Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 1 of 26 1 2 3 4 5 POMERANTZ LLP Jennifer Pafiti (SBN 282790) 468 North Camden Drive Beverly Hills, CA 90210 Telephone: (818) 532-6499 E-mail: jpafiti@pomlaw.com Attorney for Plaintiff - additional counsel on signature page - 6 UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA 7 8 9 10 FAN YUAN, Individually and on Behalf of All Others Similarly Situated, Plaintiff, 11 12 13 14 15 vs. FACEBOOK, INC., MARK E. ZUCKERBERG and DAVID M. WEHNER, Case No. CLASS ACTION COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS JURY TRIAL DEMANDED Defendants 16 17 Plaintiff Fan Yuan (“Plaintiff”), individually and on behalf of all other persons similarly 18 situated, by Plaintiff’s undersigned attorneys, for Plaintiff’s complaint against Defendants (defined 19 below), alleges the following based upon personal knowledge as to Plaintiff and Plaintiff’s own acts, 20 and information and belief as to all other matters, based upon, inter alia, the investigation conducted by 21 and through Plaintiff’s attorneys, which included, among other things, a review of the Defendants’ 22 23 public documents, conference calls and announcements made by Defendants, United States Securities 24 and Exchange Commission (“SEC”) filings, wire and press releases published by and regarding 25 Facebook, Inc. (“Facebook” or the “Company”), analysts’ reports and advisories about the Company, 26 27 28 1 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 2 of 26 1 2 and information readily obtainable on the Internet. Plaintiff believes that substantial evidentiary support will exist for the allegations set forth herein after a reasonable opportunity for discovery. 3 4 5 NATURE OF THE ACTION 1. This is a federal securities class action on behalf of a class consisting of all persons other than Defendants who purchased or otherwise acquired common shares of Facebook between February 6 7 3, 2017 and March 19, 2018, both dates inclusive (the “Class Period”). Plaintiff seeks to recover 8 compensable damages caused by Defendants’ violations of the federal securities laws and to pursue 9 remedies under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 (the “Exchange Act”) 10 11 and Rule 10b-5 promulgated thereunder. 2. Facebook operates a social networking website that allows people to communicate with 12 13 their family, friends, and coworkers. Facebook develops technologies that facilitate the sharing of 14 information, photographs, website links, and videos. Facebook users have the ability to share and 15 restrict information based on their own specific criteria. By the end of 2017, Facebook had more than 16 2.2 billion active users. 17 3. Founded in 2004, the Company is headquartered in Menlo Park, California. The 18 Company’s common stock trades on the NASDAQ Global Select Market (“NASDAQ”) under the 19 20 21 22 23 ticker symbol “FB.” 4. Throughout the Class Period, Defendants made materially false and misleading statements regarding the Company’s business, operational and compliance policies. Specifically, Defendants made false and/or misleading statements and/or failed to disclose that: (i) Facebook violated 24 its own purported data privacy policies by allowing third parties to access the personal data of millions 25 26 of Facebook users without the users’ consent; (ii) discovery of the foregoing conduct would foreseeably 27 subject the Company to heightened regulatory scrutiny; and (iii) as a result, Facebook’s public 28 statements were materially false and misleading at all relevant times. 2 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 3 of 26 1 5. On May 16, 2017, Reuters reported that France’s Commission on Informatics and 2 Liberty (“CNIL”) had fined Facebook €150,000—the maximum amount then allowed within the 3 CNIL’s authority—for “failing to prevent its users’ data being accessed by advertisers.” The article 4 stated that the fine was said to be “part of a wider European investigation also being carried out in 5 Belgium, the Netherlands, Spain and Germany into some of Facebook’s practices.” 6 7 8 9 10 11 6. On this news, Facebook’s share price fell $5.34, or 3.55%, over two trading days, to close at $144.85 on May 17, 2017. 7. On March 17, 2018, the New York Times published an investigative report entitled “How Trump Consultants Exploited the Facebook Data of Millions,” revealing that Cambridge Analytica, a firm brought on by the Trump campaign to target voters online, used the data of 50 million people 12 13 obtained from Facebook without proper disclosures or permission. The report further stated, in part: [T]he firm harvested private information from the Facebook profiles of more than 50 million users without their permission, according to former Cambridge employees, associates and documents, making it one of the largest data leaks in the social network’s history. The breach allowed the company to exploit the private social media activity of a huge swath of the American electorate, developing techniques that underpinned its work on President Trump’s campaign in 2016. 14 15 16 17 18 *** 19 But the full scale of the data leak involving Americans has not been previously disclosed — and Facebook, until now, has not acknowledged it. Interviews with a half-dozen former employees and contractors, and a review of the firm’s emails and documents, have revealed that Cambridge not only relied on the private Facebook data but still possesses most or all of the trove. 20 21 22 23 (Emphases added.) 8. On this news, Facebook’s share price fell $12.53, or 6.76%, to close at $172.56 on 24 25 26 27 March 19, 2018. 9. On March 19, 2018, post-market, Bloomberg published an article entitled “FTC Probing Facebook For Use of Personal Data, Source Says,” disclosing that the U.S. Federal Trade Commission 28 3 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 4 of 26 1 (“FTC”) is “probing whether Facebook violated terms of a 2011 consent decree of its handling of user 2 data that was transferred to Cambridge Analytica without [user] knowledge.” Under the 2011 3 settlement with the FTC, Facebook “agreed to get user consent for certain changes to privacy settings as 4 part of a settlement of federal chargers that is deceived consumers and forced them to share more 5 personal information than they intended.” The article further stated that “if the FTC finds Facebook 6 7 violated terms of the consent decree, it has the power to fine the company more than $40,000 a day per 8 violation.” 9 10. 10 11 On March 20, 2018, several media outlets reported that the U.K. Parliament had summoned Facebook Chief Executive Officer (“CEO”) Mark Zuckerberg (“Zuckerberg”) to give evidence over the scandal involving London-based Cambridge Analytica. In a statement, the U.K. 12 13 House of Commons committee on Digital, Culture, Media and Sport Committee said: “The 14 Representatives from Facebook previously gave evidence to the inquiry in Washington DC on 15 Thursday 8th February. However, Facebook has since failed to supply requested supplementary 16 evidence to the Committee by the deadline of 14th March. Subsequent information about Facebook’s 17 connection to Cambridge Analytica raises further questions which the Committee intends to put to 18 Facebook to answer in full.” The British lawmakers stated they want to “hear from a senior Facebook 19 20 21 22 23 executive with the sufficient authority to give an accurate account of this catastrophic failure of process.” Zuckerberg was asked to respond by March 26, 2018. 11. Following these news reports, Facebook’s share price fell $7.73, or 4.48%, to close at $164.83 on March 20, 2018. 24 12. As a result of Defendants’ wrongful acts and omissions, and the precipitous decline in 25 26 27 28 the market value of the Company’s common shares, Plaintiff and other Class members have suffered significant losses and damages. JURISDICTION AND VENUE 4 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 5 of 26 1 2 13. The claims asserted herein arise under and pursuant to §§10(b) and 20(a) of the Exchange Act (15 U.S.C. §§78j(b) and §78t(a)) and Rule 10b-5 promulgated thereunder by the SEC (17 3 4 5 6 7 8 C.F.R. §240.10b-5). 14. This Court has jurisdiction over the subject matter of this action under 28 U.S.C. §1331 and §27 of the Exchange Act. 15. Venue is proper in this Judicial District pursuant to §27 of the Exchange Act (15 U.S.C. §78aa) and 28 U.S.C. §1391(b). Facebook’s principal executive offices are located within this Judicial 9 10 11 District. 16. In connection with the acts, conduct and other wrongs alleged in this Complaint, 12 Defendants, directly or indirectly, used the means and instrumentalities of interstate commerce, 13 including but not limited to, the United States mail, interstate telephone communications and the 14 facilities of the national securities exchange. 15 PARTIES 16 17 17. Plaintiff, as set forth in the accompanying Certification, purchased common shares of 18 Facebook at artificially inflated prices during the Class Period and was damaged upon the revelation of 19 the alleged corrective disclosure. 20 18. Defendant Facebook, Inc. is incorporated in Delaware, and the Company’s principal 21 executive offices are located at 1601 Willow Road, Menlo Park, California 94025. Facebook’s 22 23 securities trade on the NASDAQ under the ticker symbol “FB.” 24 19. 25 Chairman. 26 27 20. Defendant Zuckerberg has served at all relevant times as the Company’s CEO and Defendant David M. Wehner (“Wehner”) has served at all relevant times as the Company’s Chief Financial Officer (“CFO”). 28 5 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 6 of 26 1 2 3 4 5 21. The Defendants referenced above in ¶¶ 19-20 are sometimes referred to- herein as the “Individual Defendants.” 22. The Individual Defendants possessed the power and authority to control the contents of Facebook’s SEC filings, press releases, and other market communications. The Individual Defendants were provided with copies of the Company’s SEC filings and press releases alleged herein to be 6 7 misleading prior to or shortly after their issuance and had the ability and opportunity to prevent their 8 issuance or to cause them to be corrected. Because of their positions with the Company, and their 9 access to material information available to them but not to the public, the Individual Defendants knew 10 that the adverse facts specified herein had not been disclosed to and were being concealed from the 11 public, and that the positive representations being made were then materially false and misleading. The 12 13 Individual Defendants are liable for the false statements and omissions pleaded herein. 14 SUBSTANTIVE ALLEGATIONS 15 Background 16 17 23. Facebook operates a social networking website that allows people to communicate with their family, friends, and coworkers. Facebook develops technologies that facilitate the sharing of 18 information, photographs, website links, and videos. Facebook users have the ability to share and 19 20 21 restrict information based on their own specific criteria. By the end of 2017, Facebook had more than 2.2 billion active users. 22 23 Materially False and Misleading Statements Issued During the Class Period 24. The Class Period begins on February 3, 2017, when Facebook filed an annual report on 24 Form 10-K with the SEC, announcing the Company’s financial and operating results for the quarter and 25 26 fiscal year ended December 31, 2016 (the “2016 10-K”). For fiscal year 2016, Facebook reported net 27 income of $10.18 billion, or $3.49 per diluted share, on revenue of $27.63 billion, compared to net 28 income of $3.66 billion, or $1.29 per diluted share, on revenue of $17.92 billion for fiscal year 2015. 6 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 7 of 26 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 25. In the 2016 10-K, with respect to the disclosure of user data, the Company merely offered the following non-specific representation: Security breaches and improper access to or disclosure of our data or user data, or other hacking and phishing attacks on our systems, could harm our reputation and adversely affect our business. Our industry is prone to cyber-attacks by third parties seeking unauthorized access to our data or users’ data. Any failure to prevent or mitigate security breaches and improper access to or disclosure of our data or user data could result in the loss or misuse of such data, which could harm our business and reputation and diminish our competitive position. In addition, computer malware, viruses, social engineering (predominantly spear phishing attacks), and general hacking have become more prevalent in our industry, have occurred on our systems in the past, and will occur on our systems in the future. As a result of our prominence, we believe that we are a particularly attractive target for such breaches and attacks. Such attacks may cause interruptions to the services we provide, degrade the user experience, cause users to lose confidence and trust in our products, or result in financial harm to us. Our efforts to protect our company data or the information we receive may also be unsuccessful due to software bugs or other technical malfunctions; employee, contractor, or vendor error or malfeasance; government surveillance; or other threats that evolve. In addition, third parties may attempt to fraudulently induce employees or users to disclose information in order to gain access to our data or our users' data. Although we have developed systems and processes that are designed to protect our data and user data, to prevent data loss, and to prevent or detect security breaches, we cannot assure you that such measures will provide absolute security. In addition, some of our developers or other partners, such as those that help us measure the effectiveness of ads, may receive or store information provided by us or by our users through mobile or web applications integrated with Facebook. We provide limited information to such third parties based on the scope of services provided to us. However, if these third parties or developers fail to adopt or adhere to adequate data security practices, or in the event of a breach of their networks, our data or our users' data may be improperly accessed, used, or disclosed. Affected users or government authorities could initiate legal or regulatory actions against us in connection with any security breaches or improper disclosure of data, which could cause us to incur significant expense and liability or result in orders or consent decrees forcing us to modify our business practices. Any of these events could have a material and adverse effect on our business, reputation, or financial results. 24 26. The 2016 10-K contained signed certifications pursuant to SOX by the Individual 25 26 Defendants, stating that the information contained in the 2016 10-K “fairly presents, in all material 27 28 7 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 8 of 26 1 2 3 4 5 respects, the financial condition and results of operations of the Company for the periods presented therein.” 27. On May 4, 2017, Facebook filed a quarterly report on Form 10-Q with the SEC, announcing the Company’s financial and operating results for the quarter ended March 31, 2017 (the “1Q 2017 10-Q”). For the quarter, Facebook reported net income of $3.05 billion, or $1.04 per diluted 6 7 8 9 10 11 12 share, on revenue of $8.03 billion, compared to net income of $1.73 billion, or $0.60 per diluted share, on revenue of $5.38 billion for the same period in the prior year. 28. In the 1Q 2017 10-Q, the Company again offered only a non-specific representation concerning data security: Security breaches and improper access to or disclosure of our data or user data, or other hacking and phishing attacks on our systems, could harm our reputation and adversely affect our business. 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 Our industry is prone to cyber-attacks by third parties seeking unauthorized access to our data or users’ data or to disrupt our ability to provide service. Any failure to prevent or mitigate security breaches and improper access to or disclosure of our data or user data could result in the loss or misuse of such data, which could harm our business and reputation and diminish our competitive position. In addition, computer malware, viruses, social engineering (predominantly spear phishing attacks), and general hacking have become more prevalent in our industry, have occurred on our systems in the past, and will occur on our systems in the future. As a result of our prominence, we believe that we are a particularly attractive target for such breaches and attacks. Such attacks may cause interruptions to the services we provide, degrade the user experience, cause users to lose confidence and trust in our products, or result in financial harm to us. Our efforts to protect our company data or the information we receive may also be unsuccessful due to software bugs or other technical malfunctions; employee, contractor, or vendor error or malfeasance; government surveillance; or other threats that evolve. In addition, third parties may attempt to fraudulently induce employees or users to disclose information in order to gain access to our data or our users' data. Although we have developed systems and processes that are designed to protect our data and user data, to prevent data loss, and to prevent or detect security breaches, we cannot assure you that such measures will provide absolute security. In addition, some of our developers or other partners, such as those that help us measure the effectiveness of ads, may receive or store information provided by us or by our users through mobile or web applications integrated with Facebook. We provide limited information to such third parties based on the scope of services provided to us. However, if these third parties or developers fail to adopt or adhere 28 8 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 9 of 26 to adequate data security practices, or in the event of a breach of their networks, our data or our users' data may be improperly accessed, used, or disclosed. 1 2 Affected users or government authorities could initiate legal or regulatory actions against us in connection with any security breaches or improper disclosure of data, which could cause us to incur significant expense and liability or result in orders or consent decrees forcing us to modify our business practices. Any of these events could have a material and adverse effect on our business, reputation, or financial results. 3 4 5 6 7 8 29. The 1Q 2017 10-Q contained signed certifications pursuant to SOX by the Individual Defendants, stating that the information contained in the 1Q 2017 10-Q “fairly presents, in all material respects, the financial condition and results of operations of the Company for the periods presented 9 10 11 therein.” 30. The statements referenced in ¶¶ 24-29 above were materially false and/or misleading 12 because they misrepresented and/or failed to disclose the following adverse facts pertaining to the 13 Company’s business, operational and financial results, which were known to Defendants or recklessly 14 disregarded by them. Specifically, Defendants made false and/or misleading statements and/or failed to 15 disclose that: (i) Facebook violated its own purported data privacy policies by allowing third parties to 16 17 access the personal data of millions of Facebook users without the users’ consent; (ii) discovery of the 18 foregoing conduct would foreseeably subject the Company to heightened regulatory scrutiny; and (iii) 19 as a result, Facebook’s public statements were materially false and misleading at all relevant times. 20 The Truth Begins To Emerge 21 31. On May 16, 2017, post-market, Reuters published an article entitled “Facebook fined 22 23 150,000 euros by French data watchdog,” reporting that the French privacy regulator CNIL had fined 24 Facebook €150,000—the maximum amount then allowed within the CNIL’s authority—for “failing to 25 prevent its users’ data being accessed by advertisers.” The article stated, in part: 26 27 Watchdog CNIL said its fine - which was imposed on both Facebook Inc and Facebook Ireland - was part of a wider European investigation also being carried out in Belgium, the Netherlands, Spain and Germany into some of Facebook’s practices. 28 9 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 10 of 26 1 2 The 150,000 euro fine is small in the context of the company, which has quarterly revenue of about $8 billion and a stock market capitalization which stands at around $435 billion. But it is the maximum amount the CNIL could fine when it started the investigation on the tech giant. 3 4 The CNIL can now issue fines of up to 3 million euros, after the passing of a new law in October 2016. 5 *** 6 7 8 9 10 11 In a statement on Tuesday, Facebook did not say whether it would now take action as a result of the fine. “We take note of the CNIL’s decision with which we respectfully disagree,” Facebook said in a statement emailed to Reuters. 32. On this news, Facebook’s share price fell $5.34 or 3.55%, over two trading days, to close at $144.85 on May 17, 2017. 12 13 33. Even after the CNIL fine, Facebook continued to conceal the extent to which its users’ 14 data was available to third parties without user consent. On July 27, 2017, Facebook filed a quarterly 15 report on Form 10-Q with the SEC, announcing the Company’s financial and operating results for the 16 quarter ended June 30, 2017 (the “2Q 2017 10-Q”). For the quarter, Facebook reported net income of 17 $3.89 billion, or $1.32 per diluted share, on revenue of $9.32 billion, compared to net income of $2.27 18 billion, or $0.78 per diluted share, on revenue of $6.43 billion for the same period in the prior year. 19 20 21 22 23 24 25 26 27 28 34. In the 2Q 2017 10-Q, the Company again offered only a non-specific representation concerning data security: Security breaches and improper access to or disclosure of our data or user data, or other hacking and phishing attacks on our systems, could harm our reputation and adversely affect our business. Our industry is prone to cyber-attacks by third parties seeking unauthorized access to our data or users’ data or to disrupt our ability to provide service. Any failure to prevent or mitigate security breaches and improper access to or disclosure of our data or user data could result in the loss or misuse of such data, which could harm our business and reputation and diminish our competitive position. In addition, computer malware, viruses, social engineering (predominantly spear phishing attacks), and general hacking have become more prevalent in our industry, have occurred on our systems in the past, and will occur 10 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 11 of 26 on our systems in the future. As a result of our prominence, we believe that we are a particularly attractive target for such breaches and attacks. Such attacks may cause interruptions to the services we provide, degrade the user experience, cause users to lose confidence and trust in our products, or result in financial harm to us. Our efforts to protect our company data or the information we receive may also be unsuccessful due to software bugs or other technical malfunctions; employee, contractor, or vendor error or malfeasance; government surveillance; or other threats that evolve. In addition, third parties may attempt to fraudulently induce employees or users to disclose information in order to gain access to our data or our users' data. Although we have developed systems and processes that are designed to protect our data and user data, to prevent data loss, and to prevent or detect security breaches, we cannot assure you that such measures will provide absolute security. 1 2 3 4 5 6 7 8 In addition, some of our developers or other partners, such as those that help us measure the effectiveness of ads, may receive or store information provided by us or by our users through mobile or web applications integrated with Facebook. We provide limited information to such third parties based on the scope of services provided to us. However, if these third parties or developers fail to adopt or adhere to adequate data security practices, or in the event of a breach of their networks, our data or our users' data may be improperly accessed, used, or disclosed. 9 10 11 12 Affected users or government authorities could initiate legal or regulatory actions against us in connection with any security breaches or improper disclosure of data, which could cause us to incur significant expense and liability or result in orders or consent decrees forcing us to modify our business practices. Any of these events could have a material and adverse effect on our business, reputation, or financial results. 13 14 15 16 17 35. The 2Q 2017 10-Q contained signed certifications pursuant to SOX by the Individual Defendants, stating that the information contained in the 2Q 2017 10-Q “fairly presents, in all material 18 19 20 21 22 23 respects, the financial condition and results of operations of the Company for the periods presented therein.” 36. On November 2, 2017, Facebook filed a quarterly report on Form 10-Q with the SEC, announcing the Company’s financial and operating results for the quarter ended September 30, 2017 (the “3Q 2017 10-Q”). For the quarter, Facebook reported net income of $4.70 billion, or $1.59 per 24 25 26 diluted share, on revenue of $10.32 billion, compared to net income of $2.62 billion, or $0.90 per diluted share, on revenue of $7.01 billion for the same period in the prior year. 27 28 11 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 12 of 26 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 37. The 3Q 2017 10-Q, the Company again offered only a non-specific representation with respect to data security: Security breaches and improper access to or disclosure of our data or user data, or other hacking and phishing attacks on our systems, could harm our reputation and adversely affect our business. Our industry is prone to cyber-attacks by third parties seeking unauthorized access to our data or users’ data or to disrupt our ability to provide service. Any failure to prevent or mitigate security breaches and improper access to or disclosure of our data or user data could result in the loss or misuse of such data, which could harm our business and reputation and diminish our competitive position. In addition, computer malware, viruses, social engineering (predominantly spear phishing attacks), and general hacking have become more prevalent in our industry, have occurred on our systems in the past, and will occur on our systems in the future. As a result of our prominence and the types and volume of personal data on our systems, we believe that we are a particularly attractive target for such breaches and attacks. Such attacks may cause interruptions to the services we provide, degrade the user experience, cause users to lose confidence and trust in our products, impair our internal systems, or result in financial harm to us. Our efforts to protect our company data or the information we receive may also be unsuccessful due to software bugs or other technical malfunctions; employee, contractor, or vendor error or malfeasance; government surveillance; or other threats that evolve. In addition, third parties may attempt to fraudulently induce employees or users to disclose information in order to gain access to our data or our users' data. Cyber-attacks continue to evolve in sophistication and volume, and inherently may be difficult to detect for long periods of time. Although we have developed systems and processes that are designed to protect our data and user data, to prevent data loss, and to prevent or detect security breaches, we cannot assure you that such measures will provide absolute security, and we may incur significant costs in protecting against or remediating cyber-attacks. In addition, some of our developers or other partners, such as those that help us measure the effectiveness of ads, may receive or store information provided by us or by our users through mobile or web applications integrated with Facebook. We provide limited information to such third parties based on the scope of services provided to us. However, if these third parties or developers fail to adopt or adhere to adequate data security practices, or in the event of a breach of their networks, our data or our users' data may be improperly accessed, used, or disclosed. Affected users or government authorities could initiate legal or regulatory actions against us in connection with any security breaches or improper disclosure of data, which could cause us to incur significant expense and liability or result in orders or consent decrees forcing us to modify our business practices. Such incidents may also result in a decline in our active user base or engagement levels. Any of these events could have a material and adverse effect on our business, reputation, or financial results. 28 12 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 13 of 26 1 38. The 3Q 2017 10-Q contained signed certifications pursuant to SOX by the Individual 2 Defendants, stating that the information contained in the 3Q 2017 10-Q “fairly presents, in all material 3 respects, the financial condition and results of operations of the Company for the periods presented 4 therein.” 5 39. On January 31, 2018, the Company held an earnings conference call with investors and 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 analysts to discuss the Q4 2017. During the call, Defendant Zuckerberg stated in relevant part: But 2017 was also a hard year. The world feels anxious and divided and that played out on Facebook. We've seen abuse on our platform, including interference from nation states, the spread of news that is false, sensational and polarizing, and debate about the utility of social media. We have a responsibility to fully understand how our services are used and to do everything we can to amplify the good and prevent the harm. This is my personal challenge for 2018. *** Preventing false news hate speech and other abuse[] is another important area of focus for us. In order to protect the security and integrity of our platform, we're investing in both people and technology. We now have around 14,000 people working across community ops, online ops, and our security efforts. That's almost double where we were a year-ago. *** Finally, we’ve started rolling out a major ad transparent effort. We support Congress passing legislation to make all advertising more transparent. We're not going to wait for them to act. We've already begun launching a way for anyone to view the ad, a pages running on Facebook, Instagram and Messenger, even if they aren't in the intended audience. 40. On February 1, 2018, Facebook filed an annual report on Form 10-K with the SEC, announcing the Company’s financial and operating results for the quarter and fiscal year ended December 31, 2017 (the “2017 10-K”). For fiscal year 2017, Facebook reported net income of $15.93 21 22 23 24 25 26 27 billion, or $5.39 per diluted share, on revenue of $40.65 billion, compared to reported net income of $10.18 billion, or $3.49 per diluted share, on revenue of $27.63 billion for fiscal year 2016. 41. In the 2017 10-K, with respect to the disclosure of user data, the Company again only offered the following non-specific representation: Security breaches and improper access to or disclosure of our data or user data, or other hacking and phishing attacks on our systems, could harm our reputation and adversely affect our business. 28 13 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 14 of 26 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 Our industry is prone to cyber-attacks by third parties seeking unauthorized access to our data or users’ data or to disrupt our ability to provide service. Any failure to prevent or mitigate security breaches and improper access to or disclosure of our data or user data, including personal information, content or payment information from users, could result in the loss or misuse of such data, which could harm our business and reputation and diminish our competitive position. In addition, computer malware, viruses, social engineering (predominantly spear phishing attacks), and general hacking have become more prevalent in our industry, have occurred on our systems in the past, and will occur on our systems in the future. We also regularly encounter attempts to create false or undesirable user accounts, purchase ads, or take other actions on our platform for purposes such as spamming, spreading misinformation, or other objectionable ends. As a result of our prominence, the size of our user base, and the types and volume of personal data on our systems, we believe that we are a particularly attractive target for such breaches and attacks. Such attacks may cause interruptions to the services we provide, degrade the user experience, cause users to lose confidence and trust in our products, impair our internal systems, or result in financial harm to us. Our efforts to protect our company data or the information we receive may also be unsuccessful due to software bugs or other technical malfunctions; employee, contractor, or vendor error or malfeasance; government surveillance; or other threats that evolve. In addition, third parties may attempt to fraudulently induce employees or users to disclose information in order to gain access to our data or our users' data. Cyber-attacks continue to evolve in sophistication and volume, and inherently may be difficult to detect for long periods of time. Although we have developed systems and processes that are designed to protect our data and user data, to prevent data loss, to disable undesirable accounts and activities on our platform, and to prevent or detect security breaches, we cannot assure you that such measures will provide absolute security, and we may incur significant costs in protecting against or remediating cyber-attacks. In addition, some of our developers or other partners, such as those that help us measure the effectiveness of ads, may receive or store information provided by us or by our users through mobile or web applications integrated with Facebook. We provide limited information to such third parties based on the scope of services provided to us. However, if these third parties or developers fail to adopt or adhere to adequate data security practices, or in the event of a breach of their networks, our data or our users' data may be improperly accessed, used, or disclosed. 21 22 23 24 25 26 27 Affected users or government authorities could initiate legal or regulatory actions against us in connection with any security breaches or improper disclosure of data, which could cause us to incur significant expense and liability or result in orders or consent decrees forcing us to modify our business practices. Such incidents may also result in a decline in our active user base or engagement levels. Any of these events could have a material and adverse effect on our business, reputation, or financial results. 42. The 2017 10-K contained signed certifications pursuant to SOX by the Individual Defendants, stating that the information contained in the 2017 10-K “fairly presents, in all material 28 14 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 15 of 26 1 2 3 4 5 6 7 8 9 10 respects, the financial condition and results of operations of the Company for the periods presented therein.” 43. relevant times, the Data Use Policy advised Facebook users, in part: Granting us permission to use your information not only allows us to provide Facebook as it exists today, but it also allows us to provide you with innovative features and services we develop in the future that use the information we receive about you in new ways. While you are allowing us to use the information we receive about you, you always own all of your information. Your trust is important to us, which is why we don't share information we receive about you with others unless we have: • • • 11 12 13 14 At all relevant times, Facebook has maintained a Data Use Policy on its website. At all received your permission; given you notice, such as by telling you about it in this policy; or removed your name and any other personally identifying information from it. (Emphases added) (https://www.facebook.com/full_data_use_policy). 44. The statements referenced in ¶¶ 33-43 above were materially false and/or misleading 15 16 because they misrepresented and/or failed to disclose the following adverse facts pertaining to the 17 Company’s business, operational and financial results, which were known to Defendants or recklessly 18 disregarded by them. Specifically, Defendants made false and/or misleading statements and/or failed to 19 disclose that: (i) Facebook continued to violate its own purported data privacy policies by permitting 20 third parties to access the personal data of millions of Facebook users without the users’ consent; (ii) 21 22 discovery of the foregoing conduct would foreseeably subject the Company to heightened regulatory 23 scrutiny; and (iii) as a result, Facebook’s public statements were materially false and misleading at all 24 relevant times. 25 26 The Truth Begins to Emerge 45. On March 17, 2018, the New York Times published an investigative report entitled “How 27 28 Trump Consultants Exploited the Facebook Data of Millions,” revealing that Cambridge Analytica, the 15 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 16 of 26 1 firm that worked to target voters online in connection with Donald Trump’s 2016 presidential 2 campaign, used the data of 50 million people obtained from Facebook without making proper 3 disclosures or obtaining permission. The report further stated in relevant part: 4 5 6 7 [T]he firm harvested private information from the Facebook profiles of more than 50 million users without their permission, according to former Cambridge employees, associates and documents, making it one of the largest data leaks in the social network’s history. The breach allowed the company to exploit the private social media activity of a huge swath of the American electorate, developing techniques that underpinned its work on President Trump’s campaign in 2016. 8 9 10 11 An examination by The New York Times and The Observer of London reveals how Cambridge Analytica’s drive to bring to market a potentially powerful new weapon put the firm — and wealthy conservative investors seeking to reshape politics — under scrutiny from investigators and lawmakers on both sides of the Atlantic. *** 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 But the full scale of the data leak involving Americans has not been previously disclosed — and Facebook, until now, has not acknowledged it. Interviews with a half-dozen former employees and contractors, and a review of the firm’s emails and documents, have revealed that Cambridge not only relied on the private Facebook data but still possesses most or all of the trove. Cambridge paid to acquire the personal information through an outside researcher who, Facebook says, claimed to be collecting it for academic purposes. During a week of inquiries from The Times, Facebook downplayed the scope of the leak and questioned whether any of the data still remained out of its control. But on Friday, the company posted a statement expressing alarm and promising to take action. *** In Britain, Cambridge Analytica is facing intertwined investigations by Parliament and government regulators into allegations that it performed illegal work on the “Brexit” campaign. The country has strict privacy laws, and its information commissioner announced on Saturday that she was looking into whether the Facebook data was “illegally acquired and used.” *** The documents also raise new questions about Facebook, which is already grappling with intense criticism over the spread of Russian propaganda and fake news. The data Cambridge collected from profiles, a portion of which was viewed by The Times, included details on users’ identities, friend networks and “likes.” Only a tiny fraction of the users had agreed to release their information to a third party. 28 16 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 17 of 26 1 2 “Protecting people’s information is at the heart of everything we do,” Mr. [Paul] Grewal [Deputy General Counsel at Facebook] said. “No systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.” 3 Still, he added, “it’s a serious abuse of our rules.” 4 *** Mr. Grewal, the Facebook deputy general counsel, said in a statement that both Dr. Kogan and “SCL Group and Cambridge Analytica certified to us that they destroyed the data in question.” 5 6 7 But copies of the data still remain beyond Facebook’s control. The Times viewed a set of raw data from the profiles Cambridge Analytica obtained. 8 (Emphases added.) 9 46. 10 On this news, Facebook’s share price fell $12.53, or 6.76%, to close at $172.56 on March 19, 2018. 11 12 47. On March 19, 2018, post-market, Bloomberg published an article entitled “FTC Probing 13 Facebook For Use of Personal Data, Source Says,” disclosing that the U.S. Federal Trade Commission 14 is “probing whether Facebook violated terms of a 2011 consent decree of its handling of user data that 15 was transferred to Cambridge Analytica without [user] knowledge.” Under the 2011 settlement with the 16 FTC, Facebook “agreed to get user consent for certain changes to privacy settings as part of a 17 18 settlement of federal chargers that is deceived consumers and forced them to share more personal 19 information than they intended.” The article further stated that “if the FTC finds Facebook violated 20 terms of the consent decree, it has the power to fine the company more than $40,000 a day per 21 violation.” 22 48. On March 20, 2018, several media outlets reported that the U.K. Parliament had 23 24 25 summoned Facebook CEO Mark Zuckerberg to give evidence over the scandal involving London-based Cambridge Analytica. In a statement, the U.K. House of Commons committee on Digital, Culture, 26 Media and Sport Committee said: “The Representatives from Facebook previously gave evidence to the 27 inquiry in Washington DC on Thursday 8th February. However, Facebook has since failed to supply 28 17 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 18 of 26 1 requested supplementary evidence to the Committee by the deadline of 14th March. Subsequent 2 information about Facebook’s connection to Cambridge Analytica raises further questions which the 3 Committee intends to put to Facebook to answer in full.” The British lawmakers stated they want to 4 “hear from a senior Facebook executive with the sufficient authority to give an accurate account of this 5 catastrophic failure of process.” Zuckerberg was asked to respond by March 26, 2018. 6 7 8 9 10 11 49. Following these news reports, Facebook’s share price fell $7.73, or 4.48%, to close at $164.83 on March 20, 2018. 50. As a result of Defendants’ wrongful acts and omissions, and the precipitous decline in the market value of the Company’s common shares, Plaintiff and other Class members have suffered significant losses and damages. 12 PLAINTIFF’S CLASS ACTION ALLEGATIONS 13 14 51. Plaintiff brings this action as a class action pursuant to Federal Rule of Civil Procedure 15 23(a) and (b)(3) on behalf of a Class, consisting of all those who purchased or otherwise acquired 16 Facebook common shares traded on the NASDAQ during the Class Period (the “Class”); and were 17 damaged upon the revelation of the alleged corrective disclosures. Excluded from the Class are 18 Defendants herein, the officers and directors of the Company, at all relevant times, members of their 19 20 21 22 23 immediate families and their legal representatives, heirs, successors or assigns and any entity in which Defendants have or had a controlling interest. 52. The members of the Class are so numerous that joinder of all members is impracticable. Throughout the Class Period, Facebook common shares were actively traded on the NASDAQ. While 24 the exact number of Class members is unknown to Plaintiff at this time and can be ascertained only 25 26 27 through appropriate discovery, Plaintiff believes that there are hundreds or thousands of members in the proposed Class. Record owners and other members of the Class may be identified from records 28 18 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 19 of 26 1 2 3 4 5 maintained by Facebook or its transfer agent and may be notified of the pendency of this action by mail, using the form of notice similar to that customarily used in securities class actions. 53. Plaintiff’s claims are typical of the claims of the members of the Class as all members of the Class are similarly affected by Defendants’ wrongful conduct in violation of federal law that is complained of herein. 6 7 54. Plaintiff will fairly and adequately protect the interests of the members of the Class and 8 has retained counsel competent and experienced in class and securities litigation. Plaintiff has no 9 interests antagonistic to or in conflict with those of the Class. 10 11 55. Common questions of law and fact exist as to all members of the Class and predominate over any questions solely affecting individual members of the Class. Among the questions of law and 12 13 fact common to the Class are: 14 • whether the federal securities laws were violated by Defendants’ acts as alleged herein; • whether statements made by Defendants to the investing public during the Class Period misrepresented material facts about the financial condition, business, operations, and management of Facebook; • whether Defendants caused Facebook to issue false and misleading financial statements during the Class Period; • whether Defendants acted knowingly or recklessly in issuing false and misleading financial statements; • whether the prices of Facebook securities during the Class Period were artificially inflated because of Defendants’ conduct complained of herein; and • whether the members of the Class have sustained damages and, if so, what is the proper measure of damages. 15 16 17 18 19 20 21 22 23 24 25 56. A class action is superior to all other available methods for the fair and efficient 26 adjudication of this controversy since joinder of all members is impracticable. Furthermore, as the 27 28 damages suffered by individual Class members may be relatively small, the expense and burden of 19 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 20 of 26 1 2 3 4 individual litigation make it impossible for members of the Class to individually redress the wrongs done to them. There will be no difficulty in the management of this action as a class action. 57. Plaintiff will rely, in part, upon the presumption of reliance established by the fraud-on- the-market doctrine in that: 5 • Defendants made public misrepresentations or failed to disclose material facts during the Class Period; • the omissions and misrepresentations were material; • Facebook common shares are traded in efficient markets; • the Company’s shares were liquid and traded with moderate to heavy volume during the Class Period; • the Company traded on the NASDAQ, and was covered by multiple analysts; • the misrepresentations and omissions alleged would tend to induce a reasonable investor to misjudge the value of the Company’s common shares; and • Plaintiff and members of the Class purchased and/or sold Facebook common shares between the time the Defendants failed to disclose or misrepresented material facts and the time the true facts were disclosed, without knowledge of the omitted or misrepresented facts. 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 58. Based upon the foregoing, Plaintiff and the members of the Class are entitled to a presumption of reliance upon the integrity of the market. 59. Alternatively, Plaintiff and the members of the Class are entitled to the presumption of reliance established by the Supreme Court in Affiliated Ute Citizens of the State of Utah v. United States, 406 U.S. 128, 92 S. Ct. 2430 (1972), as Defendants omitted material information in their Class 23 24 Period statements in violation of a duty to disclose such information, as detailed above. 25 COUNT I 26 Violation of Section 10(b) of The Exchange Act and Rule 10b-5 Against All Defendants 27 28 20 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 21 of 26 1 2 3 4 5 60. Plaintiff repeats and realleges each and every allegation contained above as if fully set forth herein. 61. This Count is asserted against Facebook and the Individual Defendants and is based upon Section 10(b) of the Exchange Act, 15 U.S.C. § 78j(b), and Rule 10b-5 promulgated thereunder by the SEC. 6 7 62. During the Class Period, Facebook and the Individual Defendants, individually and in 8 concert, directly or indirectly, disseminated or approved the false statements specified above, which 9 they knew or deliberately disregarded were misleading in that they contained misrepresentations and 10 failed to disclose material facts necessary in order to make the statements made, in light of the 11 circumstances under which they were made, not misleading. 12 13 14 63. in that they: • • 15 16 17 • 18 19 20 Facebook and the Individual Defendants violated §10(b) of the 1934 Act and Rule 10b-5 64. employed devices, schemes and artifices to defraud; made untrue statements of material facts or omitted to state material facts necessary in order to make the statements made, in light of the circumstances under which they were made, not misleading; or engaged in acts, practices and a course of business that operated as a fraud or deceit upon plaintiff and others similarly situated in connection with their purchases of Facebook common shares during the Class Period. Facebook and the Individual Defendants acted with scienter in that they knew that the 21 public documents and statements issued or disseminated in the name of Facebook were materially false 22 and misleading; knew that such statements or documents would be issued or disseminated to the 23 investing public; and knowingly and substantially participated, or acquiesced in the issuance or 24 25 dissemination of such statements or documents as primary violations of the securities laws. These 26 Defendants by virtue of their receipt of information reflecting the true facts of Facebook, their control 27 over, and/or receipt and/or modification of Facebook allegedly materially misleading statements, and/or 28 21 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 22 of 26 1 2 3 4 5 their associations with the Company which made them privy to confidential proprietary information concerning Facebook, participated in the fraudulent scheme alleged herein. 65. Individual Defendants, who are the senior officers and/or directors of the Company, had actual knowledge of the material omissions and/or the falsity of the material statements set forth above, and intended to deceive Plaintiff and the other members of the Class, or, in the alternative, acted with 6 7 reckless disregard for the truth when they failed to ascertain and disclose the true facts in the statements 8 made by them or other Facebook personnel to members of the investing public, including Plaintiff and 9 the Class. 10 11 66. As a result of the foregoing, the market price of Facebook common shares was artificially inflated during the Class Period. In ignorance of the falsity of Facebook’s and the Individual 12 13 Defendants’ statements, Plaintiff and the other members of the Class relied on the statements described 14 above and/or the integrity of the market price of Facebook common shares during the Class Period in 15 purchasing Facebook common shares at prices that were artificially inflated as a result of Facebook’s 16 and the Individual Defendants’ false and misleading statements. 17 67. Had Plaintiff and the other members of the Class been aware that the market price of 18 Facebook common shares had been artificially and falsely inflated by Facebook’s and the Individual 19 20 Defendants’ misleading statements and by the material adverse information which Facebook’s and the 21 Individual Defendants did not disclose, they would not have purchased Facebook’s common shares at 22 the artificially inflated prices that they did, or at all. 23 68. As a result of the wrongful conduct alleged herein, Plaintiff and other members of the 24 Class have suffered damages in an amount to be established at trial. 25 26 27 69. By reason of the foregoing, Facebook and the Individual Defendants have violated Section 10(b) of the 1934 Act and Rule 10b-5 promulgated thereunder and are liable to the plaintiff and 28 22 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 23 of 26 1 2 the other members of the Class for substantial damages which they suffered in connection with their purchase of Facebook common shares during the Class Period. 3 COUNT II 4 Violation of Section 20(a) of The Exchange Act Against The Individual Defendants 5 6 7 8 70. Plaintiff repeats and realleges each and every allegation contained in the foregoing paragraphs as if fully set forth herein. 71. During the Class Period, the Individual Defendants participated in the operation and 9 10 management of Facebook, and conducted and participated, directly and indirectly, in the conduct of 11 Facebook’s business affairs. Because of their senior positions, they knew the adverse non-public 12 information regarding the Company’s inadequate internal safeguards in data security protocols. 13 14 72. As officers and/or directors of a publicly owned company, the Individual Defendants had a duty to disseminate accurate and truthful information with respect to Facebook’s financial condition 15 16 17 18 19 20 and results of operations, and to correct promptly any public statements issued by Facebook which had become materially false or misleading. 73. Because of their positions of control and authority as senior officers, the Individual Defendants were able to, and did, control the contents of the various reports, press releases and public filings which Facebook disseminated in the marketplace during the Class Period. Throughout the Class 21 Period, the Individual Defendants exercised their power and authority to cause Facebook to engage in 22 23 the wrongful acts complained of herein. The Individual Defendants therefore, were “controlling 24 persons” of Facebook within the meaning of Section 20(a) of the Exchange Act. In this capacity, they 25 participated in the unlawful conduct alleged which artificially inflated the market price of Facebook 26 common shares. 27 28 23 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 24 of 26 1 2 74. By reason of the above conduct, the Individual Defendants are liable pursuant to Section 20(a) of the Exchange Act for the violations committed by Facebook. 3 4 5 PRAYER FOR RELIEF WHEREFORE, Plaintiff demands judgment against Defendants as follows: A. Determining that the instant action may be maintained as a class action under Rule 23 of 6 7 8 9 10 11 the Federal Rules of Civil Procedure, and certifying Plaintiff as the Class representative; B. Requiring Defendants to pay damages sustained by Plaintiff and the Class by reason of the acts and transactions alleged herein; C. Awarding Plaintiff and the other members of the Class prejudgment and post- judgment interest, as well as their reasonable attorneys’ fees, expert fees and other costs; and 12 13 D. Awarding such other and further relief as this Court may deem just and proper. DEMAND FOR TRIAL BY JURY 14 15 16 Plaintiff hereby demands a trial by jury. Dated: March 20, 2018 Respectfully submitted, 17 18 POMERANTZ LLP 19 By: /s/ Jennifer Pafiti Jennifer Pafiti (SBN 282790) 468 North Camden Drive Beverly Hills, CA 90210 Telephone: (818) 532-6499 E-mail: jpafiti@pomlaw.com 20 21 22 23 POMERANTZ, LLP Jeremy A. Lieberman J. Alexander Hood II 600 Third Avenue, 20th Floor New York, New York 10016 Telephone: (212) 661-1100 Facsimile: (212) 661-8665 E-mail: jalieberman@pomlaw.com E-mail: ahood@pomlaw.com 24 25 26 27 28 24 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 25 of 26 1 5 POMERANTZ LLP Patrick V. Dahlstrom Ten South La Salle Street, Suite 3505 Chicago, Illinois 60603 Telephone: (312) 377-1181 Facsimile: (312) 377-1184 E-mail: pdahlstrom@pomlaw.com 6 Attorneys for Plaintiff 2 3 4 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 25 Case 3:18-cv-01725 Document 1 Filed 03/20/18 Page 26 of 26 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 {00221758;3 }