Siding against Google, a federal appellate court has revived shareholders' claims that the company violated violated securities laws by waiting too long to disclose a data breach that affected Google+ users.
In an opinion issued this week, the 9th Circuit Court of Appeals wrote that the investors' complaint raised an inference that Google “intentionally did not disclose the cybersecurity information to the public in order to avoid or delay the impacts disclosure could have on regulatory scrutiny, public criticism, and loss of consumer confidence.”
The decision reverses a trial judge's dismissal of a lawsuit brought by various investors, including the treasure of Rhode Island (who sued on behalf of the state's pension system), against Google parent company Alphabet.
The battle stems from Google's delay in disclosing software vulnerabilities -- including a bug allowed hundreds of outside developers to access private information about Google+ users, including their birth dates, photos, occupations, and addresses. (Google shut down that service in 2019.)
Google allegedly learned of the security glitch in March of 2018, and fixed it by April. But the company didn't publicly disclose it until October of 2018, when The Wall Street Journal reported on the issue.
Google reportedly delayed disclosing information about the glitch due to fears of regulatory scrutiny and bad publicity.
The investors alleged that Google violated securities laws by failing to reveal the data breach in the company's April or July filings with the Securities and Exchange Commission.
The company's April filing didn't mention the potential data leak, and said there hadn't been any “material changes” to risk factors that year.
U.S. District Court Judge Jeffrey White in San Francisco dismissed the investors' lawsuit last year. He ruled that even if the allegations in the complaint were true, they wouldn't show that Google had made any false or misleading statements in its regulatory submissions. His decision noted that Google had already remedied the software bug before its April filing.
A three-judge panel of the 9th Circuit noted that Google reportedly discovered the bug at around the same time that revelations about data harvesting by Cambridge Analytica was roiling the tech industry.
The judges said that, given the timing of Google's disclosure, the investors' complaint raised the inference that the company made a decision to deliberately conceal the cybersecurity bug.
“The competing inference that Alphabet knew of this information but was merely negligent in not disclosing it is not plausible,” Circuit Judge Sandra Ikuta wrote in an opinion joined by Judges Sidney Thomas and Jacqueline Nguyen.
In addition to the shareholders' lawsuit, Google also was hit with a class-action on behalf of Google+ users. The company settled that matter for $7.5 million.