Local 353, I.B.E.W. Pension Fu v. Zendesk, Inc. ( 2022 )

                              NOT FOR PUBLICATION                        FILED
UNITED STATES COURT OF APPEALS                        MAR 2 2022
MOLLY C. DWYER, CLERK
U.S. COURT OF APPEALS
FOR THE NINTH CIRCUIT
LOCAL 353, I.B.E.W. PENSION FUND,               No.    21-15785
Lead Plaintiff,
D.C. Nos.    3:19-cv-06968-CRB
Plaintiff-Appellant,                         3:19-cv-07361-CRB
and
MEMORANDUM*
CHARLES REIDINGER; MANDY HO,
Plaintiffs,
v.
ZENDESK, INC.; et al.,
Defendants-Appellees,
and
ADRIAN MCDERMOTT; et al.,
Defendants.
Appeal from the United States District Court
for the Northern District of California
Charles R. Breyer, District Judge, Presiding
Argued and Submitted February 7, 2022
San Francisco, California
*
This disposition is not appropriate for publication and is not precedent
except as provided by Ninth Circuit Rule 36-3.
Before: WARDLAW, IKUTA, and BADE, Circuit Judges.
Plaintiffs Local 353, IBEW Pension Fund, Charles Reidinger and Mandy Ho
(“Plaintiffs”) appeal a district court order dismissing their Second Amended
Complaint (“SAC”) for failure to state a claim under 

.10b-5 (“Rule
10b-5”), 15 U.S.C. § 78j(b) (“Section 10(b)”), or 15 U.S.C. § 78t(a) (“Section
20(a)”). We have jurisdiction under 

, and we affirm.
1.     The district court did not err in dismissing Plaintiffs’ claim under Rule
10b-5 and Section 10(b) for failure to state a claim. To state a claim under Rule
10b-5 and Section 10(b), a plaintiff must plead “six essential elements” including
(1) falsity (a material misrepresentation or omission), and (2) scienter. Retail
Wholesale & Dep’t Store Union Loc. 338 Ret. Fund v. Hewlett-Packard Co., 

, 1274 (9th Cir. 2017). To survive a motion to dismiss, the SAC must
not only satisfy Federal Rule of Civil Procedure 8, but meet additional pleading
requirements set out in Federal Rule of Civil Procedure 9 and the Private Securities
Litigation Reform Act (“PSLRA”), 15 U.S.C. § 78u-4(b)(1), 78u-4(b)(2)(A).
2.     The district court did not err in concluding that while the SAC did
“specify” five publicly filed statements, 15 U.S.C. § 78u-4(b)(1), it did not include
facts supporting a reasonable inference that any of those statements were false or
misleading, see Retail Wholesale, 845 F.3d at 1274.
2
Plaintiffs argue that two of the five statements in Zendesk’s 2018 Form 10-K
(filed February 14, 2019)—that Zendesk “maintain[s] a comprehensive security
program,” and that it “completed the EU approval process for [its] global Binding
Corporate Rules” in 2017—were misleading because they created the impression
that Zendesk implemented the data security best practices described in those
statements no later than 2016, when in fact, the company did not implement those
practices until later.
We disagree. Neither statement makes any reference to Zendesk’s data
security practices in 2016. Statement one is in the present tense; it describes
features of Zendesk’s 2019 data security program and certifies that the current
program is “comprehensive.” Statement two simply states that the EU approved
Zendesk’s global Binding Corporate Rules in 2017. Both statements are truthful.
Plaintiffs contend, however, that based on these statements a reasonable
investor could have concluded that any data security improvements Zendesk
described would have been put in place in response to the two public hacks
Zendesk had experienced in the past, one in 2013 and one in 2016. However,
Plaintiffs plead no facts supporting a reasonable inference that either of those
hacks was a prominent enough milestone in company history that the average
investor would be led to believe every data security improvement directly followed
them. Further, the 2013 hack occurred before Zendesk began using Amazon Web
3
Services (“AWS”) and the 2016 hack involved only Defendant Svane’s personal
Twitter account.
Next, Plaintiffs argue that the remaining three statements—all of which are
risk disclosures that appeared in Zendesk’s 2018 Form 10-K (filed February 14,
2019)—were misleading because they created the impression that it was unlikely
Zendesk had suffered an undetected data breach in the past, when in reality it was
somewhat likely. Again, we disagree. None of the three statements makes
assertions as to the likelihood of such contingencies occurring. Therefore, these
statements would not give an ordinary investor reason to believe that Zendesk was
asserting that the risk that an undetected breach had occurred was particularly high
or low, or that it had changed over time.
3.     The district court did not err in finding that Plaintiffs failed to state
“with particularity” facts supporting a “strong inference,” 15 U.S.C. § 78u-
4(b)(2)(A), that Zendesk acted with the required scienter—intent to “deceive,
manipulate or defraud” or “deliberate recklessness” toward that possibility—under
either the core operations doctrine or the corporate scienter doctrine. Schueneman
v. Arena Pharms. Inc., 

, 705 (9th Cir. 2016) (internal quotation marks
omitted).
Plaintiffs fail to adequately allege scienter under the core operations doctrine
because they do not make “detailed and specific allegations” supporting a strong
4
inference that Defendants Gomez or Svane were intimately involved in the
minutiae of Zendesk’s AWS data-security policy, Zucco Partners, LLC v.
Digimarc Corp., 

, 1000 (9th Cir. 2009) (internal quotation marks
omitted), or allegations supporting a strong inference that the facts at issue (minor
changes in the company’s data security policy over a three-year period) were “of
such prominence that it would be absurd to suggest that management was without
knowledge of the matter,” S. Ferry LP, No. 2 v. Killinger, 

, 786 (9th
Cir. 2008) (emphasis added) (internal quotation marks omitted). They do allege
that, generally speaking, data security is a core element of Zendesk’s business, that
both Gomez and Svane signed Zendesk’s form 10-K which made assertions about
data security, and that in the wake of the 2019 discovery of the 2016 hack, Svane
stated that Zendesk was in a “very different state of security” in 2016 than it was in
2019. However, those allegations fall far short of the bar set by our cases.
Compare No. 84 Emp.-Teamster Joint Council Pension Tr. Fund v. America
West, 

, 937–939 (9th Cir. 2003), with Zucco, 

.
Similarly, even assuming corporate scienter is a viable theory in our circuit,
Plaintiffs fail to adequately allege scienter under that doctrine because the
statements that Plaintiffs cite to were not “so dramatically false” that at least some
corporate official must have known of their falsity upon publication. Compare In
re NVIDIA Corp. Sec. Litig., 

, 1063–64 (9th Cir. 2014) (serious
5
defects in two important products was not enough to trigger corporate scienter),
with Makor Issues & Rts., Ltd. v. Tellabs Inc., 

, 709–10 (7th Cir.
2008) (production issues, collapsing sales, and other serious issues for company’s
flagship products were enough to trigger corporate scienter).
4.     Finally, the district court did not err in dismissing Plaintiffs’ Section
20(a) claim because liability under Section 20(a) requires an underlying violation
of securities law, and the district court correctly dismissed Plaintiffs’ claim under
Rule 10b-5/Section 10(b). See In re Rigel Pharms., Inc. Sec. Litig., 

,
886 (9th Cir. 2012) (“Because Plaintiff here has failed to adequately plead a
violation of the federal securities laws, it follows that Plaintiff also has failed to
adequately plead violations of section 20(a) . . .”).
AFFIRMED.
6