1 2 3 4 5 IN THE UNITED STATES DISTRICT COURT 6 FOR THE NORTHERN DISTRICT OF CALIFORNIA 7 8 CHARLES REIDINGER, Case No. 19-cv-06968-CRB
9 Plaintiff, ORDER GRANTING MOTION TO 10 v. DISMISS WITH LEAVE TO AMEND
11 ZENDESK, INC., et al., 12 Defendants.
13 A class of Zendesk, Inc. stock purchasers led by Local 353, I.B.E.W. Pension Fund 14 (“the Pension Fund”) is suing Zendesk and two Zendesk officers (collectively, “Zendesk”) 15 for securities fraud under §§ 10(b) and 20(a) of the Securities Exchange Act of 1934 and 16 Securities and Exchange Commission (SEC) Rule 10b-5. The Court previously dismissed 17 the Pension Fund’s First Amended Complaint under Rule 12(b)(6) of the Federal Rules of 18 Civil Procedure for failure to state a claim for which relief may be granted. The Court 19 gave the Pension Fund leave to amend. In its Second Amended Complaint, the Pension 20 Fund alleges that Zendesk made false and misleading statements relating to Zendesk’s data 21 security, resulting in harm to investors after the public learned that Zendesk had suffered a 22 data breach that went undetected for nearly three years. 23 Zendesk has moved to dismiss the Pension Fund’s Second Amended Complaint for 24 failure to state a claim for which relief may be granted. The Court has determined that oral 25 argument is unnecessary and vacates the hearing previously scheduled for March 5, 2021. 26 The Court grants Zendesk’s motion to dismiss because the Pension Fund has not 27 adequately pleaded a material misstatement or omission, and the Pension Fund’s 1 scienter, i.e., fraudulent intent. The Court grants the Pension Fund leave to amend to cure 2 these deficiencies. 3 I. BACKGROUND 4 A. Procedural History 5 On January 24, 2020, the Court consolidated two putative securities class action 6 lawsuits against Zendesk and appointed the Pension Fund as lead plaintiff. See Order 7 Consolidating Cases (dkt. 42). The Pension Fund then filed an Amended Class Action 8 Complaint on behalf of all purchasers of Zendesk common stock between February 6, 9 2019 and October 1, 2019, inclusive (the Class Period). See FAC (dkt. 51) at 1. The First 10 Amended Complaint alleged that Zendesk and three officers—Chief Executive Officer 11 Mikkel Svane, Chief Financial Officer Elena Gomez, and Senior Vice President of 12 Worldwide Sales Norman Gennaro—committed securities fraud in violation of § 10(b) of 13 the Securities Exchange and SEC Rule 10b-5. See id. ¶¶ 34–36, 124–127. The Pension 14 Fund also alleged that the individual defendants violated § 20(a) of the Securities 15 Exchange Act as control persons liable for any fraud committed by Zendesk and its 16 employees. See id. ¶¶ 128–131. 17 The Pension Fund’s original claims centered on Zendesk’s public statements during 18 the class period in relation to two events: (1) subpar performance in the Europe, Middle 19 East, and Africa (EMEA) and Asia-Pacific (APAC) regions during Q2 2019; and (2) the 20 September 24, 2019 discovery and subsequent disclosure of a data breach that had been 21 ongoing for three years. See Order Dismissing FAC (dkt. 63) at 2. 22 The Court dismissed the Pension Fund’s claims with respect to subpar regional 23 performance because the Pension Fund had not adequately pleaded any false or misleading 24 statement, or facts supporting a strong inference of scienter—that is, Zendesk’s intent to 25 deceive, manipulate, or defraud. Id. at 13–18. The Court dismissed the Pension Fund’s 26 claim with respect to the data breach because Zendesk’s failure to disclose the breach was 27 the only potentially material misstatement or omission that the Pension Fund alleged, and 1 deceive investors about the breach. Id. at 21–22. The Court granted the Pension Fund 2 leave to amend. Id. at 22.1 3 On January 8, 2021, the Pension Fund filed a Second Amended Complaint. See 4 SAC (dkt. 64). The Pension Fund noted that it had “not renewed its allegations 5 concerning” Zendesk’s regional performance or its claims against Zendesk Senior Vice 6 President of Worldwide Sales Norman Gennaro. Id. at 2 n.2. Instead, the Pension Fund 7 supplemented its allegations regarding the data breach. 8 B. Zendesk and the Data Breach 9 Zendesk sells customer service software to companies. See id. ¶¶ 5–7. In doing so, 10 Zendesk collects, stores, and transmits sensitive customer, agent, and end-user data, 11 including personal identifiable information (PII). Id. ¶ 9. The Pension Fund alleges that 12 Zendesk began hosting its data through Amazon Web Services (AWS)’s cloud computing 13 platform in 2016 and completed its transition to hosting data there in 2019. Id. ¶ 8. 14 But according to the Pension Fund, in 2016 Zendesk “did not follow basic 15 precautions to secure data hosted by AWS.” Id. ¶ 19(a). Before Zendesk had experienced 16 the data breach at issue, AWS had published a list of “best practices.” Id. ¶ 27. The list 17 warned customers to “never share” their “AWS . . . access keys with anyone.” Id. AWS 18 also instructed customers to “enable multifactor authentication for . . . users who are 19 1 One aspect of the Court’s Order dismissing the First Amended Complaint warrants clarification, 20 if not revision. See Fed. R. Civ. P. 54(b). The Court stated that the Pension Fund’s First Amended Complaint had not alleged “any material misstatement or omission.” See Order 21 Dismissing FAC at 1. But the Court also said that the Pension Fund “alleged a material omission” to the extent that the data breach “would have been viewed by the reasonable investor as 22 significant,” though no allegations supported the inference that Zendesk had acted with scienter in relation to the data breach. See id. at 21 (citation omitted). The Court should have made its 23 seemingly contradictory reasoning clearer, and does so now. The Court recognizes that significance to a reasonable investor is necessary, but not sufficient, to establish a materially 24 misleading omission. See infra part II.B; In re Yahoo! Inc. Sec. Litig., 2012 WL 3282819, at *7 (N.D. Cal. Aug. 10, 2012) (“Silence, absent a duty to disclose, is not misleading under Rule 10b- 25 5.”) (quoting Basic, Inc. v. Levinson, 485 U.S. 224, 239 n.17 (1988)). The Court’s conclusion that reasonable investors would have viewed the data breach as significant was thus insufficient to 26 establish the further conclusion that Zendesk had materially omitted information about the breach. In effect, the Court assumed that the Pension Fund had plausibly alleged a material omission and 27 relied on the Pension Fund’s more obvious failure to allege facts giving rise to the required 1 allowed access to sensitive resources.” Id. AWS further explained that customers could 2 “use logging features in AWS” to detect nefarious activity by determining “the actions 3 users have taken . . . and the resources that were used.” Id. The Pension Fund alleges that 4 despite these “clear directions,” which were consistent (if not identical) with Zendesk’s 5 own avowed security best practices,2 Zendesk “shared AWS keys” with “a third party 6 vendor.” Id. ¶¶ 19(a), 25. A “small number” of those keys “were compromised,” which 7 allowed “hackers to access customer service data.” Id. Zendesk also implemented 8 multifactor authentication only “after it had provided AWS keys to others and . . . had been 9 breached as a result.” Id. ¶ 19(b). And Zendesk “failed to properly use logging features” 10 that could have enabled Zendesk to detect the breach. Id. As a result, Zendesk suffered a 11 data breach in November 2016 and discovered the breach only after nearly three years had 12 passed. Id. ¶ 51. The Pension Fund alleges that after the breach was discovered and 13 revealed, Zendesk’s stock price fell. Id. ¶¶ 22, 24.3 14 After the data breach, Zendesk made various public statements regarding the 15 breach’s nature and scale. On October 2, 2019, Zendesk published an “Important Notice 16 regarding 2016 Security Incident” (the Notice) on its website. Id. ¶ 25. The Complaint 17 incorporates relevant parts of the Notice: 18 Important Notice regarding 2016 Security Incident We recently were alerted by a third party regarding a security matter that 19 20 2 On April 1, 2019, Zendesk posted a “Security Best Practices” article on its website, instructing 21 its customers that they could “reduce the risk of a security breach” by following certain best practices. SAC ¶ 46. The post noted that “even the best security policies will fall short if they are 22 not followed.” Id. It went on to suggest that customers implement “2-factor authentication for all agents and admins,” “never give out user names, email addresses, or passwords,” “routinely audit” 23 their Zendesk accounts “for suspicious activity,” and “encourage agents to monitor their user account[s].” Id. 24
3 On September 24, 2019—the date that the Pension Fund alleges Zendesk discovered the 25 breach—Zendesk’s stock price declined from $77.23 to $73.60 “on unusually high [trading] volume.” SAC ¶ 22. On September 27, 2019—the date by which the Pension Fund alleges that 26 Zendesk would have been required to notify its customers of the breach under its internal policies—Zendesk’s stock price declined from $74.08 to $72.08 on unusually high volume. Id. 27 ¶¶ 53–54. And after Zendesk published a notice on its website regarding the breach on October 2, may have affected the Zendesk Support and Chat products and customer accounts 1 of those products activated prior to November of 2016. . . . 2 * * * 3 On September 24 [2019], we identified approximately 10,000 Zendesk 4 Support and Chat accounts . . . whose account information was accessed without 5 authorization prior to November of 2016. Information accessed included some [PII] and other service data. 6
7 For impacted customers, the information accessed from these databases includes the following data: 8 -Email addresses, names and phone numbers of agents and end-users of 9 certain Zendesk products. 10 -Agent and end user passwords that were hashed and salted—a security technique used to make them difficult to decipher, potentially up to 11 November 2016. . . . 12 We have also determined that certain authentication information was 13 accessed for a much smaller set of approximately 700 customer accounts, including expired trial accounts and accounts that are no longer active. . . . 14 Id. ¶ 55. 15 On October 4, 2019, Zendesk updated the Notice to reflect a total of ~22,000 16 breached customer accounts: ~15,000 Support and Chat accounts, with authentication 17 information accessed for approximately ~7,000 customer accounts. Id. ¶ 61. Because 18 Zendesk’s customers often have many end-users, the breach may have affected many more 19 persons’ data. See id. ¶ 56. 20 On October 29, 2019, Zendesk held its Q3 2019 investor conference call, during 21 which Mikkel Svane, Zendesk’s CEO, stated that the breach occurred when “Zendesk was 22 in a very different state of security.” Id. ¶ 62. Similarly, Zendesk updated an “FAQ” page 23 on its website to include Chief Security Officer Maarten Van Horenbeeck’s statement that 24 “Zendesk has significantly invested in its security program since 2016 . . . including rolling 25 out additional protection of sensitive personal data.” Id. ¶ 63. 26 On November 22, 2019, Zendesk revealed the data breach’s cause. Id. ¶ 64. While 27 1 “compromised after having been provided to a third party vendor. These keys were then 2 used to access customer service data.” Id. The statement also indicated that Zendesk had 3 expanded its use of multifactor authentication “during 2016 and 2017” and had 4 “[i]increased security monitoring and logging” during the period “since 2016.” Id. 5 C. Zendesk Statements During the Class Period, Before the Breach Was Disclosed 6 The Pension Fund alleges that AWS best practices, the breach, and Zendesk’s 7 statements following the breach indicate that Zendesk misled investors during the class 8 period, before the breach was disclosed. As the Pension Fund puts it, Zendesk “repeatedly 9 (and falsely) assured its customers and investors that its data security methodologies were 10 comprehensive and of the highest quality.” Id. ¶ 10. This case thus centers on the 11 significance of Zendesk’s alleged statements and omissions during the class period. The 12 Pension Fund challenges the following statements: 13 1. February 14, 2019 Form 10-K for Fiscal year 2018 14 This filing stated that Zendesk maintains a “comprehensive security program 15 designed to help safeguard the security and integrity of our customers’ data.” It added that 16 Zendesk “regularly review[s]” its “security program” and regularly “obtain[s] third-party 17 security audits and examinations” of Zendesk’s “technical operations and practices 18 covering data security.” Id. ¶ 43. Zendesk also noted that in June 2017 it had announced 19 its completion of the EU approval process for using Binding Corporate Rules “as a data 20 processor and controller.” Id. This “significant regulatory approval validated [Zendesk’s] 21 implementation of the highest possible standards for protecting PII globally, covering both 22 the PII of [Zendesk’s] customers and employees.” Id. 23 The filing also warned investors that “if” a data breach were to occur, Zendesk’s 24 “products may be perceived as insecure,” Zendesk “may lose existing customers or fail to 25 attract new customers,” and Zendesk “may incur significant liabilities.” Id. ¶ 44. 26 “Unauthorized access to or security breaches of [Zendesk’s] products could result in the 27 loss of data,” and Zendesk “may also experience security breaches that may remain 1 undetected for an extended period.” Id. 2 2. May 2, 2019 Form 10-Q for Q1 2019 and August 2, 2019 Form 10- Q for Q2 2019 3 These filings provided investors with the same warnings regarding the risks that 4 “could” occur “if” Zendesk suffered a data breach, and the possibility that Zendesk “may” 5 experience undetected data breaches. Id. ¶¶ 47, 49. 6 * 7 The Pension Fund alleges that these statements were “materially false and 8 misleading” because Zendesk “knew or deliberately disregarded and failed to disclose” 9 several facts. Id. ¶ 50.4 First, contrary to Zendesk’s claim that it had a “comprehensive 10 security system” that was up to the “highest possible standards,” Zendesk “did not follow 11 basic precautions to secure data hosted by AWS.” Id. ¶ 50(a). Second, Zendesk 12 implemented multifactor authentication only “after it had provided AWS keys to others 13 and after it had been breached as a result,” and failed to properly “use logging features in 14 AWS.” Id. ¶ 50(b). Third, Zendesk had “already suffered a significant breach” caused by 15 “its failure to implement basic data security standards and best practices.” Id. ¶ 50(c). 16 D. The Instant Motion 17 Zendesk has moved to dismiss the Pension Fund’s Second Amended Complaint. 18 See Mot. to Dismiss SAC (dkt. 65). The Motion is fully briefed, see Opp. (dkt. 68); Reply 19 (dkt. 69), and the Court has determined that oral argument is unnecessary. 20 II. LEGAL STANDARD 21 A. Rule 12(b)(6) 22 Under Rule 12(b)(6) of the Federal Rules of Civil Procedure, a complaint may be 23 dismissed for failure to state a claim for which relief may be granted. Fed. R. Civ. P. 24 12(b)(6). Rule 12(b)(6) applies when a complaint lacks either “a cognizable legal theory” 25
26 4 The Pension Fund points to other statements made on Zendesk’s website and elsewhere during the class period, see SAC ¶¶ 13, 14; Opp. at 6 n.6, but the Pension Fund’s claims arise from the 27 specific statements described above, see SAC ¶ 50. The Court notes that its analysis of the 1 or “sufficient facts alleged” under such a theory. Godecke v. Kinetic Concepts, Inc., 937 2 F.3d 1201, 1208 (9th Cir. 2019). Evaluating a motion to dismiss, the Court “must presume 3 all factual allegations of the complaint to be true and draw all reasonable inferences in 4 favor of the nonmoving party.” Usher, 828 F.2d at 561. “[C]ourts must consider the 5 complaint in its entirety, as well as other sources courts ordinarily examine when ruling on 6 Rule 12(b)(6) motions to dismiss, in particular, documents incorporated into the complaint 7 by reference, and matters of which a court may take judicial notice.” Tellabs, Inc. v. 8 Makor Issues & Rights, Ltd., 551 U.S. 308, 322 (2007).5 9 If a court dismisses a complaint for failure to state a claim, it should “freely give 10 leave” to amend “when justice so requires.” Fed. R. Civ. P. 15(a)(2). A court nevertheless 11 has discretion to deny leave to amend due to, among other things, “repeated failure to cure 12 deficiencies by amendments previously allowed, undue prejudice to the opposing party by 13 virtue of allowance of the amendment, [and] futility of amendment.” Leadsinger, Inc. v. 14 BMG Music Pub., 512 F.3d 522, 532 (9th Cir. 2008) (citing Foman v. Davis, 371 U.S. 15 178, 182 (1962)). 16 B. Claims under Section 10(b) of the Securities Exchange Act and Rule 10b-5 17 Section 10(b) of the Securities Exchange Act of 1934 forbids the “use or employ, in 18 connection with the purchase or sale of any security . . . [of] any manipulative or deceptive 19 device or contrivance in contravention of such rules and regulations as the [SEC] may 20 prescribe as necessary or appropriate in the public interest or for the protection of 21 investors.” 15 U.S.C. § 78j(b). SEC Rule 10b-5 implements § 10(b) and declares it 22 unlawful: 23 (a) To employ any device, scheme, or artifice to defraud, (b) To make any untrue statement of a material fact or to omit to state a 24 material fact necessary in order to make the statements made . . . not 25 misleading, or 26 5 The Court grants Zendesk’s Request for Judicial Notice (dkt. 66) because the relevant documents 27 are either incorporated by reference in the Second Amended Complaint or not subject to (c) To engage in any act, practice, or course of business which operates or 1 would operate as a fraud or deceit upon any person, in connection with 2 the purchase or sale of any security. 3 17 C.F.R. § 240.10b-5. 4 The Supreme Court has implied a right of action to stock purchasers or sellers 5 injured by a violation of § 10(b) and Rule 10b-5. See Dura Pharms., Inc. v. Broudo, 544 6 U.S. 336, 341 (2005). To state a claim, plaintiffs must plead “(1) a material 7 misrepresentation (or omission); (2) scienter, i.e., a wrongful state of mind; (3) a 8 connection with the purchase or sale of a security; (4) reliance . . .; (5) economic loss; and 9 (6) ‘loss causation,’ i.e., a causal connection between the material misrepresentation and 10 the loss.” Id. at 341–42 (citation omitted). The first two elements are particularly relevant 11 here. 12 The first element of a Rule 10b-5 claim is a material false statement or omission. 13 Id. at 341. A plaintiff can establish “[f]alsity” by pointing to “statements that directly 14 contradict what the defendant knew at that time.” Khoja v. Orexigen Therapeutics, Inc., 15 899 F.3d 988, 1008 (9th Cir. 2008). A plaintiff can establish a material omission by 16 pointing to the defendant’s “silence” despite a “duty to disclose.” Matrixx Initiatives, Inc. 17 v. Siracusano, 563 U.S. 27, 45 (2011) (quoting Basic Inc. v. Levinson, 485 U.S. 224, 239 18 n.17 (1988)). Such a duty arises from a statement that, although “not false,” is 19 “misleading” because it “omits material information.” Khoja, 899 F.3d at 1008–09. 20 “Disclosure is required only when necessary to make [the] statements made, in the light of 21 the circumstances under which they were made, not misleading.” Id. at 1009 (quoting 22 Matrixx, 563 U.S. at 44) (internal quotation marks and alterations omitted). 6 Of course, a 23 party “fails to disclose material information” to investors only when the party in question 24 actually “has [the] information that” investors are “entitled to know.” Chiarella v. United 25 6 “Companies can control what they have to disclose . . . by controlling what they say to the 26 market.” Matrixx, 563 U.S. at 45. But once a company communicates “positive information to the market,” that company is “bound to do so in a manner that wouldn’t mislead investors.” 27 Schueneman v. Arena Pharm., Inc., 840 F.3d 698, 705–06 (9th Cir. 2016) (quoting Berson v. 1 States, 445 U.S. 222, 228 (1980). 2 “Whether its allegations concern an omission or a misstatement,” a plaintiff must 3 also allege “materiality.” Khoja, 899 F.3d at 1009. A false statement or omission’s 4 materiality depends on whether “there is a substantial likelihood that a reasonable 5 shareholder would consider” the information to be “important.” Basic, 485 U.S. at 231 6 (quoting TSC Indus., Inc. v. Northway, Inc., 426 U.S. 438, 449 (1976)). This inquiry is 7 “inherently fact-specific.” Matrixx, 563 U.S. at 39. For an omission, “there must be a 8 substantial likelihood that the disclosure of the omitted fact would have been viewed by 9 the reasonable investor as having significantly altered the ‘total mix’ of information made 10 available.” Basic, 485 U.S. at 231–32 (quoting TSC Indus., 426 U.S. at 449). This 11 standard is not “too low,” because a “minimal standard might bring an overabundance of 12 information within its reach, and lead management simply to bury shareholders in an 13 avalanche of trivial information.” Id. at 231 (citation omitted). 14 The second element of a Rule 10b-5 claim is a sufficiently culpable state of mind, 15 or “scienter.” See Ernst & Ernst v. Hochfelder, 425 U.S. 185, 197–99 (1976). Because 16 § 10(b) covers only “manipulative or deceptive” conduct, and Rule 10b-5 implements (and 17 thus cannot extend more broadly than) § 10(b), a Rule 10b-5 claim must allege conduct 18 involving manipulation or deceit. Santa Fe Indus., Inc. v. Green, 430 U.S. 462, 473–74 19 (1977). Accordingly, a plaintiff must allege that the defendant had the “intent to deceive, 20 manipulate, or defraud.” Ernst & Ernst, 425 U.S. at 188. 21 Knowledge of falsity or deception is enough to satisfy this standard. See Gebhart v. 22 SEC, 595 F.3d 1034, 1041 (9th Cir. 2010). And although the Supreme Court has never 23 addressed whether recklessness establishes scienter under Rule 10b-5, see Tellabs, 551 24 U.S. at 319 n.3, the Ninth Circuit has held that “deliberate . . . or conscious recklessness” 25 as to the statement’s false or misleading character establishes scienter. SEC v. Platforms 26 Wireless Int’l Corp., 617 F.3d 1072, 1093 (9th Cir. 2010) (quoting Gebhart, 595 F.3d at 27 1041–42). That is because deliberate, conscious recklessness is “a form of intentional or 1 976 (9th Cir. 1999)). The defendant must have subjectively “appreciate[d] the gravity of 2 the risk of misleading others” and “consciously disregarded” that risk. Id. (quoting 3 Gebhart, 595 F.3d at 1042 n.11).7 4 Even when individual officers lack the requisite scienter, the Ninth Circuit has left 5 open whether a corporation may be liable for securities fraud under a “collective scienter” 6 theory that imputes the cumulative knowledge of a corporation’s agents to the corporation. 7 See Glazer Capital Mgmt., LP v. Magistri, 549 F.3d 736, 744 (9th Cir. 2008); Nordstrom, 8 Inc. v. Chubb & Son, Inc., 54 F.3d 1424, 1435 (9th Cir. 1995). “[S]ome form of collective 9 scienter pleading might be appropriate,” but only when “a company’s public statements 10 were so important and so dramatically false that they would create a strong inference that 11 at least some corporate officials knew of the falsity upon publication.” Glazer, 549 F.3d at 12 744 (emphasis in original). 13 Special pleading requirements apply to the (1) material misstatement or omission 14 and (2) scienter elements of a Rule 10b-5 claim. Tellabs, 551 U.S. at 313. The Private 15 Securities Litigation Reform Act of 1995 (PSLRA) requires plaintiffs to “specify each 16 statement alleged to have been misleading [and] the reason or reasons why the statement is 17 misleading,” 15 U.S.C. § 78u–4(b)(1), and to “state with particularity facts giving rise to a 18 strong inference that the defendant acted” with the requisite scienter—that is, the intent “to 19 deceive, manipulate, or defraud.” Tellabs, 551 U.S. at 313–314 (quoting 15 U.S.C. § 78u– 20 4(b)(2); Ernst & Ernst, 425 U.S. at 194 & n.12).8 With respect to scienter, the plaintiff 21 must do more than allege facts from which “a reasonable person could infer that the 22 defendant acted with the required intent.” Id. at 314 (citation omitted). “To qualify as 23 ‘strong,’ . . . an inference of scienter must be more than merely plausible or reasonable—it 24 must be cogent and at least as compelling as any opposing inference of fraudulent intent.” 25
26 7 Although the deliberate or conscious recklessness inquiry is subjective, extreme departures from an objective standard of care may support an inference that the defendant was consciously 27 reckless. Gebhart, 595 F.3d at 1042. 1 Id.9 2 C. Claims under § 20(a) of the Securities Exchange Act 3 Under § 20(a), “every person who, directly or indirectly, controls any person 4 liable” for a violation of § 10(b) “shall also be liable jointly and severally with and to the 5 same extent as such controlled person.” 15 U.S.C. § 78t(a). Nonetheless, a control person 6 who “acted in good faith and did not directly or indirectly induce the act or acts 7 constituting the violation” is not liable. Id. 8 III. DISCUSSION 9 Zendesk argues that the Pension Fund has not stated a claim under § 10(b) and Rule 10 10b-5 because the Pension Fund has not identified any false statement or actionable 11 omission regarding Zendesk’s data security, see Mot. to Dismiss SAC at 4–9, has failed to 12 plead facts giving rise to a “strong inference” of scienter, id. at 9–13, and has failed to 13 plead a causal connection between any material misrepresentation and a loss to investors, 14 see id. at 13–14. The Pension Fund argues that Zendesk’s statements before the breach 15 was disclosed were misleading because Zendesk lacked “a comprehensive data security 16 program that was continuously reviewed and monitored and up to the highest standards,” 17 and “gave investors the impression that the Company took all possible steps to secure and 18 protect sensitive information.” Opp. at 5 (internal quotation marks omitted). The Pension 19 Fund also argues that its allegations support a strong inference of scienter because Zendesk 20 either “knew” about or “recklessly disregarded” its failure to “comply with AWS’s or even 21 its own best practices” while making public statements about its comprehensive security 22 program. Opp. at 8. 23 The Court agrees with Zendesk that the Pension Fund has failed to state a claim for 24 securities fraud under the PSLRA’s special pleading requirements. The Pension Fund 25 alleges certain mistakes that resulted in a long-undetected data breach. But although 26 9 If “no reasonable person could deny” that the challenged statement was “materially misleading,” 27 and the plaintiff plausibly alleges that the defendant was “aware of the facts that made the 1 § 10(b) “is aptly described as a catchall provision . . . what it catches must be fraud.” 2 Chiarella, 445 U.S. at 235. The Pension Fund has failed to state a claim for securities 3 fraud for two independent reasons. First, the Pension Fund has not pleaded a material 4 misstatement or omission because the Pension Fund has neither identified any misleading 5 statement relating to Zendesk’s data security nor explained how Zendesk could have 6 disclosed additional information that would have made Zendesk’s statements “not 7 misleading.” Matrixx, 563 U.S. at 44. Second, as before, the Pension Fund’s allegations 8 do not give rise to the “strong inference” that Zendesk or its officers acted with the intent 9 to deceive, manipulate, or defraud investors. Tellabs, 551 U.S. at 313–314 (quoting 15 10 U.S.C. § 78u–4(b)(2); Ernst & Ernst, 425 U.S. at 194 & n.12). Instead, those allegations 11 support the “competing” inference that Zendesk was simply unaware of its mistakes or 12 their consequences—a more “compelling” inference than the convoluted fraudulent 13 scheme that the Pension Fund has attempted to allege. Id. at 314. 14 A. First Element: Material Misstatement or Omission 15 Under the applicable pleading standard, see 15 U.S.C. § 78u–4(b)(1), the Pension 16 Fund has not adequately pleaded any false statement or misleading omission. 17 The Pension Fund has pointed to no false statement—that is, no statement that 18 “directly contradict[s]” what Zendesk “knew at the time.” Khoja, 899 F.3d at 1008. The 19 Pension Fund argues that Zendesk lied about the strength of its data security programs 20 based on its past failure to follow best practices, see Opp. at 5, but Zendesk made the 21 relevant statements in 2019, addressing its recent and contemporaneous data security 22 practices, see SAC ¶¶ 43–44, 47, 49. The Pension Fund’s own allegations show that 23 Zendesk’s data security improved between 2016 and 2019, such that Zendesk’s 2019 24 statements are plausibly consistent with Zendesk having a less robust security program in 25 the past. See SAC ¶¶ 50(b), 62–64. Indeed, Zendesk did not state that its data security had 26 always been up to the best possible standards. The only arguable indication that, in 2019, 27 Zendesk’s data security was not as strong as Zendesk claimed is Zendesk’s failure to have 1 challenged statements expressly accounted for that possibility by acknowledging that past 2 breaches “may remain undetected for an extended period.” Id. ¶¶ 44, 49. Further, the 3 undetected breach does not indicate that Zendesk’s statements that it (1) “regularly 4 review[ed]” its “security program,” and (2) “regularly obtain[ed] third-party security audits 5 and examinations” of that program, were false. Opp. at 5 (quoting SAC ¶¶ 43). The 6 breach merely indicates that those measures did not uncover a breach—again, a possibility 7 that Zendesk expressly disclosed. See SAC ¶¶ 44, 49. Finally, Zendesk never stated that 8 its employees had unfailingly complied with AWS best practices and its own best practices 9 from 2016 onwards. In sum, nothing in Zendesk’s 2019 statements was false. 10 The Pension Fund has also not alleged a material omission because the challenged 11 statements were not misleading. See Matrixx, 563 U.S. at 44. The challenged statements 12 discussed Zendesk’s recent and contemporaneous data security practices. They did not 13 imply that Zendesk had not suffered an undetected data breach or that Zendesk’s 14 employees had unfailingly complied with AWS best practices during and since 2016. 15 Indeed, Zendesk’s warnings that it may experience an undetected data breach implied the 16 possibility that, at some point, Zendesk’s data security measures had failed. See SAC 17 ¶¶ 44, 47, 49.10 18 Even if the Court were to assume that the challenged statements were misleading, 19 the statements were not misleading based on information that Zendesk omitted. Because 20 the Pension Fund’s own allegations indicate that Zendesk lacked the “information” that 21 investors were supposedly “entitled to know,” Chiarella, 445 U.S. at 228, the Pension Fund 22 has not pointed to any statement that Zendesk could have made “not misleading,” Matrixx, 23 563 U.S. at 44. For example, Zendesk could not have had any “duty to disclose” the data 24
25 10 Zendesk’s statements that “if” Zendesk suffered a breach, Zendesk “may incur significant liabilities” and the breach “could result in the loss of data,” SAC ¶¶ 44, 47, 49, did not 26 misleadingly imply that Zendesk had not suffered a breach given Zendesk’s express acknowledgement of that possibility. The Pension Fund’s argument to the contrary, see Opp. at 27 6–7, relies on inapposite cases involving statements that certain risks might materialize when the 1 breach, Matrixx, 563 U.S. at 44, because Zendesk was unaware of the breach. Similarly, 2 the Pension Fund has not plausibly alleged that during the class period, Zendesk officers 3 knew, or even should have known, that someone at Zendesk had improperly shared 4 Zendesk’s AWS keys with a third party vendor in 2016. See infra part III.B. Indeed, the 5 Pension Fund cites Zendesk’s statement that it “discovered” the AWS keys had been 6 shared “during [Zendesk’s] review” of the data breach, not before Zendesk made the 7 challenged statements. SAC ¶ 64. There is similarly little reason to think that Zendesk 8 officers knew about Zendesk’s 2016 and 2017 multifactor authentication rollout and past 9 AWS logging practices, let alone their significance. Plus, with no ability to disclose the 10 data breach or the sharing of AWS keys with a single vendor, disclosure of the multifactor 11 authentication rollout and past AWS logging practices would have only served to “bury 12 shareholders in an avalanche of trivial information.” Basic, 485 U.S. at 231.11 13 The Pension Fund’s arguments to the contrary are unavailing. For example, the 14 Pension Fund argues that “[t]he timing of the breach (2016) does not render 2019 15 misstatements inactionable or any less false” because “Zendesk remained exposed to the 16 consequences of giving away its AWS keys and failing to implement other best practices.” 17 Opp. at 7. The Pension Fund reasons that if a bank “gave away the keys to its vault,” the 18 bank could not later claim that its security was “comprehensive . . . just because it installed 19 security cameras.” Id. This analogy misses the mark. There is no indication that in 2019, 20 Zendesk officers knew or were consciously or deliberately reckless in not knowing that 21 three years earlier, AWS keys had been shared with a single vendor, i.e., a business 22
23 11 The Pension Fund makes much of the Twitter account hack that Zendesk CEO Mikkel Svane experienced before 2016, after which Svane had been warned “of the need to implement multi- 24 factor authentication.” Opp. at 3 (citing SAC ¶¶ 16–18). But knowledge of a general security best practice does not equal knowledge of a specific failure to follow that best practice in an unrelated 25 context, or the resulting consequences. Similarly, Svane and CFO Elena Gomez’s certification in the February 2019 Form 10-K that they were “involved in designing and testing the Company’s 26 internal controls,” SAC ¶ 43, does not imply that they were “very familiar with Zendesk’s data security systems,” Opp. at 11 n.9, let alone that they knew or should have known about specific 27 data security mistakes that had occurred in 2016. In short, there is no plausible allegation that 1 partner. A more apt analogy would involve a bank employee—perhaps a teller— 2 disclosing sensitive information about the bank’s vault to one of the bank’s business 3 partners (say, a company that helps the bank obtain cash). There would be little reason to 4 think that the bank’s corporate officers knew about the error and could disclose it, or that 5 the error made their general statements about bank security practices three years later 6 misleading. 7 The Pension Fund has not alleged a false statement or the omission of any 8 information that Zendesk had a duty to disclose. Therefore, the Pension Fund has not 9 stated a claim for securities fraud, and the Court need not address whether the Pension 10 Fund has shown “a substantial likelihood that a reasonable shareholder would consider” 11 the information to be “important.” Basic, 485 U.S. at 224.12 12 B. Second Element: Scienter 13 The Pension Fund has not stated a claim for which relief may be granted for 14 another, independent reason. The Pension Fund has failed to “state with particularity facts 15 giving rise to a strong inference” that Zendesk or any Zendesk officer acted with the intent 16 “to deceive, manipulate, or defraud” in failing to disclose the data breach. Tellabs, 551 17 U.S. at 313–314 (quoting 15 U.S.C. § 78u–4(b)(2); Ernst & Ernst, 425 U.S. at 194 & 18 n.12). 19 Because the Pension Fund has not alleged a material false statement or omission, 20 the Pension Fund has not alleged that Zendesk or its officers had knowledge of falsity or 21 acted with conscious recklessness as to the risk that any statement was misleading without 22
23 12 Thus, as in the Court’s prior order, the Court assumes that a reasonable investor would find at least the fact of the data breach important. See supra note 1; Order Granting First MTD at 21. 24 The Court also assumes that the Pension Fund’s allegations give rise to a factual dispute as to whether a reasonable investor would care that Zendesk had accidentally shared a few AWS keys 25 in 2016 before implementing multifactor authentication and increasing its use of AWS logging features. SAC ¶ 50. As noted above, however, the Court does not assume that a reasonable 26 investor would find information about multifactor authentication and logging important in the absence of additional information regarding the sharing of AWS keys and/or the data breach. 27 More generally, because Zendesk lacked either a duty to disclose or the requisite state of mind, 1 further disclosure. 2 But even accepting the Pension Fund’s argument that Zendesk’s 2019 statements 3 were misleading, the Pension Fund has not alleged that any Zendesk officer acted 4 intentionally or with conscious recklessness. The Pension Fund’s allegations indicate that 5 Zendesk’s officers were simply unaware of the breach until September 2019. See SAC 6 ¶ 51; see also Opp. at 11 (stating that Zendesk “did not even discover” the breach until it 7 was “alerted by a third party”). Thus, the Pension Fund’s allegations contradict any 8 inference that Zendesk intended to “deceive” or “defraud” regarding the fact of the breach. 9 Tellabs, 551 U.S. at 313–314. The same analysis applies to Zendesk’s nondisclosure of its 10 failure to implement certain security best practices before the breach occurred. Of course, 11 Zendesk’s failure to detect the breach may have resulted from negligence, including 12 inadequate use of AWS’s logging features. But given Zendesk’s lack of knowledge 13 surrounding the data breach, the inference that Zendesk’s officers acted with fraudulent 14 intent when failing to disclose Zendesk’s past security mistakes rests on a multitude of 15 dubious premises. Zendesk’s officers must have not only known that someone at Zendesk 16 shared the AWS keys, Zendesk implemented multifactor authentication too late, and 17 Zendesk failed to monitor its platform effectively, but also consciously disregarded a risk 18 that these events made its general statements about data security in 2019 misleading. No 19 allegations in the Second Amended Complaint suggest this was the case. 20 The Pension Fund’s contrary arguments are meritless. First, the Pension Fund 21 argues that “the substantial contradiction between the true state of affairs and Zendesk’s 22 misstatements supports an inference of scienter.” Opp. at 8 (citing Ronconi v. Larkin, 253 23 F.3d 423, 429 (9th Cir. 2001)). As discussed above, the Court rejects the premise that 24 there was such a contradiction. Moreover, in noting that “falsity and scienter in private 25 securities fraud cases are generally strongly inferred from the same set of facts,” Ronconi 26 did not purport to hold that a showing of falsity alone creates a strong inference of scienter. 27 253 F.3d at 429. It merely held that one set of facts could, in certain circumstances, “raise 1 or misleading statements.” Id. (citation omitted). The scienter requirement exists because 2 falsity does not always equal fraud. See Tellabs, 551 U.S. at 324 (“[A] court must 3 consider plausible, nonculpable explanations for the defendant’s conduct.”). Second, the 4 Pension Fund argues that it would be “absurd to suggest that the top executives of a 5 company whose entire business revolves around collecting, storing, and processing users’ 6 sensitive information would be unaware of the failure to follow even basic best practices 7 set by AWS and Zendesk itself.” Opp. at 10. But it is far from absurd to think that in 8 2019, Zendesk officers were not aware or consciously ignorant of a single episode in 2016 9 when someone at Zendesk shared AWS keys with a third-party vendor, let alone that 10 Zendesk had implemented multifactor authentication just after that event. The second 11 amended complaint does not plausibly allege an ongoing, systematic flaunting of security 12 best practices. Cf. Flynn v. Sientra, Inc., 2016 WL 336066, at *15 (C.D. Cal. June 9, 13 2016) (stating that a company’s officers would be aware of “substandard, non-compliant 14 conditions pervading their company’s manufacturing and quality control divisions,” which 15 where “the heart” of the company) (emphasis added). 16 The Second Amended Complaint also fails to allege corporate or collective scienter 17 against Zendesk, to the extent the Ninth Circuit permits such a theory. See Glazer, 549 18 F.3d at 744. Because Zendesk’s public statements were neither false nor misleading, they 19 could not have been “so dramatically false” as to “create a strong inference that at least 20 some” Zendesk officials knew of their falsity. Id. (emphasis in original). 21 For all these reasons, the inference urged by the Pension Fund regarding Zendesk 22 and its officers’ scienter is not “as compelling as any opposing inference.” Tellabs, 551 23 U.S. at 314. The Pension Fund’s theory of Zendesk’s fraudulent intent is, at best, 24 convoluted: Zendesk’s officers did not know about a data breach, but chose to mislead 25 investors during the 2019 class period by refusing to disclose past security mistakes, while 26 nonetheless disclosing that Zendesk might have suffered an undetected breach. The 27 Pension Fund’s allegations do not support the “strong inference” that Zendesk was 1 || strongly support the competing inferences that (1) someone at Zendesk made a serious 2 || mistake by sharing AWS keys a third party vendor, which—combined with Zendesk’s 3 || failure to implement multifactor authentication, resulted in a breach; and (2) Zendesk’s 4 || failure to use logging features may have compounded these errors by letting the breach go 5 || undetected for nearly three years; but (3) Zendesk’s 2019 statements warned investors 6 || about this exact possibility; and thus (4) Zendesk’s officers did not intend Zendesk’s 7 || statements during the class period to be misleading or deliberately disregard the risk that 8 || they would be misleading. The Pension Fund’s allegations suggest that Zendesk failed to 9 || protect sensitive data, not that Zendesk intended to defraud investors.” 10 Cc. Section 20(a) Claims 11 Because the Pension Fund has not stated an underlying securities fraud claim, the 12 Pension Fund’s § 20(a) control persons claim fails. See 15 U.S.C. § 78t(a). 13 || IV. CONCLUSION 14 For the foregoing reasons, the Court GRANTS Zendesk’s motion to dismiss. 3 15 || Because it is conceivable that the Pension Fund could add allegations to cure the above- a 16 || described deficiencies, the Court grants the Pension Fund leave to amend. See Leadsinger, 2 17 || 512 F.3d at 532.4 The Pension Fund shall have 21 days from the date of this order to file 18 || another amended complaint. 19 IT ISSO ORDERED. 20 Dated: March 2, 2021 Ze CHARLES R. BREYER 21 United States District Judge 22 23 24 25 % 13 Because the Pension Fund’s allegations do not satisfy the first two elements of a § 10(b) and Rule 10b-5 claim, the Court need not consider whether the Pension Fund adequately pleaded loss 27 TS Leave to amend is appropriate given the possibility that the Pension Fund relied on the prior 4g || order’s statements regarding whether the Pension Fund had pleaded a material omission. See Fed. R. Civ. P. 15(a)(2); supra note 1.