Page 1
Securities Fraud Action Against Facebook Partly Reinstated
Ninth Circuit Panel’s Majority Faults Statement in Filing That Users’ Data Might Be Harvested When It Had Been
By a MetNews Staff Writer
The Ninth U.S. Circuit Court of Appeals yesterday reinstated the bulk of claims in a securities fraud action against Facebook brought by shareholders, holding that they adequately pled that the social media giant had stated in a 2016 filing that users’ data “could” be compromised while it well knew that massive intrusions had occurred.
“Because Facebook presented the prospect of a breach as purely hypothetical when it had already occurred, such a statement could be misleading even if the magnitude of the ensuing harm was still unknown,” Judge M. Margaret McKeown wrote.
Senior Judge Jay S. Bybee joined in her opinion and Judge Patrick J. Bumatay wrote a partial dissent.
Stock Price Drops
Plaintiffs are those who purchased common stock between Feb. 3, 2017—when Facebook filed with the Securities Exchange Commission (“SEC”) its 2016 SEC Form 10-K containing “risk factor” statements—and July 25, 2018, when, following scandals, it announced low growth and diminishing profits, causing the stock price to plummet nearly 19 percent.
The scandals entailed Facebook’s undisclosed awareness of gaps in its security, as well as false proclamations that users had control over their data when, in fact, it “whitelisted” companies such as Apple, Microsoft, and Samsung, allowing them access to users’ data, without their consent. The whitelisting was in violation of a 20-year consent decree under which it settled an action brought by the Federal Trade Commission (“FTC”) in 2012.
(By virtue of its violations of the decree, it was forced to pay a $5 billion penalty in 2019.)
Newspaper’s Report
Faultiness of its security came to light when The Guardian, a daily London newspaper, reported on Dec. 11, 2015:
“Ted Cruz’s presidential campaign is using psychological data based on research spanning tens of millions of Facebook users, harvested largely without their permission, to boost his surging White House run and gain an edge over Donald Trump and other Republican rivals, the Guardian can reveal.
“A little-known data company, now embedded within Cruz’s campaign and indirectly financed by his primary billionaire benefactor, paid researchers at Cambridge University to gather detailed psychological profiles about the US electorate using a massive pool of mainly unwitting US Facebook users built with an online survey.”
The company was Cambridge Analytica. It harvested users’ personal data from Facebook and sold it not only to the 2016 campaign committee for U.S. Sen. Ted Cruz, R-Texas, for use in his bid for the Republican nomination for president, but to the committee for Donald Trump after he secured the nomination, and to the Brexit Leave campaign which supported a vote in favor of Great Britain withdrawing from the European Union.
Partial Reversal
District Court Judge Edward J. Davila of the Northern District of California dismissed the third amended complaint without leave to amend. In her opinion affirming in part and reversing in part, McKeown said:
“The essence of the challenged risk statements is that, although Facebook knew Cambridge Analytica had improperly accessed and used Facebook users’ data, Facebook represented in its 2016 Form 10-K that only the hypothetical risk of improper third-party misuse of Facebook users’ data could harm Facebook’s business, reputation, and competitive position. For example, Facebook’s 2016 10-K warned that the ‘failure to prevent or mitigate security breaches and improper access to or disclosure of our data or user data could result in the loss or misuse of such data’ and that if ‘third parties or developers fail to adopt or adhere to adequate data security practices...our data or our users’ data may be improperly accessed, used, or disclosed.’ ”
McKeown specified:
“The inadequacy of the risk statements…is not that Facebook did not disclose Cambridge Analytica’s breach of its security practices. Instead, the problem is that Facebook represented the risk of improper access to or disclosure of Facebook user data as purely hypothetical when that exact risk had already transpired. A reasonable investor reading the 10-K would have understood the risk of a third party accessing and utilizing Facebook user data improperly to be merely conjectural.”
Stock Value
Davila ruled that the plaintiffs had not adequately pled causation in connection with two sharp declines in the value of the stock: that which occurred on July 25, 2018, the last date in the class period, and one on March 16, 2018. McKeown, for the most part, disagreed with Davila.
The March falling off of the stock price followed news reports that personal data from millions of users had been harvested and that Facebook had failed to disclose what it knew about security breaches. The July plunge occurred after the New York Times on June 3, 2018, disclosed Facebook’s whitelisting policy and continuing coverage of data-harvesting by Cambridge Analytica.
McKeown said as to the diminished value in March:
“Most of the challenged user control statements occurred after the March 16, 2018 revelation about Cambridge Analytica and thus cannot be pegged to the March 2018 stock price drop. However, the user control statements that preceded the revelation are relevant here, and the shareholders adequately pleaded loss causation as to the statements assuring users that they control their content and information on the platform.”
Addressing the July decline, she wrote:
“[T]he shareholders adequately pleaded that the Cambridge Analytica and whitelisting revelations, not any other factor, caused the July 2018 stock price drop. Although the stock drop occurred nearly two months after the whitelisting revelation, the shareholders sufficiently allege that the drop was caused by ‘dramatically lowered user engagement, substantially decreased advertising revenue and earnings, and reduced growth expectations going forward’ on account of the Cambridge Analytica and whitelisting scandals.”
Spokesperson’s Statement
A March 4, 2017 article in The Guardian quoted a Facebook spokesperson as saying: “Our investigation to date has not uncovered anything that suggests wrongdoing with respect to Cambridge Analytica’s work on the Leave and Trump campaigns.” That, the investors argued, was a false representation.
McKeown responded:
“The district court held that the shareholders failed to plead scienter as to the Cambridge Analytica investigation statements. We agree.”
She elaborated:
“Nothing in the complaint suggests that the Cambridge Analytica investigation statements involved an extreme departure from the standards of ordinary care, and the shareholders thus fall short of raising a strong inference that the spokesperson acted with the necessary malintent.”
A stand-alone claim based on the whitelisting was properly dismissed, McKeown said.
Bumatay’s Opinion
Bumatay agreed that the shareholders had not adequately pled scienter in connection with the spokesperson’s statement in connection with Facebook’s investigation. He also agreed that causation of loss had been pled—but only from the whitelisting.
The jurist opined that Facebook had not made fraudulent statements in its 2016 filing nor had it made false utterances concerning user control.
With respect to the 2016 filing, he wrote:
“Taken together, Facebook’s risk factor statements warn about harm to its ‘reputation’ and ‘business’ that may come to light if the public or the government learns about improper access to its data. These statements do not represent that Facebook was free from significant breaches at the time of the filing. And if a reasonable investor thought so based on Facebook’s 10-K statements, that ‘reasonable’ investor wasn’t acting so reasonably.”
He added:
“[N]one of the 10-K risk factor statements are false or misleading. The statements advise that improper access to data could harm Facebook’s reputation and business. And Shareholders have not sufficiently alleged that Facebook knew its reputation and business were already harmed at the time of the filing of the 10-K. Nor do they allege that Facebook was aware of government entities or users launching regulatory or legal actions based on the Cambridge Analytica scandal in February 2017.”
He went on to say:
“Here, a supposed bad actor violating Facebook’s privacy controls to improperly access user data doesn’t make the company’s statements about its policies misleading.
“What makes our ruling all the more odd is that much of the Cambridge Analytica scandal was already public by the time of the user control statements….We thus should have limited Facebook’s liability for the user control statements to the ‘whitelisting’ allegations.”
The case is Amalgamated Bank v. Facebook, Inc., 22-15077.
Copyright 2023, Metropolitan News Company