Securities Fraud Claims Based on Risk-Factor Statements After Facebook v. Amalgamated Bank: A Practical Guide
December 2024
By Kevin K. Russell
Risk-factor statements have become an increasingly important basis for securities fraud litigation. Plaintiffs have successfully argued in many circuits that risk-factor statements can be misleading when they describe an adverse event (like a data breach or government investigation) as a hypothetical future risk without disclosing that the risk has already materialized. Earlier this year, that theory was put in jeopardy when the Supreme Court granted certiorari in Facebook v. Amalgamated Bank to consider the argument that risk-factor statements are categorically focused on future possible events and, therefore, are incapable of misleading investors about the past. (Disclosure: I argued the case on behalf of the plaintiffs.) The Court recently dismissed the case as improvidently granted, avoiding the threat for now. But the issues it raised will likely resurface in future litigation and may return to the Supreme Court in a future case. This article provides some practical guidance for plaintiffs’ counsel navigating these claims.
Background
The plaintiffs in Facebook alleged that the Company’s risk-factor statements in its Item 105 disclosures were misleading because they portrayed the misuse of user data by third-party developers as a merely hypothetical prospect when, unbeknownst to the public, a political consulting firm, Cambridge Analytica, had already obtained and misused the private data of over 30 million Facebook users without their consent.
The Ninth Circuit held that these allegations stated a claim, applying the well-established principle that describing an already-transpired risk as a merely hypothetical prospect can be misleading.
After the Supreme Court granted certiorari, Facebook principally argued that Item 105 disclosures are categorically incapable of misleading investors about past events because they are focused exclusively on identifying potential future events that may harm the company. Plaintiffs, supported by the SEC, argued to the contrary that Item 105 statements are required to identify “factors” that make an investment risky, that they therefore frequently discuss past events expressly, and that as a consequence, investors reasonably understand that a company’s description of a risk (like misappropriation of user data) in hypothetical terms can imply that the risk has not transpired.
At oral argument, the Justices appeared divided. The more liberal Justices, sometimes seemingly joined by Justice Thomas, were skeptical of Facebook’s proposed categorical rule. However, several conservatives, including the Chief Justice and Justices Kavanaugh and Gorsuch, expressed concern about imposing potentially unclear or burdensome disclosure obligations on companies. Justice Kavanaugh, in particular, suggested that any obligation to discuss past events in Item 105 disclosures should be imposed clearly by the SEC in its regulations, not by the courts in applying the general prohibition against half-truths. Justice Barrett, potentially a key vote, seemed uncomfortable with categorical rules in either direction.
A few weeks after the argument, the Court dismissed the case as “improvidently granted.” Why the Court did so, and what lessons might be drawn for Supreme Court advocacy, is a subject for another day. For now, the important point is that the dismissal leaves the questions raised in Facebook unresolved by the Supreme Court and the subject of future litigation in the lower courts.
Practical Guidance for Future Cases
While the favorable circuit precedent remains intact for now, renewed challenges to risk-factor claims are likely. Here are five strategies plaintiffs’ counsel should consider in future cases.
1. Continue to Rely on Risk Statements, But Don’t Rely on Them Exclusively
Risk-factor statements remain a viable and important basis for securities fraud claims. There is a broad—and correct—circuit consensus that describing a risk in hypothetical terms can be misleading if, unbeknownst to investors, the risk has recently materialized in a significant way.
Reviewing SEC filings for misleading risk-factor statements serves two important purposes. First, as in Facebook, the statements themselves can provide a basis for liability. Second, defendants often rely on risk-factor statements in invoking the PSLRA safe harbor for forward-looking statements, or the common law bespeaks caution defense. Those defenses require the forward-looking statement to have been “accompanied by meaningful cautionary statements.” And many courts have recognized that an Item 105 disclosure cannot provide the required cautionary statement if the risk statement is, itself, misleading because it treats an already transpired event as a merely hypothetical risk.
That said, it would be advisable not to rely exclusively on risk-factor statements whenever possible. Making risk-factor statements the sole source of liability increases the likelihood that their actionability will become a focus of litigation in the district court and on appeal. Given the favorable state of the law in many circuits, teeing up cases as potential vehicles for reconsidering that precedent is undesirable.
Additionally, it is easier to defend against a petition for certiorari seeking to raise the issue the Court ducked in Facebook if the decision below finds in the plaintiffs’ favor on multiple independent grounds. The Supreme Court prefers to take cases in which the answer to the Question Presented is outcome-determinative for the case or at least a substantial part of it.
2. Look Beyond Item 105
Companies discuss future risks in multiple contexts, not just in the Item 105 section of an annual report. For example, a CEO may discuss such risks in an earnings call or the company may address such questions in a press release.
Much of Facebook’s argument was specific to the allegedly special context of Item 105 statements, which it claimed is uniquely focused on identifying future events that could harm a company. We explained to the Supreme Court why those arguments have no merit. But there is no even arguable basis for such claims when the risks are discussed in other contexts.
Including both Item 105 and non-Item 105 risk statements may also make it more difficult for defendants to focus the lower courts’ attention on the argument the Court declined to reach in Facebook. And if a court of appeals bases a favorable decision on both types of statements, it would render the case less appealing for the Supreme Court to use to resolve the unanswered questions in Facebook.
3. Avoid Categorical Claims
One thing was clear from the Facebook oral argument: a majority of the Court would reject any categorical rule in plaintiffs’ favor, i.e., any rule holding that it is always misleading to describe a risk as hypothetical when the risk has already materialized.
The Chief Justice gave the example of warning a house guest about the risk of slipping on the stairs—that warning does not imply that no one has slipped on those stairs in the past; in fact, the listener will likely understand that the warning was given because people have slipped on those stairs previously. Facebook likewise provided plausible examples in the Item 105 context—e.g., its warning elsewhere in its Item 105 disclosure that the Company might be harmed by bad publicity. Reasonable investors likely would not view that warning as implying Facebook has not suffered bad publicity in the recent past.
Recognizing that a categorical rule in plaintiffs’ favor would be indefensible in this Supreme Court, we took the position that treating a risk as a merely hypothetical prospect can, and often does, imply that the event has not occurred—but not always. We therefore acknowledged that plaintiffs must establish that the particular risk statement, read in its textual and factual context, implies that the adverse event has not yet occurred. But we emphasized that this should be a relatively easy burden at the pleading stage, where the defendants would have to show that no reasonable juror could read the statement as implying that the risk was only a future prospect.
Unfortunately, many of the favorable circuit decisions in this area use language that could be cast as categorical, opening them up to future challenge, including in the Supreme Court. To avoid this, plaintiffs should be careful not to overplay this language or advance categorical claims.
Instead, plaintiffs should argue that circuit precedent is best read as holding that such statements can be, and often are, misleading, while holding open that a defendant can argue that reasonable investors would understand its particular challenged statements were agnostic about the past and present. Plaintiffs should emphasize that they are not advocating for or relying on any categorical rule in their cases.
4. Carefully Explain Why Statements Are Misleading
Similarly, plaintiffs should expressly and carefully explain why the statements they are challenging imply that the warned-of risk has not yet occurred. These kinds of arguments have not been particularly well developed in the case law thus far. Further consideration is therefore warranted. But here are a few things plaintiffs might point to:
Event is Unusual. Investors are unlikely to think that a risk-factor statement implies that the risk has not yet materialized when the warned-of risk happens all the time. For example, Facebook’s warning that it may be harmed by adverse publicity probably doesn’t imply that it hasn’t been subject to bad press in the past because everyone knows that Facebook is frequently subject to critical media coverage. In contrast, the same is not true of events like a serious fire at the company’s main factory, revocation of an important license, failure of a significant drug trial, initiation of a criminal investigation, etc. Describing such an event as a hypothetical risk will usually be understood to imply the risk has not yet materialized.
Magnitude is Unusual. Even when a warned-of adverse event occurs on a regular basis, a risk-factor statement may be misleading when the event has recently occurred on an unusually significant scale. For example, even if weather-related disruptions may arise regularly, it may be misleading to treat such disruptions as a merely generic, hypothetical risk if, unbeknownst to the public, a flood had recently destroyed the company’s main factory. This is particularly likely to be the situation in many securities fraud cases, which generally are brought only in the aftermath of events that cause very serious and unexpected damage to the company.
Event Would Normally Have Been Disclosed. A risk statement also may imply the warned-of risk has not yet occurred when investors would expect the company to have disclosed that kind of event if it had happened. In Facebook, for example, the public expected that if Facebook had discovered that millions of users’ private data had been misappropriated, it would have alerted the users (and therefore the public). In that context, describing the risk of misappropriation as merely theoretical is reasonably understood to imply it was only that—a hypothetical future risk.
Company Promised To Disclose It. In Facebook, the Company promised to investigate initial allegations of misappropriation and take “swift action” if it found the allegations were true. Instead, after confirming the misappropriation of user data, it kept its findings to itself and then continued to treat the prospect of such a misappropriation as a hypothetical risk in its Item 105 statement. Treating the suspected incident as a hypothetical risk in such cases may reasonably imply the promised investigation has not substantiated the rumored concerns.
The Event Is Non-Public. Even setting aside the truth-on-the-market defense, it is hard to argue that a statement misleadingly implies that something bad has not happened when investors obviously know that it has. For example, warning that fluctuations in exchange or interest rates could harm a company probably doesn’t imply that the company has not suffered from such changes in the recent past because the rates are public. The same is not true, however, for non-public events like failed drug trials or cybersecurity incidents.
5. Take a Measured Approach to Disclosure Obligations
One of the stronger arguments Facebook and its allies raised in the Supreme Court was that the Ninth Circuit’s rule would require companies to bloat their risk disclosures with comprehensive lists of every untoward thing that has ever happened to the company.
Recognizing this, we argued in Facebook that companies need only say enough to dispel the false impression that the described risk was merely a hypothetical future prospect; companies need not also catalog every instance of that event. Accordingly, we distinguished Facebook’s statements about misappropriation of user data, which spoke in purely hypothetical terms, from its discussion of cyberattacks, which Facebook noted had occurred in the past and were likely to happen again in the future. The former, we said, misleadingly implied the misappropriation had not yet occurred, while the latter was not misleading, even though it did not list every hacking event.
We were careful, however, not to say that such caveats will always suffice. Companies may respond to the Facebook litigation by including generic warnings that the risks identified in their Item 105 statements may have occurred in the past. Or they may include caveats like Facebook’s statement about past hacking events with many of their specific risk warnings. Because most significant securities litigation will arise only if a risk has materialized on a massive scale, plaintiffs should be prepared to argue that such a generic disclosure does not dispel the misleading implication that what actually happened was only a future risk.
At the same time, it would be unwise to respond to such caveats by arguing that a statement is misleading unless the company discloses every material instance of an adverse event. That result is likely to be unpalatable to many judges and risks leading courts to adopt Facebook’s proposed categorical rule that at least in the Item 105 context, risk statements never imply anything about the past.
Taking a measured approach is particularly important given the upcoming change in Administration. If courts adopt rules that appear too burdensome for issuers, the SEC may be prompted to restrict risk-factor liability through regulation.
Conclusion
The Supreme Court’s dismissal of its writ of certiorari in Facebook is a victory for investors, preserving a valuable theory of liability that can hold companies accountable when they mislead markets and injure shareholders. The decision also provides an opportunity for plaintiffs to refine their risk-factor cases in ways that will make them less vulnerable on appeal and ensure the theory is even more defensible if and when the Supreme Court returns to the questions it left unanswered in Facebook.
Copyright © 2024 Russell & Woofter LLC. All rights reserved.