Google is urging the Supreme Court to review a lower court's
decision to allow investors to proceed with a claim that the company misled them by waiting too long to disclose a data breach that affected Google+ users.
In a petition made available this week, Google says the ruling -- which was issued by the 9th
Circuit Court of Appeals -- could affect a broad swath of companies.
“Today, practically every company operates online or collects consumer data,” Google writes. “Under the
Ninth Circuit’s rule, each of these companies -- and any others that include a similar risk disclosure -- must now also disclose every security or data privacy bug they have experienced, no
matter how large or small, and no matter how far in the past, even if it was easily fixed and did not cause consumers harm. That is no easy matter.”
The battle between Google and the
shareholders stems from the company's delay in disclosing software vulnerabilities -- including a bug that allowed hundreds of outside developers to access private information about Google+ users,
including their birth dates, photos, occupations, and addresses. (Google shut down Google+ in 2019.)
Google allegedly learned of the security glitch in March 2018, and fixed it by April. But
the company didn't publicly disclose it until October 2018, when The Wall Street Journal reported on the bug.
Google reportedly delayed disclosing information about the
glitch because it feared regulatory scrutiny and bad publicity.
News of the data breach led to a class-action lawsuit on behalf of users, which Google settled for $7.5 million.
Investors, led by the treasurer of Rhode
Island (who sued on behalf of the state's pension system), alleged in a separate lawsuit that Google violated securities laws by failing to reveal the data breach in the company's April or July 2018
filings with the Securities and Exchange Commission.
U.S. District Court Judge Jeffrey White in San Francisco dismissed the investors' complaint last year. He ruled that even if the
allegations in the investors' complaint were true, they wouldn't show that Google had made any false or misleading statements in its regulatory submissions.
He noted in his decision that
Google had already remedied the software bug before its April filing.
A three-judge panel of the 9th Circuit reversed White's decision. Those judges said the investors' complaint raised the
inference that the company made a decision to deliberately conceal the cybersecurity bug.
Google is now asking the Supreme Court to review that ruling.
The company argues that in its
new petition that its securities filings didn't mislead investors about possible risks.
“A 'risk' is the possibility of a future harm or loss. It captures what might occur, not what has
occurred,” Google writes. “And because a reasonable investor understands that a 'risk' captures the future and does not summarize the past, omitting a past event from the 'risk factor'
section of a securities filing is not misleading.”
The investors' response is due by November 24.