Data Privacy & Securities Fraud: The Ninth Circuit Confirms Obligations Regarding Materialized Privacy Risks and Loss Causation Analysis in Data Privacy Context

By Nicholas R. Lange

On December 5, 2023, a three-judge panel in In re Facebook, Inc. Sec. Litig., 87 F.4th 934 (9th Cir. 2023) (“In re Facebook”) voted to deny the defendant appellee Facebook, Inc.’s (“Facebook”) petition for panel rehearing and rehearing en banc of the Ninth Circuit’s October 18, 2023 ruling reversing the dismissal of claims against Facebook. In rejecting Facebook’s request for rehearing and confirming its findings by way of its December 5, 2023 amended order, the Ninth Circuit reiterated, inter alia, two important findings with respect to Facebook’s widely-publicized Cambridge Analytica scandal: 1) companies cannot make reference to data privacy risks as merely hypothetical where those risks have already materialized and 2) loss causation is adequately alleged where disclosures reveal the significance of a company’s fraud to the market, even where the fraud was initially revealed to shareholders four months earlier.

Shareholders commenced this securities fraud action on March 20, 2018 against Facebook and several of its executives, including Mark Zuckerberg, in the wake of the company’s Cambridge Analytica scandal that came to light in 2018. In March 2018, news broke that Cambridge Analytica improperly harvested and retained personal data from millions of Facebook users. Id. at 941. In the months following this news, the public learned that Facebook failed to inform its users of Cambridge Analytica’s misconduct despite being aware of it for over two years. Id. Following this shocking revelation, Facebook’s stock price suffered two drops totaling over $200 billion. Id. Shareholders filed suit, alleging in their operative complaint that Defendants violated Sections 10(b), 20(a), and 20A of the Securities Exchange Act of 1934 by making materially misleading statements and omissions regarding, inter alia, the risk of improper access to Facebook users’ data, Facebook’s internal investigation into Cambridge Analytica, and the control Facebook users have over their data. Id. Ultimately, shareholders filed three amended complaints that the District Court dismissed, the third dismissal being with prejudice. Id. at 946.

False Statements of “Hypothetical” Privacy Risks

            In reversing the District Court’s dismissal of certain claims, the Ninth Circuit described the “essence” of the challenged risk statements as Facebook representing that only hypothetical risks of improper third-party misuse of its users’ data could harm its business, while in reality, Facebook already knew Cambridge Analytica accessed and used its users’ data. Id. at 948.[1] In dismissing claims predicated on these statements, the District Court incorrectly found the statements inactionable because Cambridge Analytica’s misconduct was public knowledge when the statements were made, and because the complaint did not allege that Cambridge Analytica’s scandal was already causing such harm when the statements were made. Id.

            The District Court’s dismissal, however, did not have the benefit of the Ninth Circuit’s recent ruling in another data privacy securities case: In re Alphabet Sec. Litig., 1 F.4th 687, 699 (9th Cir. 2021), which the majority in In re Facebook analogized to. There, Alphabet reiterated risk warnings that its privacy and security practices “could” harm its operations despite learning earlier that year that a privacy bug had threatened thousands of users’ personal data for three years. Id. at 694-696. Like in In re Alphabet, shareholders in In re Facebook alleged more than enough to support Facebook’s knowledge that its purportedly “hypothetical” data privacy concerns had already materialized. In re Facebook, 87 F.4th at 949.

            Writing for the majority in In re Facebook, Circuit Judge McKeown addressed several assertions made in the dissent, including the assertion that Facebook need not have represented that it was free from significant breaches at the time of the filing because Facebook represented that “the risk of improper access […] of Facebook user data” was purely hypothetical. Id (emphasis added). Judge McKeown also found that “[b]ecause Facebook presented the prospect of a breach as purely hypothetical when it had already occurred, such a statement could be misleading even if the harm did not yet materialize or if the magnitude of the ensuring harm was still unknown.” Id. at 950 (emphasis added). And although articles released at the time of Facebook’s false risk warnings may have raised concerns about Cambridge Analytica’s conduct, this was not sufficient to “counterbalance any misleading impression” because the full extent of Cambridge Analytica’s misconduct was not yet public. Id.

            Loss Causation

            The Ninth Circuit also reversed the dismissal of several statements regarding Facebook’s assurances to users that they had full control over their information and privacy settings related to two stock drops. First, with respect to the March 2018 stock drop of over $100 billion, the majority found that the March 2018 revelation about Cambridge Analytica was the first time shareholders were alerted that Facebook users did not have complete control over their own data. Id. at 955. Notably, the majority found loss causation despite the dissent noting that “much of the Cambridge Analytica scandal was already public by the time of the user control statements.” Id. at 963. The majority distinguished the total mix of information available to shareholders prior to March 2018 from the information revealed in the corrective disclosure by noting that prior news reports did not reveal that Cambridge Analytica misused the data. Id. at 955. For example, Facebook’s public response prior to the corrective disclosure was that it was still “carefully investigating” Cambridge Analytica’s use of the data. Id.

            Additionally, the majority reversed on loss causation with respect to the July 2018 stock drop, which also represented a loss of approximately $100 billion and was, at the time, the largest single-day stock price drop in U.S. history. Id. This reversal was noteworthy to the extent it was based on the same Cambridge Analytica news that gave rise to the March 2018 drop. As Defendants argued in their petition for rehearing, by reversing on loss causation with respect to the Cambridge Analytica reports, the Ninth Circuit “embraced the unprecedented theory that the same corrective disclosure—here, the March 2018 Cambridge Analytica reports—caused two separate stock drops four months apart” without identifying “a single case in any jurisdiction endorsing a similar theory of loss causation.” In re Facebook, Inc. Sec. Litig., No. 22-15077, ECF 501, at 13 (9th Cir. Nov. 1, 2023). The majority stood by its reversal order, explaining that although the July 2018 drop was predicated by a disappointing second quarter earnings report detailing “dramatically lowered user engagement, substantially decreased advertising revenue and earnings, and reduced growth expectations going forward”, the July 2018 stock drop revealed new information to the market. In re Facebook, 87 F.4th at 956.[2] Here, the majority clarified that the poor earnings results were “on account of the Cambridge Analytica and whitelisting scandals” and that the poor earnings results constituted new information in that they allowed the public to appreciate for the first time the significance of the scandals. Id.

            Practice Points

  • Companies can be subjected to liability under the Exchange Act for data breaches and violations of privacy policies even if they never affirmatively stated that no such breaches or violations occurred. In re Facebook (and In re Alphabet) demonstrate scenarios in which these privacy risks already materialized, subjecting companies to liabilities for portraying them as mere potentialities.

  • As In re Facebook demonstrates, the loss causation analysis turns on information available to the public at the time of the corrective disclosure. Whether Defendants knew or should have known of fraud or misconduct prior to the corrective disclosure cannot defeat loss causation if such information was not available to the public. See id. at 943, 954-55 (Facebook’s public response was that its investigation was ongoing, despite internally noting that information was collected in violation of policies and requesting privately that Cambridge Analytica delete data).
  • Plaintiff-side practitioners should think twice before excluding corrective disclosures because information was already public. In In re Facebook, loss causation was sustained even where information previously available to the public included: 1) a majority of details underlying the Cambridge Analytica scandal; 2) that Facebook was “carefully investigating” Cambridge Analytica’s use of private data; 3) that misusing user data was a violation of policies; 4) that the company would “take swift action” against third parties found to have misused user data; and 5) that data from Facebook may have been used to benefit the Trump presidential campaign. Even though this information insinuated a misuse of Facebook users’ private data, it was not yet conclusively revealed that Cambridge Analytica actually misused the data. Id. at 943-944, 954.

  • In finding the July 2018 stock drop allowed the market to appreciate the “significance” of scandals that were publicly disclosed two and four months earlier (the latter of which gave rise to the March 2018 stock drop), the court reiterated that there is no bright-line temporal cutoff to loss causation analyses. Plaintiff practitioners should carefully consider all implications of corrective disclosures before excluding corresponding stock drops.

[1] For example, Facebook's 2016 10-K warned that the “failure to prevent or mitigate security breaches and improper access to or disclosure of our data or user data could result in the loss or misuse of such data” and that if “third parties or developers fail to adopt or adhere to adequate data security practices ... our data or our users' data may be improperly accessed, used, or disclosed.” Id.

[2] The Ninth Circuit found two separate groups of corrective disclosures each caused the July 2018 stock drop: the Cambridge Analytica reports giving rise to the March 2018 stock drop and a “whitelisting” revelation that surfaced on June 3, 2018, disclosing to shareholders that Facebook allowed certain applications to override user privacy settings.   Id. at 946, 956.

Sign up to receive expert insights on securities and class action law straight to your inbox.