
Siding against Google, a federal appellate court has revived
shareholders' claims that the company violated violated securities laws by waiting too long to disclose a data breach that affected Google+ users.
In an opinion issued this week, the 9th
Circuit Court of Appeals wrote that the investors' complaint raised an inference that Google “intentionally did not disclose the cybersecurity information to the public in order to avoid or
delay the impacts disclosure could have on regulatory scrutiny, public criticism, and loss of consumer confidence.”
The decision reverses a trial judge's dismissal of a lawsuit brought
by various investors, including the treasure of Rhode Island (who sued on behalf of the state's pension system), against Google parent company Alphabet.
The battle stems from Google's delay in
disclosing software vulnerabilities -- including a bug allowed hundreds of outside developers to access private information about Google+ users, including their birth dates, photos, occupations, and
addresses. (Google shut down that service in 2019.)
Google allegedly learned of the security glitch in March of 2018, and fixed it by April. But the company didn't publicly disclose it until
October of 2018, when The Wall Street Journal reported on the issue.
Google reportedly delayed disclosing information about the glitch due to fears of regulatory scrutiny
and bad publicity.
The investors alleged that Google violated securities laws by failing to reveal the data breach in the company's April or July filings with the Securities and Exchange
Commission.
The company's April filing didn't mention the potential data leak, and said there hadn't been any “material changes” to
risk factors that year.
U.S. District Court Judge Jeffrey White in San Francisco dismissed the investors' lawsuit last year. He ruled that even if the allegations in the complaint were
true, they wouldn't show that Google had made any false or misleading statements in its regulatory submissions. His decision noted that Google had already remedied the software bug before its April
filing.
A three-judge panel of the 9th Circuit noted that Google reportedly discovered the bug at around the same time that revelations about data harvesting by Cambridge Analytica was roiling
the tech industry.
The judges said that, given the timing of Google's disclosure, the investors' complaint raised the inference that the company made a decision to deliberately conceal the
cybersecurity bug.
“The competing inference that Alphabet knew of this information but was merely negligent in not disclosing it is not plausible,” Circuit Judge Sandra Ikuta wrote
in an opinion joined by Judges Sidney Thomas and Jacqueline Nguyen.
In addition to the shareholders' lawsuit, Google also was hit with a class-action on behalf of Google+ users. The company
settled that matter for $7.5 million.