On Facebook, Inc. v. Amalgamated Bank

In December 2015, The Guardian revealed that Cambridge Analytica had harvested data from 30 million Facebook users through a personality quiz created by employee Aleksandr Kogan. This data was used to create "psychographic profiles" of Facebook users initially sold to Ted Cruz's presidential campaign and later used by Donald Trump's presidential campaign. Though Cambridge Analytica agreed to delete this data in January 2016, reporters discovered in October that the firm continued using it despite its commitments. The breach remained largely contained until March 2018, when public revelations about Cambridge Analytica's continued data misuse caused Facebook's stock to plummet, harming investors alongside the users whose data was compromised.

Investors brought suit under Section 10(b) of the Securities Exchange Act of 1934 and SEC Rule 10b-5, alleging that Facebook materially misled them by characterizing data breaches as hypothetical risks in its 2016 Form 10-K when the company knew Cambridge Analytica had already improperly accessed user data. The case, Facebook v. Amalgamated Bank, was centered around a fundamental question: when does a company's characterization of a risk as hypothetical become misleading because the risk has already materialized? This question tests the boundaries of the statutory prohibition against making "any untrue statement of a material fact" or omitting material facts "necessary in order to make the statements made, in light of the circumstances under which they were made, not misleading." The Ninth Circuit ruled that investors adequately pleaded falsity, reasoning that Facebook's warnings about risks that "could" harm its business directly contradicted what the company knew when it filed its 2016 10-K. The Supreme Court granted certiorari in June 2024 and heard oral arguments in November, but just two weeks later issued a one-line order dismissing the writ as "improvidently granted" — a rare procedural move essentially admitting the Court should not have taken the case in the first place.

The Supreme Court's reticence to rule on the case became apparent during oral argument, where the Justices struggled to pinpoint the exact legal issue at stake. Facebook had portrayed the matter as a question of whether risk disclosures must include past incidents — even when they present "no known risk of ongoing or future business harm." Rather than focusing on the circuit split that Facebook emphasized in its petition for certiorari, the panel instead explored a series of hypotheticals to determine when conditional statements about future risks — if X then Y — suggest that X has not yet occurred. Justice Thomas suggested that a reasonable person would infer from Facebook's risk warnings that no data breaches had previously occurred, while Justices Sotomayor and Jackson likened Facebook's disclosures to a realtor warning about future crime risks without mentioning recent neighborhood burglaries. Even Chief Justice Roberts and Justice Kavanaugh, who seemed more inclined to support Facebook's position, found it challenging to establish a clear standard for when omitting past events renders a risk disclosure misleading. The Justices' overall uncertainty seems to have contributed to their conclusion that the case was a poor vehicle for resolving the purported circuit split that Facebook had highlighted in its petition for certiorari.

The court’s dismissal of its own certiorari reflects a guiding principle of securities law: context matters in determining whether statements are materially misleading. By declining to craft a bright-line rule, the Court effectively endorsed the case-by-case approach articulated in the Ninth Circuit's opinion, which aligned with In re Alphabet Securities Litigation in recognizing that "risk disclosures that speak entirely of as-yet-unrealized risks and contingencies and do not alert the reader that some of these risks may already have come to fruition can mislead reasonable investors." This approach requires courts to examine each statement in its full context, considering what a reasonable investor would infer from both what was said and what was omitted. The practical implication for public companies is that generic forward-looking risk factor language may constitute securities fraud when the company possesses specific internal knowledge contradicting these characterizations, particularly when those risks have already begun to materialize.

The Court's reluctance to wade into this dispute also reflects concerns about the role of the judicial branch in securities regulation. Justice Kavanaugh explicitly questioned why "the judiciary [should] walk the plank on this [. . .] when the SEC could do it," noting that “[t]he SEC knows how to write regulations that require disclosure of past events.” This judicial modesty also appeared in the Roberts court’ approach to NVIDIA Corp. et al. v. E. Ohman J:or Fonder AB et al.: like the Facebook case, the Courts initially granted certiorari before dismissing it as improvidently granted in December 2024. Ultimately, the Court left it to lower courts — and regulators — to decide when forward-looking disclosures become materially misleading.