Plaintiff's law firm issued a press release on October 11, 2018, announcing the lawsuit. According to the press release, Alphabet was incorporated in 2015 and is the parent company of its leading subsidiary Google Inc, among others. Alphabet, through its subsidiary Google, operates a social networking website called “Google+” that allows people to communicate with their family, friends, and coworkers. Google+ users ostensibly have the ability to share and restrict the sharing of personal information according to their preferences by changing privacy settings.
Between 2015 and March 2018, a software glitch in the Google+ website permitted outside developers to access the personal profile data of Google+ members who had not opted to permit their data to be shared publicly. Defendants discovered this glitch in March 2018, ran tests to determine the impact of the glitch, and determined that the data of nearly half of a million users had been exposed to third parties. Google’s legal and policy staff drafted a memorandum regarding the security failure and shared it with senior executives. The memorandum warned that disclosing the incident would likely trigger “immediate regulatory interest.” Google’s CEO was briefed on the plan not to notify users after an internal committee had reached that decision.
The Complaint alleges that throughout the Class Period, Defendants made materially false and misleading statements regarding the Company’s business, operations and compliance policies. Specifically, the Complaint alleges Defendants made false and/or misleading statements and/or failed to disclose that: (1) the Company’s security measures had failed recently and massively, as Google had exposed the private data of hundreds of thousands of users of Google+ to third parties; (2) damage to the Company’s reputation and operating results and loss of customers from this failure of the Company’s security measures were imminent and inevitable; (3) the Company’s security protections did not shield personal user data against theft and security breaches; and (4) the Company’s security measures had been breached due to employee error, malfeasance, system errors or vulnerabilities.
On January 25, 2019, the Court issued an Order consolidating cases and appointing Lead Plaintiff and Counsel. All future docketing was ordered to be done in the lead case 18-CV-06245.
Lead Plaintiff filed a consolidated amended Complaint on April 26. Defendants filed a Motion to Dismiss the consolidated amended Complaint on May 31. On February 5, 2020, the Court issued an Order granting Defendants' Motion to Dismiss. Plaintiff was given leave to amend the Complaint.
Plaintiff did not amend the Complaint, and on March 13, 2020, the Court entered judgment in favor of Defendants and against Plaintiff. On April 9, Lead Plaintiff filed a notice appealing the Court's Dismissal Order. On June 16, 2021, the Court of Appeals affirmed in part and reversed in part the District Court's Dismissal Order, vacated the District Court's Judgment, and remanded for further proceedings.
Defendants filed a petition for writ of certiorari on October 21, 2021 with the U.S. Supreme Court. On March 7, 2022, the U.S. Supreme Court declined the petition and left in place the Court of Appeals' ruling, which remanded the case for further proceedings in the District Court.
On February 5, 2024, the parties entered into a Stipulation of Settlement.