When Facebook learned that the personal data of its users had been harvested by a British consulting firm named Cambridge Analytica in 2018, the social media giant violated the Securities and Exchange Act by failing to disclose the data breach to its stockholders for two years. Instead, the Menlo Park-based company made misleading statements and omissions about the “risk of improper access to user data, about its internal investigation into the breach, and about the amount of control users have over their own personal data.” When stock prices plummeted after the public learned of the breach, shareholders sued.

The stockholders had many complaints against Facebook, three of which were reviewed in this decision. First, they claimed that the company’s 2016 filings with the Securities and Exchange Commission (SEC) were false because Facebook only acknowledged that its users’ data “could” be compromised, even though it was aware that huge breaches had occurred. When Facebook challenged this claim, the U.S. District Court for the Northern District of California ruled in favor of the company because it agreed that the stockholders had “failed to prove falsity.” Now, a three-justice panel of the Ninth Circuit Court of Appeal has reversed this part of the ruling, so this portion of their suit can proceed.

The Ninth Circuit panel was comprised of Circuit Judges M. Margaret McKeown, Jay S. Bybee, and Patrick J. Bumatay. McKeown authored the opinion, which was partially concurred and partially dissented by Judge Bumatay.

The second stockholder complaint examined whether, under the “heightened standard of the Private Securities Litigation Act, the shareholders “adequately pleaded scienter as to Cambridge Anayltica’s investigation statements.” Scienter is a legal term that requires shareholders to prove that Facebook had intent or knowledge of its wrongdoing. Even though a Facebook spokesperson told the media that its internal investigation had not uncovered any evidence of wrongdoing, the Ninth Circuit ruled that scienter had not been proved because the shareholders only pleaded that the company’s spokesperson “should have known” about the misconduct. This failed to meet the standard of actual knowledge, despite a strong inference of “intent to deceive, manipulate or defraud.”

Third, the Ninth Circuit reviewed whether the stockholders “adequately pleaded loss causation about what it called “user control statements.” It ruled that the district court properly dismissed Facebook’s statements about its “goals of transparency and control” because those statements were not false when Facebook made them. The statements, in fact, had preceded the data breach and stock price drop. This issue was remanded for additional proceedings.

Facebook’s problems with Cambridge Analytica began in 2015 when The Guardian, a daily newspaper based in London, reported that the consulting firm had created a database of information by harvesting Facebook’s data that was gathered from an online Facebook quiz developed by a Cambridge academic named Aleksandr Kogan. When Facebook integrated Kogan’s quiz into its data, “Kogan gained access” to the data of those who took the quiz “as well as data from their Facebook friends who had not taken the quiz,” including their names, gender, location, birthdate, ‘likes’ and list of Facebook friends.

This gave Kogan data from over 30 million Facebook users. Kogan subsequently developed an algorithm that assigned “personality scores” to the users and matched their scores to their voting preferences. The Guardian wrote that this data “helped Ted Cruz,” a Republican presidential candidate to “gain an edge over Donald Trump.” The Guardian wrote, “A little-known data company, now embedded within Cruz’s campaign and indirectly financed by his primary billionaire benefactor, paid researchers at Cambridge University to gather detailed psychological profiles about the US electorate using a massive pool of mainly unwitting US Facebook users built with an online survey.”

An internal investigation into the matter by Facebook led Cambridge Analytics to claim it deleted the Facebook data. This proved untrue. Cambridge Analytics continued to use the data.

Facebook’s legal problems followed when it told the SEC in 2017 that “third-party misuse of Facebook users’ personal data was a purely hypothetical risk that could harm the company if it materialized. Both The Guardian, the New York Times and other news organizations continued to investigate the data breach, and both the media and politicians began to publicly chastise the company for the “serious flaw” in its “ability to keep exclusive control over its information.” Soon after, Facebook’s stock prices significantly declined “reflecting a loss of over “$ 100 billion in market capitalization.”

In June 2018, things got even worse for Facebook when it admitted to “whitelisting,” or “continued sharing the data of users and their Facebook friends with dozens of whitelisted third parties like Apple, Microsoft, and Samsung without the users’ express consent.” The shareholder suit followed, based on Facebook’s false and misleading statements.

McKeown’s opinion explained the laws that prohibit “manipulative or deceptive” practices in connection with the purchase or sale of a security.” These are primarily Section 10(b) of the Exchange Act and the “heightened pleading requirements” of the Private Securities Litigation Reform Act. She wrote that Facebook’s reports of “hypothetical risk” did not match with what the company actually knew about its data breach. She said under the law, Facebook’s “statements and omissions would be actionably false or misleading” if they “directly contradict what the defendant knew at that time.” They were. It is not lawful to warn that risks “could” occur “when, in fact, “those risks had already materialized.” She said that Facebook “sidestep(ed)” the reality of what they knew about the compromised data.

The Ninth Circuit thus affirmed, reversed, and remanded parts of the district court ruling. The key shareholder complaint about Facebook’s reports of hypothetical, not actual risks, as well as its use of control statements will have additional days in court.