If a company resolved a data breach in the past, does it need to disclose the potential negative fallout of that breach as a risk to investors later on? In a new petition asking the Supreme Court to take up the question, Alphabet is arguing emphatically: no. And it's using the ol' "the past is history, tomorrow's a mystery" defense.
"A 'risk' is the possibility of a future harm or loss. It captures what might occur, not what has occurred," Alphabet argued in its petition, which asks the Court to take up a case in which the State of Rhode Island is suing Alphabet over its failure to disclose a major vulnerability in Google+.
The suit stems from an October 2018 article in the Wall Street Journal that reported Google+ had exposed data on hundreds of thousands of users. According to the story, Google discovered and resolved the issue in the spring of that year, but didn't publicly disclose it until October. Then Rhode Island, which through its state pension fund is an investor in the company, and others sued, arguing Google had misled investors. The case made its way to the Ninth Circuit, which ruled againstGoogle earlier this year, finding that "[r]isk disclosures that 'speak entirely of as-yet-unrealized risks and contingencies' and do not 'alert the reader that some of these risks may already have come to fruition' can mislead reasonable investors."
Alphabet wants the Supreme Court to overturn that ruling, arguing that it "misunderstands the plain meaning of the word 'risk' and the very idea behind a risk disclosure—to warn of future dangers."
Alphabet and other companies include broad warnings about future data security risks as part of their regular investor disclosures. That, the company says, ought to be enough. The court's decision on this question "affects every conceivable industry, including the technology, automotive, chemical, energy, food, retail, and pharmaceutical sectors, to name a few," Alphabet argues.