On June 10, 2024, the Supreme Court granted certiorari in Facebook, Inc. v. Amalgamated Bank[1] to review a decision by the Ninth Circuit Court of Appeals holding that Facebook could be held liable under Section 10(b) and Rule 10b-5 for failing to disclose risks that had materialized in the past but that presented no known risk of ongoing or future business harm. This case raises significant questions regarding the scope of corporate liability for risk disclosures and could potentially affect the nature and volume of investor lawsuits.

Litigation Background

The underlying action dates back to March 2018, when Amalgamated Bank filed a securities class action alleging that defendant Facebook Inc. made materially false and misleading statements and omissions regarding the risk of improper access to or disclosure of Facebook user data.[2] Facebook’s 2016 Form 10-K disclosures included risk factors such as “[a]ny failure to prevent or mitigate … improper access to or disclosure of our data or user data … could result in loss or misuse of such data, which could harm [Facebook’s] business and reputation and diminish our competitive position.” Plaintiffs alleged that at the time these risk factor statements were made, Facebook knew that on two prior occasions, Cambridge Analytica, a political consulting firm, had improperly collected and harvested Facebook users’ personal data. Accordingly, plaintiffs alleged that the risk factors identified in the Form 10-K were false and misleading because they framed the risk of data misuse as merely hypothetical, belying the fact that such data misuse had already occurred.

The district court dismissed plaintiffs’ claims for failure to plead falsity, scienter and loss causation under Rule 9(b). The court found that the plaintiffs failed to demonstrate that Facebook knew or should have known that Cambridge Analytica’s certifications that the misappropriated data had been deleted and was no longer being misused were false. Furthermore, the court found that plaintiffs’ general allegations that three Facebook employees who worked with Cambridge Analytica and therefore would have known about the data misappropriation were too speculative to demonstrate scienter.

Ninth Circuit Court of Appeals’ Decision

A split panel of the Ninth Circuit affirmed in part and reversed in part. In particular, the court found that the plaintiffs had adequately pleaded falsity as to the risk factors disclosed in Facebook’s Form 10-K regarding whether misuse of Facebook users’ data could harm Facebook’s business, reputation and competitive position. In so finding, the majority pointed to its reasoning in In re Alphabet,[3] decided after the district court dismissed plaintiffs’ complaint. In In re Alphabet, the Ninth Circuit held that falsity allegations could survive a motion to dismiss when the complaint plausibly alleged that a company’s Securities and Exchange Commission (SEC) filings warned that risks “could” occur, when in fact those risks had already materialized. Relying on this holding, the majority found that the plaintiffs had sufficiently alleged the falsity of Facebook’s risk factor statements. The majority emphasized that Facebook’s Form 10-K filings presented the risk of business and reputational harm from the misuse of users’ data as merely hypothetical, when in fact Facebook knew that the Cambridge Analytica data breaches indicated that such a risk had already materialized.

Judge Patrick J. Bumatay dissented in part, disagreeing with the majority’s holding that plaintiffs sufficiently pleaded the falsity of Facebook’s risk factor statements. First, the dissent argued that, as worded, the statements did not make any representations about whether a data breach had occurred.[4] Instead, Facebook made a true statement that its business and reputation “could” be harmed by data breaches and misuse. Second, the dissent argued that the risk factor statements could not give rise to liability because the harm caused by the breach remained “unknown” to Facebook at the time it made its statements, while the disclosure requirements apply to risks for which a company knows that “its reputation and business were already harmed.”[5] Finally, the dissent asserted that the majority inappropriately extended Alphabet’s reasoning by requiring disclosures where the harm is not “actual or near-certain” but was still unknown or not yet materialized.

Facebook filed a petition for rehearing en banc, which the Ninth Circuit denied in December 2023.

Petition for Certiorari and Looking Ahead

Facebook’s petition for certiorari presented two questions for the Court’s consideration, of which it granted review of one: whether risk disclosures are false or misleading when they do not disclose a risk that has materialized in the past, even if that past event presents no known risk of ongoing or future business harm.[6] In other words, must companies disclose events that  may give rise to business harms, even if those harms are not yet known or realized?

The petitioners contend that the Ninth Circuit’s holding creates a three-way split among eight circuits regarding what companies must include in “risk factors” disclosures. According to the petition, in the Sixth Circuit, companies need not disclose any past instances when a risk has materialized.[7] In the First, Second, Third, Fifth, Tenth and D.C. circuits, a company must disclose a risk if it knows that the event will harm the business.[8] The petitioners further argued that the Ninth Circuit’s rule would make disclosures less useful by drowning investors in irrelevant information, spur fraud-by-hindsight lawsuits and render disclosure requirements more burdensome for companies.

Law professors, former SEC officials, legal policy institutes and industry groups filed amicus briefs in support of the petition for certiorari, arguing that the Ninth Circuit’s ruling will lead to information overload for investors and contribute to a wave of meritless securities suits.

The Supreme Court’s decision to grant certiorari signals its willingness to resolve this divide among the appellate courts and clarify the extent to which a company must disclose events that present no known risk of ongoing or future business harm.


[1]No. 23-980, 2024 WL 2883752.

[2]In re Facebook, Inc. Securities Litigation, No. 5:18-CV-1725 (EJD), 2021 WL 6000058 (N.D. Cal. Dec. 20, 2021).

[3]In re Alphabet Securities Litigation, 1 F.4th 687 (9th Cir. 2021).

[4]In re Facebook, Inc. Securities Litigation, 87 F.4th 934 (9th Cir. 2023), at *958-59.

[5]Id., at *959.

[6]The second question, upon which the Court did not grant certiorari, asked: “Does Federal Rule 8 or Rule 9(b) supply the proper pleading standard for loss causation in a private securities-fraud action?”

[7]See Bondali v. Yum! Brands, Inc., 620 App’x 483 (6th Cir. 2015).

[8]See Karth v. Keryx Biopharmaceuticals, Inc., 6 F.4th 123 (1st Cir. 2021); Set Capital LLC v. Credit Suisse Group AG, 996 F.3d 64 (2d Cir. 2021); Williams v. Globus Medical, Inc., 869 F.3d 235 (3d Cir. 2017); Lormand v. US Unwired, Inc., 565 F.3d 228 (5th Cir. 2009); Indiana Public Retirement System v. Pluralsight, Inc., 45 F.4th 1236 (10th Cir. 2022); In re Harman Int’l Indus., Inc. Securities Litigation, 791 F.3d 90 (D.C. Cir. 2015).


Summer associate Stephen Ferguson assisted in the preparation of this alert.