook common stock between February 3, 2017 and July 25, 2018 (the "Class Period"), who believe that Mark Zuckerberg, Sheryl K. Sandberg, and David M. Wehner, collectively Defendants, made materially false and misleading statements and omissions in connection with the purchase and sale of Facebook stock. See Consolidated Complaint ("Compl.") ¶ 1, Dkt. 86. They allege that Defendants violated Section 10(b), 20(a), and 20A of the Securities Exchange Act of 1934 (the "Exchange Act") and Rule 10b-5 promulgated thereunder because Defendants made guarantees that the Cambridge Analytica, and related data-privacy scandals, would not impact Facebook stock while knowing this to be false. Specifically, Plaintiffs focus on Defendants' statements and omissions "concerning Facebook's privacy and data protection practices" and their impact on Facebook's stock price during two time periods: March and July 2018.

         Defendants have filed a motion to dismiss the lawsuit arguing that Plaintiffs have not, and cannot, meet Rule 9(b)'s heightened pleading requirements for securities fraud and instead allege "an overarching hindsight theory." Motion to Dismiss ("Mot.") at 2, Dkt. 93. Defendants make four main arguments all centered around Plaintiffs' inability to meet the elements of securities fraud. First, Defendants argue Plaintiffs have not pled an actionable misstatement or omission because they have not identified any false statements. Defendants argue the 36 "actionable" statements or omissions Plaintiffs raise are, in fact, neither actionable nor fraudulent because Plaintiffs make no attempt to plead that Defendants lied or misled investors. As explained infra Section III.C.1.a., as to all the allegations, only Statement 22 is actionable.

         Second, Defendants argue Plaintiffs have not pled a strong inference of scienter because Plaintiffs do not (1) relate the alleged misstatements to any conduct establishing scienter or (2) show facts that the Defendants knew the challenged statements were false. Further, Defendants contend that Plaintiffs offer only conclusions without alleging any specific facts to support these conclusions. As explained infra Section III.C.2. the one actionable Statement, Statement 22 lacks scienter because Plaintiffs do not allege with sufficient particularity that Defendant Sandberg made the statement knowing it was false.

         Third, Defendants contend that Plaintiffs fail to plead loss causation since Defendants had already warned investors of a potential stock decline and cannot trace any corrective disclosure to the stock price's drop. Finally, Defendants argue that Plaintiffs cannot show reliance based on a "fraud-on-the market" theory because the Cambridge Analytica scandal was already known a year before the start of the putative class action and so the market already reacted to the data breach. The Court does not reach these arguments because it GRANTS the Motion to Dismiss on alternative grounds.

         Accordingly, the Plaintiffs do not adequately plead a securities fraud violation. Here, it is Plaintiffs' burden to point to plausible and particular facts tending to show fraudulent behavior by Defendants. Without such a showing, Plaintiffs cannot survive the higher evidentiary pleading standard enumerated in Rule 9 of the Federal Rules of Civil Procedure. See Fed. R. Civ. Pro. 9(b). Thus, for the reasons below, Defendants' Motion to Dismiss is GRANTED.

         I. BACKGROUND

         A. Factual Background[1]

         Facebook was founded by Mark Zuckerberg who is now the Chief Executive Officer ("CEO") of the company. Compl. ¶ 28. Sheryl Sandberg is the Chief Organization Officer ("COO") and David Wehner is the Chief Financial Officer ("CFO") of Facebook. Id. ¶¶ 30-31. Facebook is a social-media networking website that allows users to create profiles and share information about themselves to their "community." Id. ¶ 37. The platform also enables third-party developers' applications or websites ("apps") to access users' information. Id. ¶¶ 45-46. Importantly before 2015, a user could consent to an app developer gaining access to their personal data and the personal data of his or her friends (referred to herein as "third-party consent"). Id. ¶ 46.

         1. Relevant Agreements

         Facebook-User Agreements.

         The use and sharing of data on Facebook are governed by an agreement between Facebook and users, including Facebook's Data Policy (also referred to as the "Data Use Policy" and the "Privacy Policy"), Ex. 24 & 35, and the Terms of Service (formerly "Statement of Rights and Responsibilities"), Compl. ¶ 4, 60, 200, 232. These agreements explain how users can control the use of their data. Id. ¶ 301(b).

         Before 2015, Facebook's policies allowed users to share information about their friends with third-party app developers, i.e. "third-party consent." Id. ¶¶ 46, 82. Defendants subsequently announced that they would overhaul Facebook's privacy practices to better protect user data and would tell people if their data was shared with Cambridge Analytica. Id. ¶ 18. Specifically, in 2014, Facebook stated that changes would "dramatically limit the Facebook information apps could access," and "turn[ed] off users' ability to provide access to their friend's personal data." Id. ¶¶ 79, 251, 266(b), 280. However, in April 2018, it was revealed that Defendants still permitted third parties to access user data, known as "whitelisting." Id. ¶¶ 19, 140.

         Facebook-App Developer Agreements.

         Third-party app developers must agree to Facebook's Platform Policies before offering apps on Facebook. ¶¶ 176, 301. This limits the use and collection of user data and requires developers to explain what type of information they will collect and how it will be used. Id. The policy prohibits developers from selling, licensing, or purchasing user data and from transferring data to advertisers or data brokers. Id. ¶ 301(c).

         2. Relevant Events Allegedly Showing Material Misstatements or Omissions

         Aleksandr Kogan and Cambridge Analytica.

         In 2013, Kogan, a professor and data researcher at Cambridge University, developed an app called "thisisyourdigitallife." Id. ¶ 80-81. This app was a personality quiz; users were told that the results would be used only for academic purposes. Id. ¶ 81. Around 270,000 people installed the app and consented to the sharing of their data. Id. ¶¶ 81-82. Due to Facebook's privacy policies, app developers were able to access data about "thisisyourdigitallife" user's Facebook friends. Id.

         The December 2015 The Guardian Article and Defendants' Response.

         In December 2015, The Guardian reported that Kogan, through his company Global Science Research ("GSR"), sold information collected through the "thisisyourdigitallife" app to Cambridge Analytica, violating Facebook's policies. Id. ¶¶ 7, 150, 232, 280. This article indicated that Cambridge Analytica developed voter profiles using the data of tens of millions of Facebook users, which were then used for political purposes. Id. ¶¶ 80-81. Once news of the data leak broke, Defendants sent Cambridge Analytica a letter asking it to delete the data and provide confirmation of deletion. Id. ¶¶ 9, 90, 92, 96, 98, 150-51, 176. Defendants made no efforts to verify Cambridge Analytica's assurances that the data was deleted, investigate the extent of the use or distribution of data, or verify that the data had been deleted. Id. ¶ 9.

         Reemergence of the Cambridge Analytica Story in 2018.

         On March 17, 2018, three years after the original Cambridge Analytica story broke, The New York Times and The Guardian reported that Defendants delayed acting to address the Cambridge Analytica data breach and that data had not been deleted but was used in connection with President Donald Trump's campaign. Id. ¶¶ 150, 153-54. These reports allegedly contradicted Defendants' representations of data protection, specifically the fact that user data could still be accessed by developers without user's knowledge or consent, i.e., whitelisting. Id. ¶ 14, 19. Facebook did, however, immediately suspend Cambridge Analytica, its parent company, and Cambridge Analytica employees from the Facebook platform. Id. ¶ 150.

         In response to the stories, Facebook's common stock dropped nearly 7% on Monday, March 19, 2018, the first trading day after the news broke. Id. By March 27, 2018, the stock was trading as low as $152/share, a drop of nearly 18% in value from its price before the stories broke. Id. ¶ 15. The Securities and Exchange Commission ("SEC") began investigating "whether Facebook adequately warned investors that developers and other third parties may have obtained users' data without their permission or in violation of Facebook policies." Id. ¶ 16.

         Facebook's First Quarter 2018 Earnings Report ("1Q18") and the GDPR

         On April 25, 2018, Defendants released a favorable first quarter earnings report, 1Q18, which showed that user growth was unaffected by the continued Cambridge Analytica scandal. Id. ¶ 21. The report had quarterly revenue, earnings, and daily and monthly active user growth exceeding analyst expectations. Id. ¶¶ 21, 186, 188, 190, 270-71. Although a "handful" of advertisers had "paused spend" with Facebook after the Cambridge Analytica news, Defendants reported that this did not appear to reflect a "meaningful trend." Id. ¶ 274. Defendants also told investors that it anticipated expenses to increase year-over-year by "50% [to] 60%," because of the "significant investments [Facebook was] making in areas like safety and security" and due to increased hiring. Id. ¶ 275. The stock price climbed more than 9% following the release of this report. Id. ¶ 21. By July, Facebook's stock price was trading well above $200 per share. Id.

         The new European privacy legislation, the General Data Protection Regulation[2] (the "GDPR"), became effective the month after 1Q18 was released. Defendants addressed the possible impact of this legislation during the investor call. Id. ¶ 276. Defendants claimed that compliance with the GDPR would not be an issue because Facebook was almost compliant. Id. ¶ 20. On this call, however, Defendants noted that it was "early and difficult to know ... in advance" the business implications of the GDPR and anticipated that Facebook's European daily and monthly user base could "be flat to slightly down." Lutz Ex. 11, at 8, 23, Dkt. 95. Defendants noted that there was potential for impact and that they would monitor it closely. Id.

         Facebook's Second Quarter 2018 Earnings Report ("2Q18").

         The stock price increase ended on July 25, 2018 when Defendants released 2Q18, which showed a decline in total revenues. Id. ¶ 21. There, Defendants reported a significant decline in user-metrics in Europe, zero user growth in the United States, decelerating worldwide growth of active users, lower than expected revenue and earnings, and ballooning expenses affecting profitability. Id. As a result, the common stock price dropped nearly 19% on July 26, 2018, resulting in a single-day loss of approximately $100 billion in market capitalization. Id. ¶ 23. By July 30, 2018, the price of stock had fallen by 21%, shedding around $112 billion in market capitalization. Id.

         Defendants attributed the user growth slowdown to the effects of the "GDPR rollout, consistent with the outlook we gave on the Q1 call," but noted that the "vast majority of people [had continued] opting in to . . . third-party data use." Lutz Ex. 12 at 7, 18. Defendants maintain that this is consistent with their premonition during the Q1 call that there would be a "decline" in European users. Motion to Dismiss at 9, Dkt. 93.

         Defendants' Sale of Facebook Stock.

         During the Class Period, Defendant Zuckerberg sold approximately 30,000 Facebook shares for proceeds of more than $5.3 billion, while Sandberg sold $389 million worth and Wehner $21 million worth during the same period. Compl. ¶ 13. These included large sales during the first quarter of 2018-more than triple what Defendants sold in the last quarter of 2017-before the 2Q18 report was released. Id.

         3. Alleged Misstatements/Omissions

         Plaintiffs allege Defendants made a total of 36 materially misleading statements or omissions in press releases, SEC filings, earnings calls, and public remarks at conferences. The Court has arranged these statements chronologically and by source and bolded/italicized the relevant part of the statement.

         December 2015[3] Statements to The Guardian

         Statement 1

         "[M]isleading people or misusing their information is a direct violation of our policies and we will take swift action against companies that do ..."

         Statement 2

         "[I]ncluding banning those companies from Facebook and requiring them to destroy all improperly collected data."

         September 29, 2016 Facebook Privacy Policy

         Statement 3

         "We use the information we have to help verify accounts and activity, and to promote safety and security on and off of our Services, such as by investigating suspicious activity or violations of our terms or policies."

         Statement 4

         "We work hard to protect your account using teams of engineers, automated systems, and advanced technology such as encryption and machine learning"

         Statement 5

         "These partners must adhere to strict confidentiality obligations in a way that is consistent with this Data Policy and the agreements we enter into with them."

         Statement 6

         "Don't sell, license or purchase any data obtained from us or our services. . . . Don't transfer any data that you receive from us (including anonymous, aggregate or derived data) to any ad network, data broker or other advertising or monetization-related service. . . . Enforcement is both automated and manual, and can include disabling your app, restricting you and your app's access to platform functionality, requiring that you delete data, terminating our agreements with you or any other action that we deem appropriate"

         Statement 7

         "We notify our users with context around the status of their account and actionable recommendations if we assess they are at increased risk of future account compromise by sophisticated actors or when we have confirmed their accounts have been compromised"

         Statement 8

         "You own all of the content and information you post on Facebook, and you can control how it is shared through your privacy and application settings. In addition . . . [w]hen you use an application, the application may ask for your permission to access your content and information as well as content and information that others have shared with you. We require applications to respect your privacy, and your agreement with that application will control how the application can use, store, and transfer that content and information. (To learn more about Platform, including how you can control what information other people may share with applications, read our Data Policy and Platform Page.)."

         February 3, 2017 Facebook's 10-K Report: Data Breaches

         Statement 9

         "Security breaches and improper access to or disclosure of our data or user data, or other hacking and phishing attacks on our systems, could harm our reputation and adversely affect our business."

         Statement 10

         "... Any failure to prevent or mitigate security breaches and improper access to or disclosure of our data or user data could result in the loss or misuse of such data, which could harm our business and reputation and diminish our competitive position. In addition, computer malware, viruses, social engineering (predominantly spear phishing attacks), and general hacking have become more prevalent in our industry, have occurred on our systems in the past, and will occur on our systems in the future. As a result of our prominence, we believe that we are a particularly attractive target for such breaches and attacks. Such attacks may cause interruptions to the services we provide, degrade the user experience, cause users to lose confidence and trust in our products, or result in financial harm to us. Our efforts to protect our company data or the information we receive may also be unsuccessful due to software bugs or other technical malfunctions; employee, contractor, or vendor error or malfeasance; government surveillance; or other threats that evolve. In addition, third parties may attempt to fraudulently induce employees or users to disclose information in order to gain access to our data or our users' data."

         Statement 11

         "Although we have developed systems and processes that are designed to protect our data and user data, to prevent data loss, and to prevent or detect security breaches, we cannot assure you that such measures will provide absolute security."

         Statement 12

         "In addition, some of our developers or other partners, such as those that help us measure the effectiveness of ads, may receive or store information provided by us or by our users through mobile or web applications integrated with Facebook. We provide limited information to such third parties based on the scope of services provided to us. However, if these third parties or developers fail to adopt or adhere to adequate data security practices, or in the event of a breach of their networks, our data or our users' data may be improperly accessed, used, or disclosed."

         Statement 13

         "Affected users or government authorities could initiate legal or regulatory actions against us in connection with any security breaches or improper disclosure of data, which could cause us to incur significant expense and liability or result in orders or consent decrees forcing us to modify our business practices. Any of these events could have a material and adverse effect on our business, reputation, or financial results."

         February 3, 2017 Facebook's 10-K Report: Risks Related to Business and Industry

         Statement 14

         "If we fail to retain existing users or add new users, or if our users decrease their level of engagement with our products, our revenue, financial results, and business may be significantly harmed.

         The size of our user base and our users' level of engagement are critical to our success. . . . If people do not perceive our products to be useful, reliable, and trustworthy, we may not be able to attract or retain users or otherwise maintain or increase the frequency and duration of their engagement. ..."

         Statement 15

         "Any number of factors could potentially negatively affect user retention, growth, and engagement, including if:

         • there are decreases in user sentiment about the quality or usefulness of our products or concerns related to privacy and sharing, safety, security, or other factors;"

         Statement 16

         • "[T]echnical or other problems prevent us from delivering our products in a rapid and reliable manner or otherwise affect the user experience, such as security breaches or failure to prevent or limit spam or similar content;"

         Statement 17

         • "[W]e, developers whose products are integrated with our products, or other partners and companies in our industry are the subject of adverse media reports or other negative publicity."

         February 3, 2017 Facebook's 10-K Report: Unfavorable Media and Regulatory Investigations

         Statement 18

         "Unfavorable media coverage could negatively affect our business."

         Statement 19

         "We have been subject to regulatory investigations and settlements, and we expect to continue to be subject to such proceedings and other inquiries in the future, which could cause us to incur substantial costs or require us to change our business practices in a manner materially adverse to our business."

         April 27, 2017 White Paper

         Statement 20

         "Targeted data collection and theft can affect all types of victims .... [t]ypical methods include phishing with malware to infect a person's computer and credential theft to gain access to their online accounts. . . .

         Here are some of the steps we are taking:

         • Notifications to specific people if they have been targeted by sophisticated attackers, with custom ...
