To avoid public and regulatory scrutiny, Google’s officers and directors purportedly conceived a plan to conceal the security glitch and other systemic vulnerabilities.

March 12, 2024

Google Parent Alphabet Agrees to Pay Shareholders $350 Million Over Data Leak

Google’s parent company Alphabet Inc. agreed to a $350 million tentative settlement resolving allegations it concealed data-security vulnerabilities in the now-shuttered Google+ social network. The settlement will become the largest data privacy and cybersecurity-related securities class action ever recorded by ISS SCAS, if approved.

In March 2018, amid the uproar caused by the alleged improper harvesting of user data at Facebook, Google discovered a security glitch in its social network that allegedly left the data of its users exposed for three years. The software glitch in its Google+ platform allegedly gave third-party developers access to the personal data of millions of users, including those who had not opted to share their data publicly. The exposed private profile data included email addresses, birth dates, gender, profile photos, places lived, occupations, and relationship status.

After the “three-year bug” was discovered, Google’s legal and policy staff allegedly prepared a memo in April 2018 warning that its disclosure would likely result in “immediate regulatory interest.” To avoid public and regulatory scrutiny, Google’s officers and directors conceived a plan to conceal the bug and other security vulnerabilities in order to “buy time.” The memo also outlined alleged shortcomings in Google’s security system and record keeping, including that while it was able to fix the bug, it could not confirm the extent of the damage or all affected users.

In October 2018, the Wall Street Journal published a lengthy story surrounding the events of the “Privacy Bug Memo.” In response, Google admitted to exposing hundreds of thousands of users’ private data and that it was shutting down the Google+ social network for consumers. The class action complaint further alleges the following:

  • Google launched the Google+ platform in June 2011 in an attempt to make a social media network to rival that of Facebook and Twitter.
  • While scrutiny of data privacy and security grew in the Spring of 2018, Google engineers discovered a software glitch in the Google+ social network that had existed since 2015.
  • Because of a bug in the programming interface for Google+, third-party developers could collect certain users’ profile data, even if those users had relied on Google privacy settings to designate the data as nonpublic.
  • While Google had identified the bug in March 2018, it could not confirm the resulting damage nor the number of other bugs due to record-keeping limitations and poor security controls. Specifically, Google could only identify two weeks’ worth of users whose private profile information had been exposed during the three-year lifespan of the bug.
  • In April 2018, having read the memo legal and policy staff prepared on the three-year bug, Google’s officers and directors chose a strategy of nondisclosure. Google’s executives gave the same assurances about security and privacy in SEC filings and earnings calls as before, despite being aware of the “Privacy Bug Memo.”
  • On October 8, 2018, the Wall Street Journal exposed the three-year software glitch and the company’s concealment of it. As a result, Alphabet’s stock price fell $11.91 on October 8, 2018, $10.75 on October 9, 2018, and $53.01 on October 10, 2018.

The $350 million settlement was reached despite the district court’s dismissal of the complaint in its entirety. The district court initially held plaintiff failed to plead a materially misleading misrepresentation or omission. However, a unanimous three-judge panel of the Ninth Circuit reversed in part, finding two statements Alphabet made in quarterly SEC filings actionable.

The Ninth Circuit found the complaint plausibly alleged that the omission of security vulnerabilities from the two statements was misleading to a reasonable investor, given they were made after the detection of Google’s cybersecurity issues and during the growing scrutiny following the Facebook-Cambridge Analytica scandal. The three-judge panel also found plaintiff plausibly alleged that then-CEO of Alphabet Lawrence Page knew about the “Three-Year Bug” and that Alphabet intentionally did not disclose this information.

If approved, the $350 million payout will become the largest privacy and cybersecurity-related securities class action lawsuit settlement, surpassing Equifax ($149 million) and Yahoo! ($80 million). Cyber-related securities class actions have met with mixed success in courts, with a number of high-profile actions, such as Capital One, Marriott, Alphabet, and Facebook, initially dismissed. However, the Ninth Circuit’s revival of both the Alphabet Google+ and the Facebook Cambridge Analytica-related securities lawsuits could bode well for future investor recoveries related to cyber or data privacy allegations.

ISS SCAS will continue to monitor and file claims for this high-profile action and others, if and when they progress toward an official settlement.

Jarett Sena, Esq., Director of Litigation Analysis, ISS Securities Class Action Services
