Opinion
21-15785
03-02-2022
NOT FOR PUBLICATION
Argued and Submitted February 7, 2022
Appeal from the United States District Court for the Northern District of California Nos. 3:19-cv-06968-CRB, 3:19-cv-07361-CRB Charles R. Breyer, District Judge, Presiding
Before: WARDLAW, IKUTA, and BADE, Circuit Judges.
MEMORANDUM [*]
Plaintiffs Local 353, IBEW Pension Fund, Charles Reidinger and Mandy Ho ("Plaintiffs") appeal a district court order dismissing their Second Amended Complaint ("SAC") for failure to state a claim under 17 C.F.R. § 240.10b-5 ("Rule 10b-5"), 15 U.S.C. § 78j(b) ("Section 10(b)"), or 15 U.S.C. § 78t(a) ("Section 20(a)"). We have jurisdiction under 28 U.S.C. § 1291, and we affirm.
1. The district court did not err in dismissing Plaintiffs' claim under Rule 10b-5 and Section 10(b) for failure to state a claim. To state a claim under Rule 10b-5 and Section 10(b), a plaintiff must plead "six essential elements" including (1) falsity (a material misrepresentation or omission), and (2) scienter. Retail Wholesale & Dep't Store Union Loc. 338 Ret. Fund v. Hewlett-Packard Co., 845 F.3d 1268, 1274 (9th Cir. 2017). To survive a motion to dismiss, the SAC must not only satisfy Federal Rule of Civil Procedure 8, but meet additional pleading requirements set out in Federal Rule of Civil Procedure 9 and the Private Securities Litigation Reform Act ("PSLRA"), 15 U.S.C. § 78u-4(b)(1), 78u-4(b)(2)(A).
2. The district court did not err in concluding that while the SAC did "specify" five publicly filed statements, 15 U.S.C. § 78u-4(b)(1), it did not include facts supporting a reasonable inference that any of those statements were false or misleading, see Retail Wholesale, 845 F.3d at 1274.
Plaintiffs argue that two of the five statements in Zendesk's 2018 Form 10-K (filed February 14, 2019)-that Zendesk "maintain[s] a comprehensive security program," and that it "completed the EU approval process for [its] global Binding Corporate Rules" in 2017-were misleading because they created the impression that Zendesk implemented the data security best practices described in those statements no later than 2016, when in fact, the company did not implement those practices until later.
We disagree. Neither statement makes any reference to Zendesk's data security practices in 2016. Statement one is in the present tense; it describes features of Zendesk's 2019 data security program and certifies that the current program is "comprehensive." Statement two simply states that the EU approved Zendesk's global Binding Corporate Rules in 2017. Both statements are truthful.
Plaintiffs contend, however, that based on these statements a reasonable investor could have concluded that any data security improvements Zendesk described would have been put in place in response to the two public hacks Zendesk had experienced in the past, one in 2013 and one in 2016. However, Plaintiffs plead no facts supporting a reasonable inference that either of those hacks was a prominent enough milestone in company history that the average investor would be led to believe every data security improvement directly followed them. Further, the 2013 hack occurred before Zendesk began using Amazon Web Services ("AWS") and the 2016 hack involved only Defendant Svane's personal Twitter account.
Next, Plaintiffs argue that the remaining three statements-all of which are risk disclosures that appeared in Zendesk's 2018 Form 10-K (filed February 14, 2019)-were misleading because they created the impression that it was unlikely Zendesk had suffered an undetected data breach in the past, when in reality it was somewhat likely. Again, we disagree. None of the three statements makes assertions as to the likelihood of such contingencies occurring. Therefore, these statements would not give an ordinary investor reason to believe that Zendesk was asserting that the risk that an undetected breach had occurred was particularly high or low, or that it had changed over time.
3. The district court did not err in finding that Plaintiffs failed to state "with particularity" facts supporting a "strong inference," 15 U.S.C. § 78u-4(b)(2)(A), that Zendesk acted with the required scienter-intent to "deceive, manipulate or defraud" or "deliberate recklessness" toward that possibility-under either the core operations doctrine or the corporate scienter doctrine. Schueneman v. Arena Pharms. Inc., 840 F.3d 698, 705 (9th Cir. 2016) (internal quotation marks omitted).
Plaintiffs fail to adequately allege scienter under the core operations doctrine because they do not make "detailed and specific allegations" supporting a strong inference that Defendants Gomez or Svane were intimately involved in the minutiae of Zendesk's AWS data-security policy, Zucco Partners, LLC v. Digimarc Corp., 552 F.3d 981, 1000 (9th Cir. 2009) (internal quotation marks omitted), or allegations supporting a strong inference that the facts at issue (minor changes in the company's data security policy over a three-year period) were "of such prominence that it would be absurd to suggest that management was without knowledge of the matter," S. Ferry LP, No. 2 v. Killinger, 542 F.3d 776, 786 (9th Cir. 2008) (emphasis added) (internal quotation marks omitted). They do allege that, generally speaking, data security is a core element of Zendesk's business, that both Gomez and Svane signed Zendesk's form 10-K which made assertions about data security, and that in the wake of the 2019 discovery of the 2016 hack, Svane stated that Zendesk was in a "very different state of security" in 2016 than it was in 2019. However, those allegations fall far short of the bar set by our cases. Compare No. 84 Emp.-Teamster Joint Council Pension Tr. Fund v. America West, 320 F.3d 920, 937-939 (9th Cir. 2003), with Zucco, 552 F.3d at 1001.
Similarly, even assuming corporate scienter is a viable theory in our circuit, Plaintiffs fail to adequately allege scienter under that doctrine because the statements that Plaintiffs cite to were not "so dramatically false" that at least some corporate official must have known of their falsity upon publication. Compare In re NVIDIA Corp. Sec. Litig., 768 F.3d 1046, 1063-64 (9th Cir. 2014) (serious defects in two important products was not enough to trigger corporate scienter), with Makor Issues & Rts., Ltd. v. Tellabs Inc., 513 F.3d 702, 709-10 (7th Cir. 2008) (production issues, collapsing sales, and other serious issues for company's flagship products were enough to trigger corporate scienter).
4. Finally, the district court did not err in dismissing Plaintiffs' Section 20(a) claim because liability under Section 20(a) requires an underlying violation of securities law, and the district court correctly dismissed Plaintiffs' claim under Rule 10b-5/Section 10(b). See In re Rigel Pharms., Inc. Sec. Litig., 697 F.3d 869, 886 (9th Cir. 2012) ("Because Plaintiff here has failed to adequately plead a violation of the federal securities laws, it follows that Plaintiff also has failed to adequately plead violations of section 20(a) . . .").
AFFIRMED.
[*] This disposition is not appropriate for publication and is not precedent except as provided by Ninth Circuit Rule 36-3.