Google is urging the Supreme Court to review a lower court's decision to allow investors to proceed with a claim that the company misled them by waiting too long to disclose a data breach that affected Google+ users.
In a petition made available this week, Google says the ruling -- which was issued by the 9th Circuit Court of Appeals -- could affect a broad swath of companies.
“Today, practically every company operates online or collects consumer data,” Google writes. “Under the Ninth Circuit’s rule, each of these companies -- and any others that include a similar risk disclosure -- must now also disclose every security or data privacy bug they have experienced, no matter how large or small, and no matter how far in the past, even if it was easily fixed and did not cause consumers harm. That is no easy matter.”
The battle between Google and the shareholders stems from the company's delay in disclosing software vulnerabilities -- including a bug that allowed hundreds of outside developers to access private information about Google+ users, including their birth dates, photos, occupations, and addresses. (Google shut down Google+ in 2019.)
Google allegedly learned of the security glitch in March 2018, and fixed it by April. But the company didn't publicly disclose it until October 2018, when The Wall Street Journal reported on the bug.
Google reportedly delayed disclosing information about the glitch because it feared regulatory scrutiny and bad publicity.
News of the data breach led to a class-action lawsuit on behalf of users, which Google settled for $7.5 million.
Investors, led by the treasurer of Rhode Island (who sued on behalf of the state's pension system), alleged in a separate lawsuit that Google violated securities laws by failing to reveal the data breach in the company's April or July 2018 filings with the Securities and Exchange Commission.
U.S. District Court Judge Jeffrey White in San Francisco dismissed the investors' complaint last year. He ruled that even if the allegations in the investors' complaint were true, they wouldn't show that Google had made any false or misleading statements in its regulatory submissions.
He noted in his decision that Google had already remedied the software bug before its April filing.
A three-judge panel of the 9th Circuit reversed White's decision. Those judges said the investors' complaint raised the inference that the company made a decision to deliberately conceal the cybersecurity bug.
Google is now asking the Supreme Court to review that ruling.
The company argues in its new petition that its securities filings didn't mislead investors about possible risks.
“A 'risk' is the possibility of a future harm or loss. It captures what might occur, not what has occurred,” Google writes. “And because a reasonable investor understands that a 'risk' captures the future and does not summarize the past, omitting a past event from the 'risk factor' section of a securities filing is not misleading.”
The investors' response is due by November 24.