From Casetext: Smarter Legal Research

Reidinger v. Zendesk, Inc.

UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF CALIFORNIA
Mar 2, 2021
Case No. 19-cv-06968-CRB (N.D. Cal. Mar. 2, 2021)

Opinion

CHARLES REIDINGER, Plaintiff, v. ZENDESK, INC., et al., Defendants.


ORDER GRANTING MOTION TO DISMISS WITH LEAVE TO AMEND

A class of Zendesk, Inc. stock purchasers led by Local 353, I.B.E.W. Pension Fund ("the Pension Fund") is suing Zendesk and two Zendesk officers (collectively, "Zendesk") for securities fraud under §§ 10(b) and 20(a) of the Securities Exchange Act of 1934 and Securities and Exchange Commission (SEC) Rule 10b-5. The Court previously dismissed the Pension Fund's First Amended Complaint under Rule 12(b)(6) of the Federal Rules of Civil Procedure for failure to state a claim for which relief may be granted. The Court gave the Pension Fund leave to amend. In its Second Amended Complaint, the Pension Fund alleges that Zendesk made false and misleading statements relating to Zendesk's data security, resulting in harm to investors after the public learned that Zendesk had suffered a data breach that went undetected for nearly three years.

Zendesk has moved to dismiss the Pension Fund's Second Amended Complaint for failure to state a claim for which relief may be granted. The Court has determined that oral argument is unnecessary and vacates the hearing previously scheduled for March 5, 2021. The Court grants Zendesk's motion to dismiss because the Pension Fund has not adequately pleaded a material misstatement or omission, and the Pension Fund's allegations do not give rise to a strong inference that Zendesk or its officers acted with scienter, i.e., fraudulent intent. The Court grants the Pension Fund leave to amend to cure these deficiencies.

I. BACKGROUND

A. Procedural History

On January 24, 2020, the Court consolidated two putative securities class action lawsuits against Zendesk and appointed the Pension Fund as lead plaintiff. See Order Consolidating Cases (dkt. 42). The Pension Fund then filed an Amended Class Action Complaint on behalf of all purchasers of Zendesk common stock between February 6, 2019 and October 1, 2019, inclusive (the Class Period). See FAC (dkt. 51) at 1. The First Amended Complaint alleged that Zendesk and three officers—Chief Executive Officer Mikkel Svane, Chief Financial Officer Elena Gomez, and Senior Vice President of Worldwide Sales Norman Gennaro—committed securities fraud in violation of § 10(b) of the Securities Exchange Act and SEC Rule 10b-5. See id. ¶¶ 34-36, 124-127. The Pension Fund also alleged that the individual defendants violated § 20(a) of the Securities Exchange Act as control persons liable for any fraud committed by Zendesk and its employees. See id. ¶¶ 128-131.

The Pension Fund's original claims centered on Zendesk's public statements during the class period in relation to two events: (1) subpar performance in the Europe, Middle East, and Africa (EMEA) and Asia-Pacific (APAC) regions during Q2 2019; and (2) the September 24, 2019 discovery and subsequent disclosure of a data breach that had been ongoing for three years. See Order Dismissing FAC (dkt. 63) at 2.

The Court dismissed the Pension Fund's claims with respect to subpar regional performance because the Pension Fund had not adequately pleaded any false or misleading statement, or facts supporting a strong inference of scienter—that is, Zendesk's intent to deceive, manipulate, or defraud. Id. at 13-18. The Court dismissed the Pension Fund's claim with respect to the data breach because Zendesk's failure to disclose the breach was the only potentially material misstatement or omission that the Pension Fund alleged, and the Pension Fund's allegations did not suggest that Zendesk or its officers intended to deceive investors about the breach. Id. at 21-22. The Court granted the Pension Fund leave to amend. Id. at 22.

One aspect of the Court's Order dismissing the First Amended Complaint warrants clarification, if not revision. See Fed. R. Civ. P. 54(b). The Court stated that the Pension Fund's First Amended Complaint had not alleged "any material misstatement or omission." See Order Dismissing FAC at 1. But the Court also said that the Pension Fund "alleged a material omission" to the extent that the data breach "would have been viewed by the reasonable investor as significant," though no allegations supported the inference that Zendesk had acted with scienter in relation to the data breach. See id. at 21 (citation omitted). The Court should have made its seemingly contradictory reasoning clearer, and does so now. The Court recognizes that significance to a reasonable investor is necessary, but not sufficient, to establish a materially misleading omission. See infra part II.B; In re Yahoo! Inc. Sec. Litig., 2012 WL 3282819, at *7 (N.D. Cal. Aug. 10, 2012) ("Silence, absent a duty to disclose, is not misleading under Rule 10b-5.") (quoting Basic, Inc. v. Levinson, 485 U.S. 224, 239 n.17 (1988)). The Court's conclusion that reasonable investors would have viewed the data breach as significant was thus insufficient to establish the further conclusion that Zendesk had materially omitted information about the breach. In effect, the Court assumed that the Pension Fund had plausibly alleged a material omission and relied on the Pension Fund's more obvious failure to allege facts giving rise to the required "strong inference" that Zendesk or its officers had acted with scienter. See Order Dismissing FAC at 21.

On January 8, 2021, the Pension Fund filed a Second Amended Complaint. See SAC (dkt. 64). The Pension Fund noted that it had "not renewed its allegations concerning" Zendesk's regional performance or its claims against Zendesk Senior Vice President of Worldwide Sales Norman Gennaro. Id. at 2 n.2. Instead, the Pension Fund supplemented its allegations regarding the data breach.

B. Zendesk and the Data Breach

Zendesk sells customer service software to companies. See id. ¶¶ 5-7. In doing so, Zendesk collects, stores, and transmits sensitive customer, agent, and end-user data, including personally identifiable information (PII). Id. ¶ 9. The Pension Fund alleges that Zendesk began hosting its data through Amazon Web Services (AWS)'s cloud computing platform in 2016 and completed its transition to hosting data there in 2019. Id. ¶ 8.

But according to the Pension Fund, in 2016 Zendesk "did not follow basic precautions to secure data hosted by AWS." Id. ¶ 19(a). Before Zendesk had experienced the data breach at issue, AWS had published a list of "best practices." Id. ¶ 27. The list warned customers to "never share" their "AWS . . . access keys with anyone." Id. AWS also instructed customers to "enable multifactor authentication for . . . users who are allowed access to sensitive resources." Id. AWS further explained that customers could "use logging features in AWS" to detect nefarious activity by determining "the actions users have taken . . . and the resources that were used." Id. The Pension Fund alleges that despite these "clear directions," which were consistent (if not identical) with Zendesk's own avowed security best practices, Zendesk "shared AWS keys" with "a third party vendor." Id. ¶¶ 19(a), 25. A "small number" of those keys "were compromised," which allowed "hackers to access customer service data." Id. Zendesk also implemented multifactor authentication only "after it had provided AWS keys to others and . . . had been breached as a result." Id. ¶ 19(b). And Zendesk "failed to properly use logging features" that could have enabled Zendesk to detect the breach. Id. As a result, Zendesk suffered a data breach in November 2016 and discovered the breach only after nearly three years had passed. Id. ¶ 51. The Pension Fund alleges that after the breach was discovered and revealed, Zendesk's stock price fell. Id. ¶¶ 22, 24.

On April 1, 2019, Zendesk posted a "Security Best Practices" article on its website, instructing its customers that they could "reduce the risk of a security breach" by following certain best practices. SAC ¶ 46. The post noted that "even the best security policies will fall short if they are not followed." Id. It went on to suggest that customers implement "2-factor authentication for all agents and admins," "never give out user names, email addresses, or passwords," "routinely audit" their Zendesk accounts "for suspicious activity," and "encourage agents to monitor their user account[s]." Id.

On September 24, 2019—the date that the Pension Fund alleges Zendesk discovered the breach—Zendesk's stock price declined from $77.23 to $73.60 "on unusually high [trading] volume." SAC ¶ 22. On September 27, 2019—the date by which the Pension Fund alleges that Zendesk would have been required to notify its customers of the breach under its internal policies—Zendesk's stock price declined from $74.08 to $72.08 on unusually high volume. Id. ¶¶ 53-54. And after Zendesk published a notice on its website regarding the breach on October 2, 2019, Zendesk's stock price declined from $72.71 to $69.81, again on unusually high volume. Id. ¶ 24.

After the data breach, Zendesk made various public statements regarding the breach's nature and scale. On October 2, 2019, Zendesk published an "Important Notice regarding 2016 Security Incident" (the Notice) on its website. Id. ¶ 25. The Complaint incorporates relevant parts of the Notice:

Important Notice regarding 2016 Security Incident
We recently were alerted by a third party regarding a security matter that may have affected the Zendesk Support and Chat products and customer accounts of those products activated prior to November of 2016. . . .


* * *

On September 24 [2019], we identified approximately 10,000 Zendesk Support and Chat accounts . . . whose account information was accessed without authorization prior to November of 2016. Information accessed included some [PII] and other service data.

For impacted customers, the information accessed from these databases includes the following data:

-Email addresses, names and phone numbers of agents and end-users of certain Zendesk products.
-Agent and end user passwords that were hashed and salted—a security technique used to make them difficult to decipher, potentially up to November 2016. . . .

We have also determined that certain authentication information was accessed for a much smaller set of approximately 700 customer accounts, including expired trial accounts and accounts that are no longer active. . . .
Id. ¶ 55.

On October 4, 2019, Zendesk updated the Notice to reflect a total of ~22,000 breached customer accounts: ~15,000 Support and Chat accounts, with authentication information accessed for ~7,000 customer accounts. Id. ¶ 61. Because Zendesk's customers often have many end-users, the breach may have affected many more persons' data. See id. ¶ 56.

On October 29, 2019, Zendesk held its Q3 2019 investor conference call, during which Mikkel Svane, Zendesk's CEO, stated that the breach occurred when "Zendesk was in a very different state of security." Id. ¶ 62. Similarly, Zendesk updated an "FAQ" page on its website to include Chief Security Officer Maarten Van Horenbeeck's statement that "Zendesk has significantly invested in its security program since 2016 . . . including rolling out additional protection of sensitive personal data." Id. ¶ 63.

On November 22, 2019, Zendesk revealed the data breach's cause. Id. ¶ 64. While investigating the breach, Zendesk "discovered that a small number of AWS keys" had been "compromised after having been provided to a third party vendor. These keys were then used to access customer service data." Id. The statement also indicated that Zendesk had expanded its use of multifactor authentication "during 2016 and 2017" and had "[i]ncreased security monitoring and logging" during the period "since 2016." Id.

C. Zendesk Statements During the Class Period, Before the Breach Was Disclosed

The Pension Fund alleges that AWS best practices, the breach, and Zendesk's statements following the breach indicate that Zendesk misled investors during the class period, before the breach was disclosed. As the Pension Fund puts it, Zendesk "repeatedly (and falsely) assured its customers and investors that its data security methodologies were comprehensive and of the highest quality." Id. ¶ 10. This case thus centers on the significance of Zendesk's alleged statements and omissions during the class period. The Pension Fund challenges the following statements:

1. February 14, 2019 Form 10-K for Fiscal year 2018

This filing stated that Zendesk maintains a "comprehensive security program designed to help safeguard the security and integrity of our customers' data." It added that Zendesk "regularly review[s]" its "security program" and regularly "obtain[s] third-party security audits and examinations" of Zendesk's "technical operations and practices covering data security." Id. ¶ 43. Zendesk also noted that in June 2017 it had announced its completion of the EU approval process for using Binding Corporate Rules "as a data processor and controller." Id. This "significant regulatory approval validated [Zendesk's] implementation of the highest possible standards for protecting PII globally, covering both the PII of [Zendesk's] customers and employees." Id.

The filing also warned investors that "if" a data breach were to occur, Zendesk's "products may be perceived as insecure," Zendesk "may lose existing customers or fail to attract new customers," and Zendesk "may incur significant liabilities." Id. ¶ 44. "Unauthorized access to or security breaches of [Zendesk's] products could result in the loss of data," and Zendesk "may also experience security breaches that may remain undetected for an extended period." Id.

2. May 2, 2019 Form 10-Q for Q1 2019 and August 2, 2019 Form 10-Q for Q2 2019

These filings provided investors with the same warnings regarding the risks that "could" occur "if" Zendesk suffered a data breach, and the possibility that Zendesk "may" experience undetected data breaches. Id. ¶¶ 47, 49.

*

The Pension Fund alleges that these statements were "materially false and misleading" because Zendesk "knew or deliberately disregarded and failed to disclose" several facts. Id. ¶ 50. First, contrary to Zendesk's claim that it had a "comprehensive security system" that was up to the "highest possible standards," Zendesk "did not follow basic precautions to secure data hosted by AWS." Id. ¶ 50(a). Second, Zendesk implemented multifactor authentication only "after it had provided AWS keys to others and after it had been breached as a result," and failed to properly "use logging features in AWS." Id. ¶ 50(b). Third, Zendesk had "already suffered a significant breach" caused by "its failure to implement basic data security standards and best practices." Id. ¶ 50(c).

The Pension Fund points to other statements made on Zendesk's website and elsewhere during the class period, see SAC ¶¶ 13, 14; Opp. at 6 n.6, but the Pension Fund's claims arise from the specific statements described above, see SAC ¶ 50. The Court notes that its analysis of the statements that the Pension Fund expressly challenges would apply equally to the other class period statements mentioned in the Second Amended Complaint.

D. The Instant Motion

Zendesk has moved to dismiss the Pension Fund's Second Amended Complaint. See Mot. to Dismiss SAC (dkt. 65). The Motion is fully briefed, see Opp. (dkt. 68); Reply (dkt. 69), and the Court has determined that oral argument is unnecessary.

II. LEGAL STANDARD

A. Rule 12(b)(6)

Under Rule 12(b)(6) of the Federal Rules of Civil Procedure, a complaint may be dismissed for failure to state a claim for which relief may be granted. Fed. R. Civ. P. 12(b)(6). Rule 12(b)(6) applies when a complaint lacks either "a cognizable legal theory" or "sufficient facts alleged" under such a theory. Godecke v. Kinetic Concepts, Inc., 937 F.3d 1201, 1208 (9th Cir. 2019). Evaluating a motion to dismiss, the Court "must presume all factual allegations of the complaint to be true and draw all reasonable inferences in favor of the nonmoving party." Usher, 828 F.2d at 561. "[C]ourts must consider the complaint in its entirety, as well as other sources courts ordinarily examine when ruling on Rule 12(b)(6) motions to dismiss, in particular, documents incorporated into the complaint by reference, and matters of which a court may take judicial notice." Tellabs, Inc. v. Makor Issues & Rights, Ltd., 551 U.S. 308, 322 (2007).

The Court grants Zendesk's Request for Judicial Notice (dkt. 66) because the relevant documents are either incorporated by reference in the Second Amended Complaint or not subject to reasonable dispute under Rule 201(b) of the Federal Rules of Evidence. The Court notes, however, that its reasoning does not rely on any of the noticed exhibits.

If a court dismisses a complaint for failure to state a claim, it should "freely give leave" to amend "when justice so requires." Fed. R. Civ. P. 15(a)(2). A court nevertheless has discretion to deny leave to amend due to, among other things, "repeated failure to cure deficiencies by amendments previously allowed, undue prejudice to the opposing party by virtue of allowance of the amendment, [and] futility of amendment." Leadsinger, Inc. v. BMG Music Pub., 512 F.3d 522, 532 (9th Cir. 2008) (citing Foman v. Davis, 371 U.S. 178, 182 (1962)).

B. Claims under Section 10(b) of the Securities Exchange Act and Rule 10b-5

Section 10(b) of the Securities Exchange Act of 1934 forbids the "use or employ, in connection with the purchase or sale of any security . . . [of] any manipulative or deceptive device or contrivance in contravention of such rules and regulations as the [SEC] may prescribe as necessary or appropriate in the public interest or for the protection of investors." 15 U.S.C. § 78j(b). SEC Rule 10b-5 implements § 10(b) and declares it unlawful:

(a) To employ any device, scheme, or artifice to defraud,
(b) To make any untrue statement of a material fact or to omit to state a material fact necessary in order to make the statements made . . . not misleading, or
(c) To engage in any act, practice, or course of business which operates or would operate as a fraud or deceit upon any person, in connection with the purchase or sale of any security.
17 C.F.R. § 240.10b-5.

The Supreme Court has implied a right of action to stock purchasers or sellers injured by a violation of § 10(b) and Rule 10b-5. See Dura Pharms., Inc. v. Broudo, 544 U.S. 336, 341 (2005). To state a claim, plaintiffs must plead "(1) a material misrepresentation (or omission); (2) scienter, i.e., a wrongful state of mind; (3) a connection with the purchase or sale of a security; (4) reliance . . .; (5) economic loss; and (6) 'loss causation,' i.e., a causal connection between the material misrepresentation and the loss." Id. at 341-42 (citation omitted). The first two elements are particularly relevant here.

The first element of a Rule 10b-5 claim is a material false statement or omission. Id. at 341. A plaintiff can establish "[f]alsity" by pointing to "statements that directly contradict what the defendant knew at that time." Khoja v. Orexigen Therapeutics, Inc., 899 F.3d 988, 1008 (9th Cir. 2008). A plaintiff can establish a material omission by pointing to the defendant's "silence" despite a "duty to disclose." Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27, 45 (2011) (quoting Basic Inc. v. Levinson, 485 U.S. 224, 239 n.17 (1988)). Such a duty arises from a statement that, although "not false," is "misleading" because it "omits material information." Khoja, 899 F.3d at 1008-09. "Disclosure is required only when necessary to make [the] statements made, in the light of the circumstances under which they were made, not misleading." Id. at 1009 (quoting Matrixx, 563 U.S. at 44) (internal quotation marks and alterations omitted). Of course, a party "fails to disclose material information" to investors only when the party in question actually "has [the] information that" investors are "entitled to know." Chiarella v. United States, 445 U.S. 222, 228 (1980).

"Companies can control what they have to disclose . . . by controlling what they say to the market." Matrixx, 563 U.S. at 45. But once a company communicates "positive information to the market," that company is "bound to do so in a manner that wouldn't mislead investors." Schueneman v. Arena Pharm., Inc., 840 F.3d 698, 705-06 (9th Cir. 2016) (quoting Berson v. Applied Signal Tech., Inc., 527 F.3d 982, 987 (9th Cir. 2008)).

"Whether its allegations concern an omission or a misstatement," a plaintiff must also allege "materiality." Khoja, 899 F.3d at 1009. A false statement or omission's materiality depends on whether "there is a substantial likelihood that a reasonable shareholder would consider" the information to be "important." Basic, 485 U.S. at 231 (quoting TSC Indus., Inc. v. Northway, Inc., 426 U.S. 438, 449 (1976)). This inquiry is "inherently fact-specific." Matrixx, 563 U.S. at 39. For an omission, "there must be a substantial likelihood that the disclosure of the omitted fact would have been viewed by the reasonable investor as having significantly altered the 'total mix' of information made available." Basic, 485 U.S. at 231-32 (quoting TSC Indus., 426 U.S. at 449). This standard is not "too low," because a "minimal standard might bring an overabundance of information within its reach, and lead management simply to bury shareholders in an avalanche of trivial information." Id. at 231 (citation omitted).

The second element of a Rule 10b-5 claim is a sufficiently culpable state of mind, or "scienter." See Ernst & Ernst v. Hochfelder, 425 U.S. 185, 197-99 (1976). Because § 10(b) covers only "manipulative or deceptive" conduct, and Rule 10b-5 implements (and thus cannot extend more broadly than) § 10(b), a Rule 10b-5 claim must allege conduct involving manipulation or deceit. Santa Fe Indus., Inc. v. Green, 430 U.S. 462, 473-74 (1977). Accordingly, a plaintiff must allege that the defendant had the "intent to deceive, manipulate, or defraud." Ernst & Ernst, 425 U.S. at 188.

Knowledge of falsity or deception is enough to satisfy this standard. See Gebhart v. SEC, 595 F.3d 1034, 1041 (9th Cir. 2010). And although the Supreme Court has never addressed whether recklessness establishes scienter under Rule 10b-5, see Tellabs, 551 U.S. at 319 n.3, the Ninth Circuit has held that "deliberate . . . or conscious recklessness" as to the statement's false or misleading character establishes scienter. SEC v. Platforms Wireless Int'l Corp., 617 F.3d 1072, 1093 (9th Cir. 2010) (quoting Gebhart, 595 F.3d at 1041-42). That is because deliberate, conscious recklessness is "a form of intentional or knowing misconduct." Id. (quoting In re Silicon Graphics Inc. Sec. Litig., 183 F.3d 970, 976 (9th Cir. 1999)). The defendant must have subjectively "appreciate[d] the gravity of the risk of misleading others" and "consciously disregarded" that risk. Id. (quoting Gebhart, 595 F.3d at 1042 n.11).

Although the deliberate or conscious recklessness inquiry is subjective, extreme departures from an objective standard of care may support an inference that the defendant was consciously reckless. Gebhart, 595 F.3d at 1042.

Even when individual officers lack the requisite scienter, the Ninth Circuit has left open whether a corporation may be liable for securities fraud under a "collective scienter" theory that imputes the cumulative knowledge of a corporation's agents to the corporation. See Glazer Capital Mgmt., LP v. Magistri, 549 F.3d 736, 744 (9th Cir. 2008); Nordstrom, Inc. v. Chubb & Son, Inc., 54 F.3d 1424, 1435 (9th Cir. 1995). "[S]ome form of collective scienter pleading might be appropriate," but only when "a company's public statements were so important and so dramatically false that they would create a strong inference that at least some corporate officials knew of the falsity upon publication." Glazer, 549 F.3d at 744 (emphasis in original).

Special pleading requirements apply to the (1) material misstatement or omission and (2) scienter elements of a Rule 10b-5 claim. Tellabs, 551 U.S. at 313. The Private Securities Litigation Reform Act of 1995 (PSLRA) requires plaintiffs to "specify each statement alleged to have been misleading [and] the reason or reasons why the statement is misleading," 15 U.S.C. § 78u-4(b)(1), and to "state with particularity facts giving rise to a strong inference that the defendant acted" with the requisite scienter—that is, the intent "to deceive, manipulate, or defraud." Tellabs, 551 U.S. at 313-314 (quoting 15 U.S.C. § 78u-4(b)(2); Ernst & Ernst, 425 U.S. at 194 & n.12). With respect to scienter, the plaintiff must do more than allege facts from which "a reasonable person could infer that the defendant acted with the required intent." Id. at 314 (citation omitted). "To qualify as 'strong,' . . . an inference of scienter must be more than merely plausible or reasonable—it must be cogent and at least as compelling as any opposing inference of fraudulent intent." Id.

More generally, Rule 9(b) of the Federal Rules of Civil Procedure requires a party alleging fraud to "state with particularity the circumstances constituting fraud." Fed. R. Civ. P. 9(b).

If "no reasonable person could deny" that the challenged statement was "materially misleading," and the plaintiff plausibly alleges that the defendant was "aware of the facts that made the statement misleading," then there is a factual dispute as to whether the defendant was at least consciously reckless. Platforms Wireless Int'l Corp., 617 F.3d at 1094.

C. Claims under § 20(a) of the Securities Exchange Act

Under § 20(a), "every person who, directly or indirectly, controls any person liable" for a violation of § 10(b) "shall also be liable jointly and severally with and to the same extent as such controlled person." 15 U.S.C. § 78t(a). Nonetheless, a control person who "acted in good faith and did not directly or indirectly induce the act or acts constituting the violation" is not liable. Id.

III. DISCUSSION

Zendesk argues that the Pension Fund has not stated a claim under § 10(b) and Rule 10b-5 because the Pension Fund has not identified any false statement or actionable omission regarding Zendesk's data security, see Mot. to Dismiss SAC at 4-9, has failed to plead facts giving rise to a "strong inference" of scienter, id. at 9-13, and has failed to plead a causal connection between any material misrepresentation and a loss to investors, see id. at 13-14. The Pension Fund argues that Zendesk's statements before the breach was disclosed were misleading because Zendesk lacked "a comprehensive data security program that was continuously reviewed and monitored and up to the highest standards," and "gave investors the impression that the Company took all possible steps to secure and protect sensitive information." Opp. at 5 (internal quotation marks omitted). The Pension Fund also argues that its allegations support a strong inference of scienter because Zendesk either "knew" about or "recklessly disregarded" its failure to "comply with AWS's or even its own best practices" while making public statements about its comprehensive security program. Opp. at 8.

The Court agrees with Zendesk that the Pension Fund has failed to state a claim for securities fraud under the PSLRA's special pleading requirements. The Pension Fund alleges certain mistakes that resulted in a long-undetected data breach. But although § 10(b) "is aptly described as a catchall provision . . . what it catches must be fraud." Chiarella, 445 U.S. at 235. The Pension Fund has failed to state a claim for securities fraud for two independent reasons. First, the Pension Fund has not pleaded a material misstatement or omission because the Pension Fund has neither identified any misleading statement relating to Zendesk's data security nor explained how Zendesk could have disclosed additional information that would have made Zendesk's statements "not misleading." Matrixx, 563 U.S. at 44. Second, as before, the Pension Fund's allegations do not give rise to the "strong inference" that Zendesk or its officers acted with the intent to deceive, manipulate, or defraud investors. Tellabs, 551 U.S. at 313-314 (quoting 15 U.S.C. § 78u-4(b)(2); Ernst & Ernst, 425 U.S. at 194 & n.12). Instead, those allegations support the "competing" inference that Zendesk was simply unaware of its mistakes or their consequences—a more "compelling" inference than the convoluted fraudulent scheme that the Pension Fund has attempted to allege. Id. at 314.

A. First Element: Material Misstatement or Omission

Under the applicable pleading standard, see 15 U.S.C. § 78u-4(b)(1), the Pension Fund has not adequately pleaded any false statement or misleading omission.

The Pension Fund has pointed to no false statement—that is, no statement that "directly contradict[s]" what Zendesk "knew at the time." Khoja, 899 F.3d at 1008. The Pension Fund argues that Zendesk lied about the strength of its data security programs based on its past failure to follow best practices, see Opp. at 5, but Zendesk made the relevant statements in 2019, addressing its recent and contemporaneous data security practices, see SAC ¶¶ 43-44, 47, 49. The Pension Fund's own allegations show that Zendesk's data security improved between 2016 and 2019, such that Zendesk's 2019 statements are plausibly consistent with Zendesk having a less robust security program in the past. See SAC ¶¶ 50(b), 62-64. Indeed, Zendesk did not state that its data security had always been up to the best possible standards. The only arguable indication that, in 2019, Zendesk's data security was not as strong as Zendesk claimed is Zendesk's failure to have detected the ongoing breach when Zendesk made the challenged statements. But those challenged statements expressly accounted for that possibility by acknowledging that past breaches "may remain undetected for an extended period." Id. ¶¶ 44, 49. Further, the undetected breach does not indicate that Zendesk's statements that it (1) "regularly review[ed]" its "security program," and (2) "regularly obtain[ed] third-party security audits and examinations" of that program, were false. Opp. at 5 (quoting SAC ¶ 43). The breach merely indicates that those measures did not uncover a breach—again, a possibility that Zendesk expressly disclosed. See SAC ¶¶ 44, 49. Finally, Zendesk never stated that its employees had unfailingly complied with AWS best practices and its own best practices from 2016 onwards. In sum, nothing in Zendesk's 2019 statements was false.

The Pension Fund has also not alleged a material omission because the challenged statements were not misleading. See Matrixx, 563 U.S. at 44. The challenged statements discussed Zendesk's recent and contemporaneous data security practices. They did not imply that Zendesk had not suffered an undetected data breach or that Zendesk's employees had unfailingly complied with AWS best practices during and since 2016. Indeed, Zendesk's warnings that it may experience an undetected data breach implied the possibility that, at some point, Zendesk's data security measures had failed. See SAC ¶¶ 44, 47, 49.

Zendesk's statements that "if" Zendesk suffered a breach, Zendesk "may incur significant liabilities" and the breach "could result in the loss of data," SAC ¶¶ 44, 47, 49, did not misleadingly imply that Zendesk had not suffered a breach given Zendesk's express acknowledgement of that possibility. The Pension Fund's argument to the contrary, see Opp. at 6-7, relies on inapposite cases involving statements that certain risks might materialize when the companies knew that those risks had already materialized, see, e.g., In re Convergent Techs. Sec. Litig., 948 F.2d 507, 515 (9th Cir. 1991).

Even if the Court were to assume that the challenged statements were misleading, the statements were not misleading based on information that Zendesk omitted. Because the Pension Fund's own allegations indicate that Zendesk lacked the "information" that investors were supposedly "entitled to know," Chiarella, 445 U.S. at 228, the Pension Fund has not pointed to any statement that Zendesk could have made "not misleading," Matrixx, 563 U.S. at 44. For example, Zendesk could not have had any "duty to disclose" the data breach, Matrixx, 563 U.S. at 44, because Zendesk was unaware of the breach. Similarly, the Pension Fund has not plausibly alleged that during the class period, Zendesk officers knew, or even should have known, that someone at Zendesk had improperly shared Zendesk's AWS keys with a third party vendor in 2016. See infra part III.B. Indeed, the Pension Fund cites Zendesk's statement that it "discovered" the AWS keys had been shared "during [Zendesk's] review" of the data breach, not before Zendesk made the challenged statements. SAC ¶ 64. There is similarly little reason to think that Zendesk officers knew about Zendesk's 2016 and 2017 multifactor authentication rollout and past AWS logging practices, let alone their significance. Plus, with no ability to disclose the data breach or the sharing of AWS keys with a single vendor, disclosure of the multifactor authentication rollout and past AWS logging practices would have only served to "bury shareholders in an avalanche of trivial information." Basic, 485 U.S. at 231.

The Pension Fund makes much of the Twitter account hack that Zendesk CEO Mikkel Svane experienced before 2016, after which Svane had been warned "of the need to implement multi-factor authentication." Opp. at 3 (citing SAC ¶¶ 16-18). But knowledge of a general security best practice does not equal knowledge of a specific failure to follow that best practice in an unrelated context, or the resulting consequences. Similarly, Svane and CFO Elena Gomez's certification in the February 2019 Form 10-K that they were "involved in designing and testing the Company's internal controls," SAC ¶ 43, does not imply that they were "very familiar with Zendesk's data security systems," Opp. at 11 n.9, let alone that they knew or should have known about specific data security mistakes that had occurred in 2016. In short, there is no plausible allegation that Svane or Gomez would have had any reason to think that the challenged statements might mislead investors.

The Pension Fund's arguments to the contrary are unavailing. For example, the Pension Fund argues that "[t]he timing of the breach (2016) does not render 2019 misstatements inactionable or any less false" because "Zendesk remained exposed to the consequences of giving away its AWS keys and failing to implement other best practices." Opp. at 7. The Pension Fund reasons that if a bank "gave away the keys to its vault," the bank could not later claim that its security was "comprehensive . . . just because it installed security cameras." Id. This analogy misses the mark. There is no indication that in 2019, Zendesk officers knew or were consciously or deliberately reckless in not knowing that three years earlier, AWS keys had been shared with a single vendor, i.e., a business partner. A more apt analogy would involve a bank employee—perhaps a teller—disclosing sensitive information about the bank's vault to one of the bank's business partners (say, a company that helps the bank obtain cash). There would be little reason to think that the bank's corporate officers knew about the error and could disclose it, or that the error made their general statements about bank security practices three years later misleading.

The Pension Fund has not alleged a false statement or the omission of any information that Zendesk had a duty to disclose. Therefore, the Pension Fund has not stated a claim for securities fraud, and the Court need not address whether the Pension Fund has shown "a substantial likelihood that a reasonable shareholder would consider" the information to be "important." Basic, 485 U.S. at 224.

Thus, as in the Court's prior order, the Court assumes that a reasonable investor would find at least the fact of the data breach important. See supra note 1; Order Granting First MTD at 21. The Court also assumes that the Pension Fund's allegations give rise to a factual dispute as to whether a reasonable investor would care that Zendesk had accidentally shared a few AWS keys in 2016 before implementing multifactor authentication and increasing its use of AWS logging features. SAC ¶ 50. As noted above, however, the Court does not assume that a reasonable investor would find information about multifactor authentication and logging important in the absence of additional information regarding the sharing of AWS keys and/or the data breach. More generally, because Zendesk lacked either a duty to disclose or the requisite state of mind, these assumptions do not affect the Court's conclusion that the Pension Fund has failed to state a claim for which relief may be granted.

B. Second Element: Scienter

The Pension Fund has not stated a claim for which relief may be granted for another, independent reason. The Pension Fund has failed to "state with particularity facts giving rise to a strong inference" that Zendesk or any Zendesk officer acted with the intent "to deceive, manipulate, or defraud" in failing to disclose the data breach. Tellabs, 551 U.S. at 313-314 (quoting 15 U.S.C. § 78u-4(b)(2); Ernst & Ernst, 425 U.S. at 194 & n.12).

Because the Pension Fund has not alleged a material false statement or omission, the Pension Fund has not alleged that Zendesk or its officers had knowledge of falsity or acted with conscious recklessness as to the risk that any statement was misleading without further disclosure.

But even accepting the Pension Fund's argument that Zendesk's 2019 statements were misleading, the Pension Fund has not alleged that any Zendesk officer acted intentionally or with conscious recklessness. The Pension Fund's allegations indicate that Zendesk's officers were simply unaware of the breach until September 2019. See SAC ¶ 51; see also Opp. at 11 (stating that Zendesk "did not even discover" the breach until it was "alerted by a third party"). Thus, the Pension Fund's allegations contradict any inference that Zendesk intended to "deceive" or "defraud" regarding the fact of the breach. Tellabs, 551 U.S. at 313-314. The same analysis applies to Zendesk's nondisclosure of its failure to implement certain security best practices before the breach occurred. Of course, Zendesk's failure to detect the breach may have resulted from negligence, including inadequate use of AWS's logging features. But given Zendesk's lack of knowledge surrounding the data breach, the inference that Zendesk's officers acted with fraudulent intent when failing to disclose Zendesk's past security mistakes rests on a multitude of dubious premises. Zendesk's officers must have not only known that someone at Zendesk shared the AWS keys, Zendesk implemented multifactor authentication too late, and Zendesk failed to monitor its platform effectively, but also consciously disregarded a risk that these events made its general statements about data security in 2019 misleading. No allegations in the Second Amended Complaint suggest this was the case.

The Pension Fund's contrary arguments are meritless. First, the Pension Fund argues that "the substantial contradiction between the true state of affairs and Zendesk's misstatements supports an inference of scienter." Opp. at 8 (citing Ronconi v. Larkin, 253 F.3d 423, 429 (9th Cir. 2001)). As discussed above, the Court rejects the premise that there was such a contradiction. Moreover, in noting that "falsity and scienter in private securities fraud cases are generally strongly inferred from the same set of facts," Ronconi did not purport to hold that a showing of falsity alone creates a strong inference of scienter. 253 F.3d at 429. It merely held that one set of facts could, in certain circumstances, "raise a strong inference that defendants intentionally or [with] deliberate recklessness made false or misleading statements." Id. (citation omitted). The scienter requirement exists because falsity does not always equal fraud. See Tellabs, 551 U.S. at 324 ("[A] court must consider plausible, nonculpable explanations for the defendant's conduct."). Second, the Pension Fund argues that it would be "absurd to suggest that the top executives of a company whose entire business revolves around collecting, storing, and processing users' sensitive information would be unaware of the failure to follow even basic best practices set by AWS and Zendesk itself." Opp. at 10. But it is far from absurd to think that in 2019, Zendesk officers were not aware or consciously ignorant of a single episode in 2016 when someone at Zendesk shared AWS keys with a third-party vendor, let alone that Zendesk had implemented multifactor authentication just after that event. The second amended complaint does not plausibly allege an ongoing, systematic flaunting of security best practices. Cf. Flynn v. Sientra, Inc., 2016 WL 336066, at *15 (C.D. Cal. June 9, 2016) (stating that a company's officers would be aware of "substandard, non-compliant conditions pervading their company's manufacturing and quality control divisions," which were "the heart" of the company) (emphasis added).

The Second Amended Complaint also fails to allege corporate or collective scienter against Zendesk, to the extent the Ninth Circuit permits such a theory. See Glazer, 549 F.3d at 744. Because Zendesk's public statements were neither false nor misleading, they could not have been "so dramatically false" as to "create a strong inference that at least some" Zendesk officials knew of their falsity. Id. (emphasis in original).

For all these reasons, the inference urged by the Pension Fund regarding Zendesk and its officers' scienter is not "as compelling as any opposing inference." Tellabs, 551 U.S. at 314. The Pension Fund's theory of Zendesk's fraudulent intent is, at best, convoluted: Zendesk's officers did not know about a data breach, but chose to mislead investors during the 2019 class period by refusing to disclose past security mistakes, while nonetheless disclosing that Zendesk might have suffered an undetected breach. The Pension Fund's allegations do not support the "strong inference" that Zendesk was engaged in such a novel fraudulent scheme. See 15 U.S.C. § 78u-4(b)(2). Instead, they strongly support the competing inferences that (1) someone at Zendesk made a serious mistake by sharing AWS keys with a third party vendor, which, combined with Zendesk's failure to implement multifactor authentication, resulted in a breach; and (2) Zendesk's failure to use logging features may have compounded these errors by letting the breach go undetected for nearly three years; but (3) Zendesk's 2019 statements warned investors about this exact possibility; and thus (4) Zendesk's officers did not intend Zendesk's statements during the class period to be misleading or deliberately disregard the risk that they would be misleading. The Pension Fund's allegations suggest that Zendesk failed to protect sensitive data, not that Zendesk intended to defraud investors.

Because the Pension Fund's allegations do not satisfy the first two elements of a § 10(b) and Rule 10b-5 claim, the Court need not consider whether the Pension Fund adequately pleaded loss causation.

C. Section 20(a) Claims

Because the Pension Fund has not stated an underlying securities fraud claim, the Pension Fund's § 20(a) control persons claim fails. See 15 U.S.C. § 78t(a).

IV. CONCLUSION

For the foregoing reasons, the Court GRANTS Zendesk's motion to dismiss. Because it is conceivable that the Pension Fund could add allegations to cure the above-described deficiencies, the Court grants the Pension Fund leave to amend. See Leadsinger, 512 F.3d at 532. The Pension Fund shall have 21 days from the date of this order to file another amended complaint.

Leave to amend is appropriate given the possibility that the Pension Fund relied on the prior order's statements regarding whether the Pension Fund had pleaded a material omission. See Fed. R. Civ. P. 15(a)(2); supra note 1.

IT IS SO ORDERED.

Dated: March 2, 2021

/s/_________

CHARLES R. BREYER

United States District Judge

