In re Okta, Inc. Securities Litigation, No. 3:2022cv02990 - Document 73 (N.D. Cal. 2023)
Court Description: ORDER GRANTING IN PART AND DENYING IN PART DEFENDANTS' MOTION TO DISMISS (adding due date) (Illston, Susan) (Filed on 3/31/2023)
Download PDF
<![CDATA[
1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 7 8 9 Case No. 22-cv-02990-SI IN RE OKTA, INC. SECURITIES LITIGATION, 10 Re: Dkt. No. 56 11 United States District Court Northern District of California ORDER GRANTING IN PART AND DENYING IN PART DEFENDANTS’ MOTION TO DISMISS 12 13 14 On March 17, 2023, the Court held a hearing on defendants’ motion to dismiss the amended 15 complaint. For the reasons set forth below, the Court GRANTS IN PART and DENIES IN PART 16 the motion, and GRANTS Lead Plaintiff leave to amend. Any amended complaint shall be filed by 17 April 28, 2023. 18 INTRODUCTION 19 20 This securities fraud case is brought by Lead Plaintiff Nebraska Investment Council, on 21 behalf of itself and a putative class of those who purchased the publicly traded Class A common 22 stock of Okta, Inc. (“Okta”) during the period from September 1, 2021, through September 1, 2022, 23 inclusive (“Class Period”). Dkt. No. 48 (“AC”) at 1.1 This action arises from two main events and 24 their aftermath: Okta’s acquisition of Auth0, Inc. (“Auth0”) in May 2021, and a data security 25 26 27 28 1 References to the complaint are to the Amended Class Action Complaint, filed October 13, 2022, at Docket No. 48. For purposes of this motion to dismiss, the Court treats as true Lead Plaintiff’s allegations in the complaint and construes these allegations in the light most favorable to Lead Plaintiff, the nonmoving party. See Parks Sch. of Bus., Inc. v. Symington, 51 F.3d 1480, 1484 (9th Cir. 1995). United States District Court Northern District of California 1 incident that occurred in January 2022 but that was not disclosed until late March 2022. 2 Defendant Okta is a data security company that “provides identity and access management 3 (‘IAM’) software that helps companies secure user authentication into applications, and for 4 developers to build identity controls into applications, website web services, and devices. Okta 5 primarily markets the Okta Identity Cloud as a one-stop solution that provides data security for an 6 organization’s workforce.” Id. ¶¶ 2–3. Okta is a “‘growth company,’ i.e., a company that prioritizes 7 growth over profits.” Id. ¶ 4. The complaint alleges that Okta has yet to report any net income since 8 its initial public offering in 2017. Id. ¶ 51. Also named as defendants in this case are Okta’s Chief 9 Executive Officer and Co-Founder Todd McKinnon; current Chief Financial Officer Brett Tighe; 10 and current Executive Vice Chairman, Chief Operating Officer, and Co-Founder Frederic Kerrest 11 (collectively, the “individual defendants”). Id. at 1. 12 Lead Plaintiff alleges that defendants made numerous false and misleading statements and 13 omissions in filings with the Securities and Exchange Commission (“SEC”); in press releases and 14 in interviews with the media; at technology conferences; and during quarterly investor calls 15 throughout the Class Period. 16 Defendants move to dismiss the complaint, asserting that Okta consistently warned investors 17 of the challenges it faced with the acquisition of Auth0 and the integration of its sales team. Dkt. 18 No. 56 (“Mot.”) at 1. Defendants also argue that Lead Plaintiff misapprehends the January 2022 19 security incident, and that hackers were unsuccessful in actually breaching Okta’s or its customers’ 20 systems, and that Okta “promptly reported everything it knew about the intrusion[.]” Id. Defendants 21 contend, inter alia, that none of the statements challenged were false or misleading when made, that 22 Lead Plaintiff has not pled fraud with particularity, and that many of the challenged statements are 23 inactionable puffery, forward-looking, or opinions. Defendants further argue that Lead Plaintiff 24 fails to plead that the individual defendants acted with the requisite scienter. 25 BACKGROUND 26 27 28 I. Acquisition of Auth0 in May 2021 and Resulting Problems On March 3, 2021, prior to the start of the Class Period, Okta announced that it would acquire 2 United States District Court Northern District of California 1 Auth0 in a stock transaction valued at approximately $6.5 billion. AC ¶ 58. Auth0 “provided 2 customer identity and access management (‘CIAM’) software, as opposed [to] the IAM software 3 that Okta primarily provided for an employer’s workforce.” Id. ¶ 5. Additionally, where Okta 4 focuses “on pre-built, pre-configured solutions[,] . . . Auth0 is more focused on purpose-built 5 application developers.” Id. ¶ 59. In a press release, Okta explained that the Auth0 acquisition 6 would “complement Okta’s growth in the CIAM market.” Id. ¶ 58. 7 On May 3, 2021, Okta announced the successful completion of the Auth0 acquisition. Id. 8 ¶ 61. Plaintiff alleges, however, that “soon after the close of the acquisition, Okta began to 9 experience severe problems with the integration of Auth0” but failed to disclose these problems to 10 investors. See id. ¶ 8. According to CW2, a former Auth0-turned-Okta Senior Vice President, “the 11 integration process began as promising, but ultimately ‘did not go well at all’ and was a ‘complete 12 nightmare.’” Id. ¶¶ 39, 78. 13 These problems primarily took the form of employee attrition and difficulty integrating the 14 sales teams. The complaint alleges that “[i]mmediately after the acquisition of Auth0, Okta began 15 to shed senior employees.” Id. ¶ 63. According to CW4, a former Account Executive, “Auth0 16 employees started to leave Okta ‘not long after May or June’ 2021.” Id. ¶¶ 41, 66. Around August 17 2021, former Auth0 CEO (now Okta’s President of Customer Identity) Eugenio Pace announced in 18 an internal letter that senior leadership was leaving the company. Id. ¶ 65 & n.13. Auth0 executives 19 who departed around this time included the Chief Legal Officer, the Chief Human Resources 20 Officer, and the Chief Financial Officer. Id. Auth0’s former Chief Revenue Officer decided to stay 21 at Okta for a few months following the acquisition but “made it clear that he was leaving the 22 company.” Id. ¶ 65. CW5, an Account Executive during the Class Period, stated that Okta’s Chief 23 Revenue Officer (Steve Rowland) and the new President of Worldwide Field Operations (Susan St. 24 Ledger) “‘pushed out’ all of the ‘founding fathers’ of Okta as well as other employees that helped 25 build the Company—approximately 75-80% of the VPs and SVPs.” Id. ¶¶ 42, 67, 80. CW6, a 26 Senior Solutions Engineer employed by Okta from February 2019 through December 2021, 27 described a “‘mass exodus’ of salespeople – both Okta and Auth0 employees – after Auth0 was 28 acquired, around fall 2021.” Id. ¶¶ 43, 68. 3 1 On September 1, 2021, the first day of the Class Period, Defendant McKinnon announced 2 in an earnings call that the company was accelerating the timeline to unify the Okta and Auth0 sales 3 teams, moving the integration up to the start of the new fiscal year in February 2022. Id. ¶ 73. 4 McKinnon stated: We’ve made the decision to accelerate the timeline for integrating the sales organizations under Susan St. Ledger’s leadership to the beginning of the new fiscal year in February. This move will allow the unified sales team to sell both platforms and benefits customers by providing more options to meet their unique use cases. . . . 5 6 7 8 Id. 9 10 United States District Court Northern District of California 11 The complaint alleges that “[a]s the Class Period progressed and Auth0 employees continued to exit the Company, Okta created and adopted an integration plan.” Id. ¶ 77. According to CW2, “the first phase of the integration plan originally involved the integration of the go-to-market (GTM) 12 teams at each company (this included the sales and marketing teams), which was set to occur on 13 14 February 1, 2022 . . . .” Id. ¶ 78. CW2 stated that this integration plan called for retaining 200 to 300 Auth0 employees as “specialists” who would train and educate Okta employees on Auth0 15 products for approximately one year. Id. ¶¶ 79, 81. Auth0 employees would continue to sell Auth0 16 products, while Okta employees would continue selling Okta products, “with additional sales staff 17 brought on to help meet goals.” Id. ¶ 79. CW2 stated that both Okta and Auth0 senior executives 18 signed off on the integration plan and that weekly calls occurred throughout the planning period. 19 Id. ¶ 80. 20 21 22 23 24 In late 2021, according to CW2, Okta’s “finance team determined there was ‘no way’ that the integration plan was ‘humanly possible’ for FY2024 and ‘completely shut it . . . down.’”2 Id. ¶ 81. Now, the Auth0 sales employees would be “generalists” rather than specialists, and Okta and Auth0 employees would be expected to sell each other’s products, despite having no knowledge of or training on each other’s products. Id. ¶¶ 81–82. “CW2 recalled being informed of the decision 25 to scrap the integration plan around December 2021, but employees were not informed until several 26 27 28 2 It is unclear whether the reference in the complaint to FY2024 is a typo, as the allegations state that the integration plan was to go into effect at the start of fiscal year 2023. 4 United States District Court Northern District of California 1 weeks later in approximately mid-January 2022, two weeks before the integration was supposed to 2 go into effect.” Id. ¶ 83. 3 Meanwhile, Okta publicly touted the success of its acquisition of Auth0. In a press release 4 issued September 1, 2021, Defendant McKinnon is quoted as stating, “In our first quarter as a 5 combined company with Auth0, we’re off to a fantastic start.” Id. ¶¶ 71, 134. In an earnings call 6 that same day, McKinnon stated, “It’s been less than four months since we closed the acquisition of 7 Auth0, but we’ve already made a lot of progress and learned quite a bit. . . . [W]hen you think about 8 us plus Auth0, it is going very well.” Id. ¶¶ 72, 135. A few weeks later, at the Piper Sandler Virtual 9 Global Technology Conference, Defendant Kerrest stated, “So the integration has gone very well. 10 We’re about 4 months in. We’re pretty good at execution. So we had some pretty good goals for 11 ourselves, but I think we’ve been beating even those, which is great.” Id. ¶ 140. Likewise, on 12 September 15, 2021, Defendant McKinnon stated at the Citi Global Virtual Technology Conference, 13 “We’re benefiting a lot on that from our -- we have the acquisition of Auth0, we completed back in 14 May. We’re really getting into the integration now.” Id. ¶ 142. Plaintiff alleges that these 15 statements were false and misleading because defendants knowingly or recklessly omitted the 16 material fact that the company had already lost senior Auth0 and key Okta employees who were 17 critical to the success of the integration. Id. ¶¶ 137, 141. 18 19 20 21 22 23 24 25 26 27 28 Plaintiff also contends that Okta’s risk disclosures filed with the SEC during the Class Period were false and misleading. The risk disclosures all contained the following statements: The acquisition of Auth0 (the “Acquisition”) could cause disruptions to our business or business relationships, which could have an adverse impact on results of operations. . . . We may not realize potential benefits from the Acquisition because of difficulties related to integration, the achievement of synergies, and other challenges. Prior to the consummation of the Acquisition, we and Auth0 operated independently, and there can be no assurances that our businesses can be combined in a manner that allows for the achievement of substantial benefits. Any integration process may require significant time and resources, and we may not be able to manage the process successfully as our ability to acquire and integrate larger or more complex companies, products or technologies in a successful manner is unproven. If we are not able to successfully integrate Auth0’s businesses with ours or pursue our customer and product strategy 5 successfully, the anticipated benefits of the Acquisition may not be realized fully or may take longer than expected to be realized. Further, it is possible that there could be a loss of our and/or Auth0’s key employees and customers, disruption of either company’s or both companies’ ongoing businesses or unexpected issues, higher than expected costs and an overall post completion process that takes longer than originally anticipated. 1 2 3 4 Id. ¶¶ 138 (Form 10-Q dated Sept. 2, 2021), 153 (Form 10-Q dated Dec. 2, 2021) (emphases in 5 complaint); see also id. ¶¶ 159 (Form 10-K dated Mar. 7, 2021), 165 (Form 10-Q dated June 3, 6 2022).3 Lead Plaintiff alleges that “[t]hese risk disclosures were false and misleading because 7 Defendants knew or recklessly disregarded that these risks had already materialized. Specifically, 8 Defendants knew or recklessly disregarded the fact that senior Auth0 and key Okta employees had 9 already left the Company.” Id. ¶ 139; see also id. ¶¶ 154, 160, 166. 10 11 United States District Court Northern District of California II. Security Incident in January 2022 12 According to the complaint, Okta, which prides itself on making data security a priority, 13 14 15 16 17 18 19 20 “was not properly securing its administrative tools for monitoring customer tenants.” 4 AC ¶¶ 97– 98. CW6 explained that Okta had a “SuperUser tool” that “provided access to any customer in any Okta tenant anywhere in the world” and which “allowed pre-sale engineers and customer support employees to control and monitor customer tenants.” Id. ¶ 98. However, “there was no formal request or vetting process for becoming a SuperUser.” Id. ¶ 99. According to CW6, the newer and less experienced managers in the company handed out SuperUser access “like candy.” Id. The complaint states that “CW6 went on to suggest that the SuperUser tool should have been more closely guarded against hackers[,]” such as by restricting employees from accessing the tool from 21 their home laptops or through tighter controls on home laptops themselves. Id. ¶ 100. CW7 22 23 similarly “advised that it seemed too easy for anyone to access these administrative tools.” Id. ¶ 102. According to CW7, there “wasn’t much of a vetting process” to become a SuperUser, and the 24 SuperUser tool required no additional training or security measures. Id. 25 26 27 28 3 Lead Plaintiff explains that the statements highlighted in bold and italics in the complaint are those that Lead Plaintiff alleges were false or misleading. AC ¶ 133. “Tenants” in this context are comparable to “virtual servers” that Okta customer support personnel had access to for troubleshooting and monitoring purposes. AC ¶ 98 n.16. 6 4 United States District Court Northern District of California 1 The complaint additionally alleges that “Okta failed to require third parties, such as sub- 2 processors and Solutions Engineers, to comply with the security requirements that are fundamental 3 to Okta’s business.” Id. ¶ 103. “For example, Okta adopted, and strongly recommended that its 4 customers adopt, a ‘Zero Trust’ security architecture.” Id. “Zero Trust” meant that security did not 5 operate on the assumption that there was a “trusted” internal network and an “untrusted” external 6 network but that Okta would “securely enable access for the various users . . . regardless of their 7 location, device or network.” Id. 8 On January 21, 2022, hackers known as LAPSUS$ “were able to access Okta resources after 9 they compromised one of the Company’s third-party support vendors[.]” Id. ¶ 104. According to 10 the complaint, the hackers were “able to access Okta resources to view information from the 11 Company’s active customer tenants. However, . . . notwithstanding their knowledge of the data 12 breach, Defendants failed to disclose the January 2022 Breach for another two months.” Id. 13 14 15 16 17 18 19 20 21 22 23 24 On March 7, 2022, Okta filed its Form 10-K for fiscal year 2022 with the SEC. Id. ¶ 159. In it, Okta provided the following risk language related to data security: Security is a mission-critical issue for Okta and for our customers. Our approach to security spans day-to-day operational practices from the design and development of our software to how customer data is segmented and secured within our multi-tenant platform. We ensure that access to our platform is securely delegated across an organization. . . . The Okta Identity Cloud is monitored not only at the infrastructure level but also at the application and third-party integration level. Synthetic transaction monitoring allows our technical operations team to detect and resolve issues proactively. . . . . . . A summary of our risks includes, but is not limited to, the following: . . . • An application, data security or network incident may allow unauthorized access to our systems or data or our customers’ data, disable access to our service, harm our reputation, create additional liability and adversely impact our financial results. 25 26 27 28 Id. Plaintiff alleges these statements “were materially false and misleading because these risks had already materialized. Specifically, Okta had experienced the January 2022 Breach due to unsecured administrative tools used for monitoring cloud tenants and the failure to require sub-processors to 7 1 comply with Okta’s fundamental security requirements.” Id. ¶ 160. 2 On March 21, 2022, “LAPSUS$ posted screenshots on their telegram channel showing what 3 they claimed was Okta’s internal company environment.” Id. ¶ 105. On March 22, 2022, at 4:23 4 a.m., Defendant McKinnon posted the following statement on his Twitter account: 5 In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. (1 of 2) 6 7 We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January. (2 of 2) 8 United States District Court Northern District of California 9 10 Id. ¶ 106. Okta’s stock price fell $2.98 per share, or 1.76%, to close at $166.43 on March 22, 2022. 11 Id. ¶ 107. 12 Later in the day on March 22, Okta’s Chief Security Officer David Bradbury issued several 13 blog posts on the security incident. According to the complaint, “[i]n this post, Bradbury admitted 14 that Okta first detected the January 2022 Breach in January.” Id. ¶ 108. In a follow-up post, 15 Bradbury stated that “approximately 2.5%” of Okta’s customers had “potentially been impacted and 16 whose data may have been viewed or acted upon.”5 Id. Raymond James downgraded Okta from 17 “strong buy” to “market perform,” stating, “[w]hile partners were willing to trust Okta’s track 18 record, the handling of this latest security incident adds to our mounting concerns.” Id. ¶ 109. As 19 a result of the Raymond James downgrade and Okta’s update after the close of market, Okta’s stock 20 price fell $17.88 per share, or 10.74%, to close at $148.55 on March 23, 2022. Id. ¶ 110. The 21 complaint alleges, “On March 25, 2022, Okta acknowledged that it sat on this information for almost 22 two months before stating, ‘We want to acknowledge that we made a mistake.’” Id. ¶ 111. 23 24 III. Customer Responses 25 Several of the confidential witnesses described the fallout after the security incident was 26 revealed. According to CW3, a Corporate Account Executive whose territory covered half of 27 28 5 A CNN article published March 23, 2022, estimated that because Okta had over 15,000 customers, 2.5% would equate to hundreds of clients potentially impacted. AC ¶ 108. 8 United States District Court Northern District of California 1 Dallas, “the Company was saying that they were losing sales because of the breach, and CW3 noted 2 that the breach did come up with every customer she spoke with, and the Company distributed 3 ‘talking points’ to employees on how to ‘downplay’ the breach. CW3 described the breach as ‘one 4 of many hurdles’ that were necessary to clear to achieve a successful sale.” AC ¶ 113. “Similarly, 5 CW4 recalled that prospective customers were deciding against doing deals with Okta after the 6 breach.” Id. ¶ 114. CW4 was an Account Executive based in Europe who was employed by the 7 company until the first quarter of fiscal year 2023. Id. ¶ 41. CW8, a Senior Account Executive 8 whose clients were based in the New York City area, also “advised that Okta customers reacted 9 negatively to the data breach that Okta disclosed in March 2022.” Id. ¶¶ 45, 115. Following the 10 breach, Okta customers were unwilling to expand their contracts and “express[ed] that they were no 11 longer comfortable spending additional money with Okta[.]” Id. ¶ 115. The negative customer 12 reaction impacted CW8’s ability to meet quotas; although “CW8 could not quantify the amount of 13 lost business, . . . she suggested it might have been ‘tens of thousands of dollars’ in lost business.” 14 Id. This compounded Okta’s struggles in the wake of the faltering Auth0 integration. 15 On June 8, 2022, Defendant McKinnon gave a CNBC interview, where he discussed 16 customer reaction to the security incident and what the company had done to repair those 17 relationships. During the interview, McKinnon stated: 18 19 20 21 22 23 24 25 26 27 28 And anytime there’s any kind of hack, whether it’s to a third party or what any kind of talk of a breach, there’s a lot of concerns in the [sic] in the customer base because this is about trust. So, the first thing we did is we had these conversations. We talked to over 1000 customers face to face over, [sic] over video and had these conversations. I personally talked [sic] over 400. And got a ton of feedback about what we could do better, how we could make sure that our support environment was not insecure, to make sure that we communicate better, to make sure that we are instill [sic] this trust. At the end of the [sic], I think we’ve been able to do that. ... We’re committed to making this a $4 billion a year company by fiscal year, fiscal year 26. So, that’s, that’s coming up quickly. So, we have to invest to grow to that scale and we’ve always done it with a balance of efficiency. We’ve always made sure that our, that our growth rate and our [sic] and our cash flow generation was balanced towards that goal. So, we think we’re drawing the right balance to capture this market opportunity. And I think over time you’re going to see a very highly scaled profitable company that’s going to help customers and capitalize on this big market opportunity. 9 1 Id. ¶¶ 167–68 (underlined [sic]’s added by the Court). 2 3 IV. Disclosure of Attrition and Integration Challenges 4 On August 31, 2022, after the close of the trading day, Okta held its second quarter earnings 5 call. AC ¶ 126. Lead Plaintiff alleges that it was on this call that “Defendants finally disclosed 6 issues related to the integration of Auth0.” Id. Explaining the “mixed” financial results for that 7 quarter, Defendant McKinnon stated, in part: 8 And the third area we examined was impact from the integration of the Okta and Auth0 sales teams, which occurred at the beginning of this fiscal year. When talking about Auth0, it’s important to revisit the strategic rationale of why we acquired Auth0. Individually, Okta and Auth0 were leading identity providers. Together, we offer the most comprehensive identity platform in the market that is unmatched competitively and creates powerful longterm network effects for us and for our customers. Organizations around the globe are looking for scalable and secure ways to digitally interact with our customers. Together with Auth0, we win the customer identity market faster and accelerate our vision of establishing Okta as a primary cloud. 9 10 United States District Court Northern District of California 11 12 13 14 Integrations are always difficult and touch every part of an organization. While we are making progress, we’ve experienced heightened attrition within the go-to-market organization as well as some confusion in the field, both of which have impacted our business momentum. In order to improve our performance going forward, we’ve implemented a number of action items. For starters, we’re committed to stem attrition within our go-tomarket team. This is a top priority for me and my staff, and we’re in lockstep on actions to take. This includes making changes to our organizational structure to better align on our strategy, increased sales training and enablement and also improving the comp structure for the go-to-market team to ensure they feel set up for success. 15 16 17 18 19 20 21 Id. 22 In response to a question about the integration of the Auth0 and Okta sales teams, McKinnon 23 replied: 24 27 Yes, for sure. Thanks for the question. I think there’s -- in terms of -I’ll start first with sales organization. The big change on the sales organization was at the beginning of this fiscal year, so Feb 1, and that’s where we took the Auth0 sales team that sold as an independent group all through last year for the first three quarters of the -- after the acquisition and we combine them together with the Okta sales team. 28 And so, the idea there is that hundreds and hundreds of Okta reps 25 26 10 sell the whole portfolio, Okta plus Auth0. And then the Auth0 reps that came over sold the Okta portfolio and Auth0 portfolio. So that was a really significant step in the integration. In terms of -- one thing I want to clarify is that Freddy [Kerrest] doesn’t manage the sales team. 1 2 3 *** I think the headwinds are really about how do you take those hundreds and hundreds of reps and make them productive selling both customer identity cloud and workforce identity cloud, and there’s a couple of things that go into that. The first thing is that we really have to reach a new buyer for Okta, which is -- Okta traditionally was about CIOs and CISOs. But for customer identity to be successful, we have to reach VPs of technologies, CTOs, all of the chief marketing officers, chief digital officers, the whole suite of Csuite executives that will -- if we win them all and we have an identity platform for all those use cases, we can better achieve our goal of being the primary cloud and the primary piece of their strategic landscape going forward. 4 5 6 7 8 9 10 Id. ¶ 127. 11 United States District Court Northern District of California Defendants McKinnon and Tighe also told investors on the call that Okta was reevaluating 12 its current year billings outlook and its FY26 targets. McKinnon stated: 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Yes, it’s a great question. On the first part of your question, so the $4 billion FY ‘26 target, if we’re going to achieve that, when we’re going to achieve that, we have to have a successful customer identity cloud. And so as we reevaluate in the short-term how to keep that momentum going, I think it’s prudent to make sure that we reevaluate that target given the short-term changes that we’re optimizing for the customer at a cloud. And then -- and we’re committed to coming back to everyone on the next earnings call with a very detailed refined version of that -- of those commitments and that target, I think it’s very important. So, that’s the first thing. And then on the second thing, the sequence of events here, I think, which is important for everyone to understand is that the sales teams were integrated this year. So, it’s really 6 months of information and learnings that we have to iterate on this thing. It’s not -- last year, Auth0 ran as a separate sales team, and they had a great year. So, we know there’s market fit. We know we can grow this thing. It’s just about the integration of the sales teams and what that drove in terms of attrition, and some of the things we’ve talked about in terms of optimizing how we get that back on track to achieve this strategic imperative, which is we have to be the winner and the opportunity is tremendous in this long-term customer identity market. Id. ¶ 128. Defendant Tighe stated: . . . We will continue providing a full year billings outlook for FY ‘23 before discontinuing any reference to billings in FY ‘24. We are lowering our calculated billings outlook for the year by 11 approximately $140 million due to the outlook headwinds outlined earlier. We now expect calculated billings for FY ‘23 to be approximately $2.04 billion to $2.05 billion, representing growth of 27% when viewed on a like-for-like basis or 19% on an as-reported basis. 1 2 3 Given our near-term outlook, coupled with the uncertainties of the evolving macro environment, we are reevaluating our FY ‘26 targets at this time. Having said that, we will continue to balance growth and profitability, and we look forward to updating you on our long-term outlook on the Q3 earnings call. 4 5 6 Id. ¶ 129. 7 The complaint states, “On this news, the price of Okta’s stock fell dramatically overnight to 8 [sic] $22.25 per share, or over 24.3%, to open at $69.15 on September 1, 2022.” Id. ¶ 130. 9 On September 1, 2022, Defendant McKinnon was interviewed on TechCheck, where, 10 according to the complaint, “he reaffirmed that Okta was having issues obtaining new customers.” 11 United States District Court Northern District of California Id. ¶ 202. McKinnon stated, 12 21 Yeah, we have had a little bit of higher-than-average attrition in the sales team and that driving [sic] some of the near-term mixed results. I think when you look at the quarter though I think there are sales people being successful at Okta. We had a record number of $1,000,000 plus deals in the quarter and so on we had great customer retention our net retention percussion which is really emblematic of customer success is 120% plus so there’s a lot of success going on but when you think about trying to reach this new buyer and bringing two sales forces together and [sic] and sort of trying to broaden that appeal in this C suite of every organization in the world that’s challenging in [sic] a little bit more challenging than we thought it would be so we’re gonna work through those issues can [sic] move forward. I think on your macro question, we are seeing a little bit of macro change a little bit of lengthening sale cycles but, I think big picture wise that’s [sic] that’s a very small part of our mixed results, and we have a lot of these corrective actions we’re taken [sic] in short term are going to yield to a lot of positive momentum in the future. 22 Id. (underlined [sic]’s added by the Court). The price of Okta’s stock fell an additional $8.55 per 23 share that day, or over 12.3%, to close at $60.60 by the close of trading on September 1, 2022. Id. 24 ¶ 24. 13 14 15 16 17 18 19 20 25 26 V. Filing of This Lawsuit 27 On May 20, 2022, plaintiff City of Miami Fire Fighters’ and Police Officers’ Retirement 28 Trust filed suit against Okta and five individual defendants regarding the January 2022 data security 12 1 incident. Dkt. No. 1 (alleging class period of March 5, 2021, to March 22, 2022, inclusive). On 2 August 26, 2022, the Court appointed Nebraska Investment Council as Lead Plaintiff. Dkt. No. 39. 3 On October 13, 2022, Lead Plaintiff filed an amended class action complaint, which is now the 4 operative complaint, adding allegations regarding the Auth0 integration. See Dkt. No. 48. Alleging 5 that defendants committed fraud by making materially false statements and omissions throughout 6 the Class Period, Lead Plaintiff brings this securities fraud claim pursuant to Sections 10(b) and 7 20(a) of the Securities Exchange Act of 1934 (the “Exchange Act”) and Rule 10b-5(b) promulgated 8 thereunder by the SEC. Defendants now move to dismiss for failure to state a claim under Federal 9 Rules of Civil Procedure 9(b) and 12(b)(6). 10 United States District Court Northern District of California 11 LEGAL STANDARDS 12 To survive a motion to dismiss brought under Federal Rule of Civil Procedure 12(b)(6), “a 13 complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is 14 plausible on its face.” Telesaurus VPC, LLC v. Power, 623 F.3d 998, 1003 (9th Cir. 2010) (quoting 15 Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)). When evaluating a motion to dismiss, the Court need 16 not accept as true conclusory allegations, unwarranted deductions of fact, or unreasonable 17 inferences. In re Gilead Scis. Sec. Litig., 536 F.3d 1049, 1055 (9th Cir. 2008). Securities fraud 18 class actions must also “meet the higher, exacting pleading standards of Federal Rule of Civil 19 Procedure 9(b) and the Private Securities Litigation Reform Act (PSLRA).” See Tellabs, Inc. v. 20 Makor Issues & Rights, Ltd., 551 U.S. 308, 313–14 (2007). 21 Rule 9(b) requires a party alleging fraud or mistake to “state with particularity the 22 circumstances constituting fraud or mistake.” Fed. R. Civ. P. 9(b). The PSLRA further requires 23 that allegations based on false or misleading statements must also “specify each statement alleged 24 to have been misleading, the reason or reasons why the statement is misleading, and, if an allegation 25 regarding the statement or omission is made on information and belief, the complaint shall state 26 with particularity all facts on which that belief is formed.” 27 Additionally, the complaint must “state with particularity facts giving rise to a strong inference that 28 the defendant acted with the required state of mind” for “each act or omission.” Id. § 78u-4(b)(2)(A). 13 15 U.S.C. § 78u-4(b)(1)(B). United States District Court Northern District of California 1 To state a claim under Section 10(b) of the Exchange Act and SEC Rule 10b-5, the complaint 2 must plausibly allege: “(1) a material misrepresentation or omission by the defendant; (2) scienter; 3 (3) a connection between the misrepresentation or omission and the purchase or sale of a security; 4 (4) reliance upon the misrepresentation or omission; (5) economic loss; and (6) loss causation.” 5 Weston Family P’ship LLP v. Twitter, Inc., 29 F.4th 611, 619 (9th Cir. 2022) (citing Halliburton 6 Co. v. Erica P. John Fund, Inc., 573 U.S. 258, 267 (2014)). 7 To establish falsity under the first element, the misrepresentation or omission must either 8 “directly contradict what the defendant knew at that time” (i.e., is false) or “omit[ ] material 9 information” (i.e., is misleading). Khoja v. Orexigen Therapeutics, Inc., 899 F.3d 988, 1008–09 10 (9th Cir. 2018). Not all omissions are actionable. Id. at 1009. “Disclosure is required . . . only 11 when necessary ‘to make . . . statements made, in the light of the circumstances under which they 12 were made, not misleading.’” Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27, 44 (2011) 13 (quoting 17 CFR § 240.10b–5(b)). 14 “affirmatively create an impression of a state of affairs that differs in a material way from the one 15 that actually exists.” Brody v. Transitional Hosp. Corp., 280 F.3d 997, 1006 (9th Cir. 2002) (citation 16 omitted). “To fulfill the materiality requirement there must be a substantial likelihood that the 17 disclosure of the omitted fact would have been viewed by the reasonable investor as having 18 significantly altered the ‘total mix’ of information made available.” Miller v. Thane Int’l, Inc., 519 19 F.3d 879, 889 (9th Cir. 2008) (quoting TSC Indus., Inc. v. Northway, Inc., 426 U.S. 438, 449 (1976)) 20 (cleaned up). For a statement or omission to be misleading, it must 21 The “required state of mind” for scienter covers “‘intent to deceive, manipulate, or defraud,’ 22 [and] also ‘deliberate recklessness.’” Schueneman v. Arena Pharms., 840 F.3d 698, 705 (9th Cir. 23 2016) (citations omitted). To determine whether scienter has been adequately pled, the Court must 24 determine whether “all of the facts alleged, taken collectively, give rise to a strong inference of 25 scienter.” Tellabs, 551 U.S. at 310. Plaintiffs who “seek to hold individuals and a company liable 26 on a securities fraud theory” must “allege scienter with respect to each of the individual defendants.” 27 Oregon Pub. Emps. Ret. Fund v. Apollo Grp. Inc., 774 F.3d 598, 607 (9th Cir. 2014). 28 The Supreme Court’s decisions in Tellabs, 551 U.S. at 315–18, and Matrixx Initiatives, 563 14 United States District Court Northern District of California 1 U.S. at 37–49, dictate that courts not co-mingle the inquiries of falsity and scienter. Glazer Capital 2 Mgmt., L.P. v. Forescout Techs., Inc., No. 21-16876, 2023 WL 2532061, at *11 (9th Cir. Mar. 16, 3 2023). “[T]his means that we do not impute the strong inference standard of scienter to the element 4 of falsity; we do not require a ‘strong inference of fraud.’ Falsity is subject to a particularity 5 requirement and the reasonable inference standard of plausibility set out in Twombly and Iqbal, and 6 scienter is subject to a particularity requirement and a strong inference standard of plausibility.” Id. 7 If the Court dismisses a complaint, it must decide whether to grant leave to amend. The 8 Ninth Circuit has “repeatedly held that a district court should grant leave to amend even if no request 9 to amend the pleading was made, unless it determines that the pleading could not possibly be cured 10 by the allegation of other facts.” Lopez v. Smith, 203 F.3d 1122, 1130 (9th Cir. 2000) (citations and 11 internal quotation marks omitted). 12 DISCUSSION 13 14 15 16 I. Exchange Act Claims In the analysis that follows, the Court discusses only the disputed elements of Section 10(b): material misrepresentation or omission, and scienter. 17 18 A. Employee Attrition and the Auth0 Integration 19 Lead Plaintiff challenges as false or misleading roughly 15 statements regarding the Auth0 20 integration. See Opp’n at 12 (citing AC ¶¶ 134–36, 138, 140, 142, 150–51, 153, 155–57, 162–63, 21 165). The Court concludes that these allegations fail to point to a violation of the PSLRA because 22 they suffer from a lack of specificity, particularly with regard to timing, or else they do not give rise 23 to a strong inference of scienter. 24 25 1. Statements in September and Early December 2021 26 First, the complaint lacks particularized detail about the timing of the events that would show 27 that statements made in September and early December 2021 regarding employee attrition and the 28 Auth0 integration were false or misleading when made. The complaint challenges nine statements 15 United States District Court Northern District of California 1 that defendants made during that period. See Dkt. No. 61 (“Opp’n”) at 12 (citing AC ¶¶ 134–36, 2 138, 140, 142, 150–51, 153). The dates of these alleged misstatements range from September 1, 3 2021, through December 2, 2021. But the complaint lacks particularized allegations regarding what 4 happened and when. What we know from the complaint is that three Auth0 executives left around 5 August 2021. AC ¶ 65. A fourth executive decided to stay for the first few months after the 6 acquisition but, at some unspecified time, he “made it clear he was leaving the Company.” See id. 7 CW5 states that Okta’s Steve Rowland and Susan St. Ledger “‘pushed out’ all of the ‘founding 8 fathers’ of Okta as well as other employees that helped build the Company—approximately 75-80% 9 of the VPs and SVPs,” but CW5 does not say who these employees are and when they left.6 See id. 10 ¶¶ 67, 80. CW4 recalls “that Auth0 employees started to leave Okta ‘not long after May or June’ 11 2021.” Id. ¶ 66. The complaint alleges, via CW6, that there was a “mass exodus of salespeople” 12 from both Okta and Auth0 “around fall 2021.” Id. ¶ 68. According to the complaint, “CW1 also 13 recalled hearing that the board was reviewing attrition figures in light of the companies’ cultural 14 differences and was ‘very concerned.’ CW1 clarified that this probably happened around the fall of 15 2021.” Id. ¶ 221. The complaint alleges: “As the Class Period [beginning September 1, 2021,] 16 progressed . . . Okta created and adopted an integration plan” that would go into effect in February 17 2022. Id. ¶¶ 77–78. Then, “late in 2021,” Okta’s finance team determined there was “no way” the 18 original integration plan was “humanly possible” for FY2024 and shut it down. Id. ¶ 81. CW2 19 found out about the decision to abandon the integration plan “around December 2021,” and 20 employees were informed in mid-January 2022, two weeks before the integration would go into 21 effect. Id. ¶ 83. 22 Plaintiff’s theory is that the loss of senior Auth0 and key Okta employees, as well as the 23 “mass exodus” of the salesforce, caused Okta to abandon its original integration plan, and thus 24 defendants’ statements that the integration was going well were false or misleading. Even taking 25 all of Lead Plaintiff’s allegations as true, it appears that the departure of the three Auth0 executives 26 around August 2021 had no impact on the integration plan because, according to plaintiff’s own 27 28 The complaint states that Defendants McKinnon and Kerrest are “co-founders” of Okta. See AC ¶¶ 32, 34. They remain at the company. 16 6 1 chronology of events, the original integration plan wasn’t even created and approved until after the 2 start of the Class Period in September 2021, i.e., after these executives had already departed. See 3 id. ¶¶ 65, 77. It is further unclear from the timeline whether the “mass exodus” of sales employees 4 occurred prior to any of the statements that Okta made in September and early December 2021. 5 The vagueness around timing means that plaintiff has failed to state with particularity facts 6 giving rise to a reasonable inference that the statements regarding the Auth0 integration from 7 September and early December 2021 were false or misleading when made. The Ninth Circuit 8 recently held as much in Glazer Capital Management, L.P. v. Forescout Technologies, Inc. There, 9 the appellate court explained that 10 13 [a]lthough the CWs asserted that numerous layoffs occurred at some point in 2019, these statements are unclear as to the actual timeline at which company-wide layoffs occurred. Plaintiffs’ belief that company-wide lay-offs had already begun at the time the statements were made [on March 4, May 9, or August 7, 2019] is simply not supported by the CWs’ vague statements that layoffs occurred in ‘spring 2019,’ ‘summer 2019,’ or just ‘2019.’ 14 2023 WL 2532061, at *19 (analyzing allegations on a motion to dismiss). Likewise here, the only 15 statement regarding employee attrition that is tied to a particular time period after the original 16 integration plan was created is the statement of CW6 that there was a “mass exodus” of salespeople 17 “around fall 2021.” 7 See AC ¶ 68. “Around fall 2021” is not sufficiently particularized to render 18 statements made in September and early December 2021 false or misleading when made. United States District Court Northern District of California 11 12 19 Accordingly, the Court GRANTS, without prejudice, defendants’ motion to dismiss, with 20 regard to statements made in September and early December 2021 regarding employee attrition and 21 the Auth0 integration. 22 2. 23 24 Earnings Call Statements on March 2 and June 2, 2022 The complaint also alleges misstatements by the individual defendants on quarterly earnings 25 calls on March 2 and June 2, 2022. See AC ¶¶ 155–57, 162–63. Plaintiff alleges these were 26 misstatements because the mass exodus of employees meant that Okta could not maintain a team of 27 28 The “mass exodus” language is also attributed to CW5, but CW5 does not say which employees were leaving and when. See AC ¶ 90. 17 7 1 specialized staff for Auth0 products, and that Okta and Auth0 salespeople did not have the 2 knowledge required to sell each other’s products. Id. ¶¶ 158, 164. 3 On March 2, 2022, Defendant Tighe stated, 4 My second priority is ensuring that we continue the seamless integration of Auth0 across all facets of the company. Now that the back office and go-to-market teams have been fully integrated, we will continue to refine our systems and processes to ensure that the tremendous growth opportunity we see will be realized. We are off to a great start and recognize there is still a lot of work to do. 5 6 7 Id. ¶ 155. 8 Defendant Kerrest stated, in response to a question about the sales force integration, 9 Yes. We are -- thanks a lot for the question, Jonathan. We are very excited about the integration of Auth0. We’re very excited that it’s been done in just under a year from where we are because we actually announced the acquisition a year ago tomorrow. As – to start with, I think the most important point is the go-to-market organization, which we unified under Susan’s leadership on February 1. You heard Todd talk about one team, which I think is a great position to be in. We’ve put together a lot of the core systems that we’re using to run the business. Those are all running on one platform. So we have one pane of glass and good visibility into all that and how it’s working. There’s a couple more pieces we need to finish up in terms of ticking and tying some of the systems on the back end, but those are just making sure that we’re working as one organization going forward. 10 United States District Court Northern District of California 11 12 13 14 15 16 Id. ¶ 156. 17 On the same call, McKinnon stated, 18 What we’re getting is we’re getting synergy on the -- really on the sales side. So we have -- all of the Okta reps now can sell all the products. So we increased the capacity. We can -- we increased what they can actually sell. So there’s tons of upside from that. But Eugenio has a big job to do with the Auth0 product unit, driving that. They just delivered -- you heard the results. They delivered over 80% growth, and we expect them to produce a lot in the year ahead. 19 20 21 22 Id. ¶ 157. 23 Three months later, on an earnings call on June 2, 2022, Defendant McKinnon responded to 24 a question regarding the sales integration process as follows: 25 26 27 28 . . . We just celebrated the 1-year anniversary of joining forces with Auth0, which is great. And as we’ve said in the past, the key here is keeping the momentum going in both Okta and Auth0. Both businesses were doing very well, and that’s the continued focus. We’ve made a lot of progress as a combined company. Many parts of the back office functions were integrated over the course of FY’22, 18 which is great. And we started Q1 with the combination of go to -combining the go-to-market organizations. 1 I think there’s no real finish line when it comes to integrations. But I think we’re really focused on addressing this massive customer identity access management market in a way that, frankly, no other vendor can in terms of independence and neutrality, we have the only 2 modern public cloud solutions and certainly no in-house IT can. So I think we’ve made great progress. There’s still a little bit to do, but we’re in good shape. 2 3 4 5 6 7 Id. ¶ 162. On the same call, Defendant Tighe stated: 8 And any integration or acquisition and integration of 2 companies, the sales integration is one of the biggest milestones there are. And for this integration between Auth0 and Okta, 2 great sales teams being brought together, it’s no different, right? It was a great milestone for us. It was a big one for us, and we’re pleased with the progress, thus far. 9 10 11 United States District Court Northern District of California Id. ¶ 163. 12 Suspending for the moment the question of why Okta scrapped the original integration plan, 13 the complaint alleges with particularity that around December 2021 the company decided to 14 15 abandon the integration plan it had had in place for months, and that on just two weeks’ notice Auth0 and Okta sales employees found out they would sell each other’s products while lacking the training 16 to do so. CW2 was Senior Vice President and General Manager of the Americas, who worked for 17 18 19 the company from August 2018 until July 2022. Id. ¶ 39. CW2 was “intimately involved” in the Auth0 integration, spending “eight hours per day over a period of six or seven months putting together the integration plan.” Id. CW2 recalled that the original plan involved retaining Auth0 20 employees for approximately one year, while they continued to sell Auth0 products and train and 21 educate Okta employees on those products. Id. ¶¶ 78–79. Meanwhile, Okta employees would 22 continue selling Okta products. Id. ¶ 79. However, after Okta scrapped this plan around December 23 24 2021, sales employees were given just half a month’s notice before they would begin selling each other’s products, rather than one year of working together before Okta employees began selling 25 Auth0 products. See id. ¶¶ 81–83. According to CW2, neither Okta nor Auth0 employees had 26 knowledge of each other’s products and did not receive training or education on each other’s 27 products. Id. ¶ 92. 28 19 United States District Court Northern District of California 1 Having chosen to publicly tout the integration of the sales team, it was incumbent on 2 defendants “to do so in a manner that wouldn’t mislead investors, including disclosing adverse 3 information that cut[] against the positive information.” See Schueneman, 840 F.3d at 705–06 4 (quoting Berson v. Applied Signal Tech., Inc., 527 F.3d 982, 987 (9th Cir. 2008)) (internal quotation 5 marks omitted). For instance, Defendant Kerrest’s statement that “[t]here’s a couple more pieces 6 we need to finish in terms of ticking and tying some of the systems on the back end” makes it sound 7 like the company was just tying up loose ends, not that they needed to retrain the entire salesforce 8 in the basic functions of their jobs. See AC ¶ 155. Defendant Tighe similarly referred to the 9 integration as “seamless” and implied that “[n]ow that the back office and go-to-market teams have 10 been fully integrated,” all that remained to do was “refine our systems and processes[,]” which a 11 reasonable investor would not understand to mean retraining hundreds of employees. See id. ¶ 155. 12 Defendant McKinnon’s statement that they had “increased the capacity” of the sales reps and that 13 there’s “tons of upside from that” because “all of the Okta reps now can sell all the products” 14 likewise omits the material fact that the reps were not in fact capable of selling the products because 15 they lacked the knowledge and training to do so. See id. ¶ 157. 16 The Court disagrees with defendants’ characterization of these statements as inactionable 17 corporate puffery. “The statements went beyond mere optimism by providing a concrete 18 description” of the sales team integration. See Glazer Capital Mgmt., 2023 WL 2532061, at *15 19 (cleaned up). Defendants represented that the teams were now “fully integrated,” whereas Lead 20 Plaintiff alleges that “neither Okta employees nor Auth0 employees had knowledge of each other’s 21 products” at this point. AC ¶¶ 155, 164. 22 Nor do these allegations suffer from a lack of scienter. Whether or not the newly integrated 23 sales team that Okta touted was in fact trained to sell the products they were tasked to sell, following 24 the $6.5 billion acquisition of Auth0, is of such prominence “that it would be absurd to suggest that 25 top management was unaware of [it].” See Berson, 527 F.3d at 989 (citation and internal quotation 26 marks omitted). The Court finds the statements the individual defendants made on the March 2 and 27 June 2, 2022 earnings calls to be actionable under the facts alleged in the complaint and DENIES 28 defendants’ motion to dismiss claims based on these statements. 20 1 2 Risk Disclosures in March and June 2022 3 What remains, then, of the Auth0 integration statements are Lead Plaintiff’s allegations that 4 Okta’s risk disclosures in SEC filings in March and June 2022 were materially false or misleading. 5 In its Form 10-K filed March 7, 2022, and in its Form 10-Q filed June 3, 2022, Okta made the 6 following risk disclosure regarding the acquisition of Auth0: 7 9 Further, it is possible that there could be a loss of our and/or Auth0’s key employees and customers, disruption of either company’s or both companies’ ongoing businesses or unexpected issues, higher than expected costs and an overall post-completion process that takes longer than originally anticipated. 10 AC ¶¶ 159, 165. Lead Plaintiff alleges that this was materially false or misleading because 11 defendants knew that the risk warned of had already materialized, i.e., that defendants “knew or 12 recklessly disregard the fact that the Company had lost senior Auth0 and key Okta employees, who 13 were critical to the Auth0 integration and that, as a result, the Company could no longer maintain a 14 team of specialized staff for Auth0 products.” Id. ¶ 154. 8 United States District Court Northern District of California 3. 15 16 a. Misstatements 17 Although it is a close call, the Court agrees with defendants that the allegations here 18 regarding employee attrition are not sufficiently particularized to meet the pleading threshold of 19 Federal Rule of Civil Procedure 9(b) and the PSLRA. 20 With regard to the loss of senior executives, as already explained above, the complaint 21 alleges that three Auth0 executives departed before Okta even created the original integration plan, 22 so it cannot be that their departure is what caused the integration plan to fail. The complaint also 23 lacks any allegation that Okta represented that these executives would stay on, or that their departure 24 was not part of the acquisition plan. See AC ¶¶ 65, 67. The same is true of the allegation (untethered 25 to any time period) that Okta executives “pushed out” all of the (unnamed) “‘founding fathers’ of 26 Okta as well as other employees that helped build the Company—approximately 75-80% of the VPs 27 and SVPs.” See id. ¶ 67. In fact, as we know, two of Okta’s co-founders, McKinnon and Kerrest, 28 stayed on in their roles at the company. See id. ¶¶ 32, 34. 21 United States District Court Northern District of California 1 With regard to the loss of salespeople and Auth0 employees generally, the complaint is not 2 sufficiently specific to raise a reasonable inference that the March and June 2022 risk disclosures 3 were materially false or misleading when made. CW2 explained that Okta intended to retain 200 to 4 300 Auth0 sales employees and to bring on additional sales staff. Id. ¶¶ 79, 81. But the complaint 5 gives no concrete sense of how many employees were lost and on what timeline. For instance, the 6 complaint lacks context for CW1’s statement that “only about 15% of the Auth0 employees who 7 moved to Okta during the acquisition are still at the Company,” or for CW2’s statement that “there 8 are ‘very, very few’ Auth0 people left.” Id. ¶¶ 89, 92. Neither of these confidential witnesses 9 specify the time period they are referring to, and both CW1 and CW2 have since left the company. 10 See id. ¶¶ 38 (CW1 departed in April 2022), 39 (CW2 departed in July 2022). It is unclear from the 11 allegations whether they meant that there were few Auth0 people left as of the filing of the amended 12 complaint or at some earlier time. 13 Without more specifics, the Court cannot find that the complaint pleads with particularity 14 that the risk disclosure statements regarding possible employee attrition “affirmatively create[d] an 15 impression of a state of affairs that differ[ed] in a material way from the one that actually exist[ed].” 16 See Brody, 280 F.3d at 1006. 17 b. 18 Scienter 19 Moreover, the complaint does not allege with particularity what the individual defendants 20 knew regarding employee attrition and when. Although the defendants would certainly have known 21 about the departure of high-level executives, it is not clear when the attrition of line-level sales 22 employees would have risen to the point at which the individual defendants would have found out 23 or would have been reckless in not knowing. 24 The complaint is silent about the individual defendants’ knowledge of employee attrition 25 until the quarterly call on August 31, 2022, when Defendant McKinnon stated, “While we are 26 making progress, we’ve experienced heightened attrition within the go-to-market organization as 27 well as some confusion in the field, both of which have impacted our business momentum.” See 28 AC ¶ 194. 22 United States District Court Northern District of California 1 This statement does not, as plaintiff argues, provide proof of defendants’ earlier scienter. 2 The Ninth Circuit’s decision in Ronconi v. Larkin is instructive. 253 F.3d 423 (9th Cir. 2001), 3 abrogated on other grounds as explained in Glazer Capital, 2023 WL 2532061, at *11. There, the 4 plaintiffs alleged that the defendants’ statements attributing low third quarter earnings to post- 5 merger issues amounted to a “later statement by the defendant along the lines of ‘I knew it all 6 along.’” Id. at 432. The Ninth Circuit disagreed, explaining, “The statement does not support an 7 inference that company insiders knew or with deliberate recklessness disregarded that the problems 8 would be so substantial. . . . [T]he later statement admits only that the below-expectation earnings 9 in the third quarter were a result of the prior integration of the companies’ sales force, which 10 concedes no intentional or deliberately reckless falsehood or deception at all.” Id. Here too, 11 Defendant McKinnon’s August 31, 2022 statement attributing mixed financial results in part to 12 “heightened attrition” does not support the inference that the individual defendants acted with intent 13 or deliberate recklessness in issuing the earlier risk disclosures containing general warnings about 14 possible attrition. 15 Plaintiff also makes an argument for corporate scienter through the knowledge of Okta 16 executives Susan St. Ledger and Steve Rowland. Opp’n at 34 (citing AC ¶¶ 67, 80). Yet the 17 complaint is silent as to what these executives knew regarding attrition of the company’s salesforce, 18 other than stating that they were involved in weekly status updates and “signed off on everything” 19 regarding the integration plan. See AC ¶ 80. 20 Even viewing the allegations of the complaint holistically, the Court finds scienter regarding 21 employee attrition lacking. Plaintiff’s theory is that the loss of key executives and the mass exodus 22 of salespeople caused defendants to have to abandon their original integration plan. But the 23 complaint does not actually provide details to show this happened. The complaint implies—but 24 does not actually allege with specificity—that the decision in late 2021 to abandon the initial 25 integration plan was because of the departure of too many employees. On this, CW2 stated simply 26 that “the finance team determined that there was ‘no way’ that the integration plan was ‘humanly 27 possible’ for FY2024 and ‘completely shut it [the integration plan] down.’” Id. ¶ 81. And although 28 CW2’s perspective was that the integration plan “was ripped out at the eleventh hour,” the complaint 23 United States District Court Northern District of California 1 also states that the reason employees were not notified about the change until mid-January was so 2 as not to disrupt the fiscal year end. See id. ¶ 83 (internal quotation marks omitted). This might be 3 a different situation if Okta had told investors it was going to retain specific executives while hiding 4 that those executives had already left or would do so soon. See Moradpour v. Velodyne Lidar, Inc., 5 No. 21-cv-1486-SI, 2022 WL 2391004, at *13–14 (N.D. Cal. July 1, 2022). There are no allegations 6 that Okta told investors that it would retain a certain percentage of its workforce and then hid that it 7 had not met those figures. Nor are there allegations that Okta was secretly plotting to terminate 8 employees while publicly saying they would retain them. 9 In sum, drawing all reasonable inferences in Lead Plaintiff’s favor, what Lead Plaintiff 10 describes is: following the acquisition of Auth0 in May 2021, some executives departed; and over 11 some period of time (“around fall 2021,” according to CW6) the company was not able to retain its 12 line-level salesforce; and in December 2021 Okta’s finance team pulled the plug on the original 13 sales team integration plan. Then on August 31, 2022, Defendant McKinnon cited “heightened 14 attrition” as one of the factors causing “headwinds” with the integration, which resulted in the 15 company lowering its calculated billings outlook for the year by $140 million and reevaluating its 16 FY26 targets. See AC ¶¶ 126–29. These allegations are not sufficiently particularized to create a 17 strong inference that the individual defendants knew or recklessly disregarded material facts 18 regarding employee attrition when they signed off on the risk disclosures on March 7 and June 3, 19 2022. 20 That Lead Plaintiff alleges no suspicious stock sales by senior executives also cuts against 21 the inference of scienter, particularly where the complaint is lacking overall in allegations creating 22 a strong inference of scienter as to employee attrition. Cf. In re Alphabet, Inc. Sec. Litig., 1 F.4th 23 687, 707 (9th Cir. 2021), cert. denied sub nom. Alphabet Inc. v. Rhode Island, 212 L. Ed. 2d 233, 24 142 S. Ct. 1227 (2022) (“Allegations of suspicious stock sales or information from confidential 25 witnesses are not needed where, as here, other allegations in the complaint raise a strong inference 26 of scienter.”). 27 28 Accordingly, the Court GRANTS the motion to dismiss claims regarding employee attrition as contained in the March and June 2022 risk disclosures, with leave to amend these allegations. 24 1 2 B. Data Security Incident 3 With regard to Okta’s data security and the January 2022 incident, the complaint identifies 4 five statements as false or misleading. See Opp’n at 12 (citing AC ¶¶ 143, 145, 159, 167–68). The 5 Court finds these allegations fail to plausibly allege either falsity or scienter and so do not give rise 6 to a claim under the PSLRA as currently stated in the complaint. 7 1. United States District Court Northern District of California 8 Okta’s Commitment to Data Security 9 First, the statements Lead Plaintiff highlights regarding Okta’s “commitment” to data 10 security are not actionable. See AC ¶¶ 145 (“security is of the utmost importance to us”), 159 11 (“security is a mission-critical issue for Okta and for our customers”).8 Such statements “amount to 12 vague and generalized corporate commitments, aspirations, or puffery that cannot support liability 13 under Section 10(b) and Rule 10b-5(b).” See In re Alphabet, Inc. Sec. Litig., 1 F.4th at 708 (in suit 14 alleging cybersecurity vulnerability, statements about Google’s commitment to privacy and data 15 security “do not rise to the level of ‘concrete description of the past and present’ that affirmatively 16 created a misleading impression of a ‘state of affairs that differed in a material way from the one 17 that actually existed.’”) (citation omitted). 18 2. 19 September 15, 2021 Conference Statement 20 Lead Plaintiff also challenges more specific representations that defendants made regarding 21 data security. However, the complaint lacks particularized allegations showing that these statements 22 were materially false when made. For instance, Lead Plaintiff challenges the following statement 23 (in bold and italics) that Defendant McKinnon made at the Citi Global Technology Virtual 24 Conference on September 15, 2021: 25 So if you really get to this -- to get to this real Zero Trust capability, one of the things you have to do is you have to make sure that you 26 27 28 8 Plaintiff concedes that it misattributed the statement quoted in paragraph 145 of the complaint, and that the statement was made by an Okta customer rather than an Okta VP. See Opp’n at 19 n.8. 25 know, you have an inventory and you have an accurate representation of all the machines. So you have to have like a catalog of the machines. And then that’s sometimes daunting enough. But then you have to make sure that you don’t just -- you allow that machine to only do the minimum amount of things that it should be -- it should have to do. 1 2 3 You can’t just access anything on the network. You can’t just potentially be a launching-off point for other attacks throughout your network. It has to be locked down to exactly what it has to be able to do. And to do that, you -- 9 times out of 10, you have to know the people that can do certain things from that machine. And that’s the tricky part because a lot of these machines, they have a certain role that they do just in terms of processing kind of no user-related process and information around. But then they’re left -- the administration accounts or the admin or the super user accounts are left open because it’s easy for the engineers to drop in there and, like, do some admin things and maintain some network things. 4 5 6 7 8 9 12 And that’s why -- that specific problem. Imagine the server in the server closet. You did a good job at Zero Trust. You took an inventory of the assets. You know this machine only should be able to access this other physical area of the network. You’ve really locked it down. But then you can log into that with an admin count and get anywhere. 13 AC ¶ 143. The complaint argues McKinnon’s statements were false and misleading “because they 14 omitted the material facts that Okta was not properly securing its administrative tools for monitoring 15 customer tenants and that the Company failed to require its sub-processors to comply with the 16 Company’s fundamental security requirements.” Id. ¶ 144. Yet plaintiff’s assertion is not supported 17 with specific factual allegations in the complaint. 10 United States District Court Northern District of California 11 18 The complaint relies on two confidential witnesses who stated that Okta could have done 19 better in securing SuperUser access. CW6 was a Senior Solutions Engineer at Okta from February 20 2019 through December 2021 and who had SuperUser access. Id. ¶ 43. CW6 “suggest[ed] that the 21 SuperUser tool should have been more closely guarded against hackers” and that “best practice” 22 would have been to add additional safeguards such as requiring SuperUsers to access the tool only 23 from a secure administrative station and not from their home laptops. Id. ¶ 100. CW7, an Okta 24 Senior Solutions Engineer who stopped working for the company in March 2021, “advised that, in 25 her opinion, Okta did not properly secure its administrative tools for controlling different cloud 26 tenants[.]”9 Id. ¶¶ 44, 102. 27 28 9 The complaint does not state that CW7 had SuperUser access. 26 United States District Court Northern District of California 1 For several reasons, the accounts of CW6 and CW7 are not sufficient to support the assertion 2 that Okta failed to require its sub-processors to comply with Okta’s fundamental security 3 requirements. For one, neither witness states what the complaint says they do—that Okta did not 4 require its sub-processors to comply with Okta security requirements. Moreover, the opinion of 5 CW7 is of little utility, where CW7 stopped working for Okta in March 2021, roughly ten months 6 before the security incident occurred. See id. ¶ 44. In fact, CW6 herself explained that SuperUser 7 access became more restrictive after June 2021. According to the complaint, CW6 recalled that 8 “prior to June 2021, Okta had granted Solutions Engineers full SuperUser access, meaning they had 9 full read and write access to customer tenants. However, CW6 recalled that Okta restricted 10 Solutions Engineers’ SuperUser access to read-only after June 2021 . . . .” Id. ¶ 147. Finally, it is 11 unclear how the SuperUser allegations relate to the January 2022 incident, as nowhere does the 12 complaint allege that the incident resulted from the breach of a SuperUser account. Plaintiff’s brief 13 argues that “the Company experienced a significant data security breach that was caused by Okta’s 14 failure to secure its administrative tools, such as the ‘SuperUser’ tool,” but the complaint itself does 15 not say this. See Opp’n at 7 (citing AC ¶¶ 98–104) (emphasis added). At the hearing, plaintiff’s 16 counsel conceded this, clarifying that plaintiff does not allege that SuperUser status was available 17 to third party sub-processors such as the one whose account was compromised in January 2022. 18 Rather, plaintiff’s counsel stated that the SuperUser example shows that defendants were on notice 19 that Okta was susceptible to a data breach. 20 More fundamentally, it is not clear from the excerpt quoted in the complaint exactly what 21 Defendant McKinnon is talking about at the September 15, 2021 conference. He could be opining 22 on ZeroTrust as a concept, talking about aspirations that Okta has, or describing a specific data 23 security approach that Okta has already implemented. And as defendants point out, the statement 24 does not even mention sub-processors. See Mot. at 11. 25 For all of these reasons, without more information the Court cannot find the complaint 26 sufficiently alleges the statement McKinnon made on September 15, 2021, was false or misleading 27 when made. 28 27 3. United States District Court Northern District of California 1 March 7, 2022 Risk Disclosure 2 Plaintiff also challenges the risk disclosure that Okta made in its Form 10-K, filed with the 3 SEC on March 7, 2022. In its lengthy risk disclosures, Okta made the following statement related 4 to data security: “An application, data security or network incident may allow unauthorized access 5 to our systems or data or our customers’ data, disable access to our service, harm our reputation, 6 create additional liability and adversely impact our financial results.” AC ¶ 159. 7 Plaintiff argues this statement was false and misleading because the risk warned of had 8 already materialized: “Specifically, Okta had experienced the January 2022 Breach due to unsecured 9 administrative tools used for monitoring cloud tenants and the failure to require sub-processors to 10 comply with Okta’s fundamental security requirements.” Id. ¶ 160. In their motion to dismiss, 11 defendants argue that not every security incident requires disclosure, and they dispute plaintiff’s use 12 of the term “breach.” Instead, defendants state that the complaint provides “no specific factual 13 allegations that Okta was aware of a breach—let alone a material one—by March 2022.” Mot. at 14 13. 15 Setting aside for now the parties’ dispute regarding falsity, the claim must be dismissed for 16 lack of scienter. Defendants argue, and the Court agrees, that the complaint fails to allege sufficient 17 facts showing what, if anything, the individual defendants knew about the January 2022 incident at 18 the time Okta’s Form 10-K was filed on March 7, 2022. None of the CWs allege that the individual 19 defendants knew about the incident by March 7, 2022. What the complaint states is that the incident 20 became public on March 21, 2022, when hackers posted screenshots “showing what they claimed 21 was Okta’s internal company environment.” AC ¶ 105. On March 22, 2022, at 4:23 a.m., Defendant 22 McKinnon posted on his Twitter account: 23 24 25 In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. (1 of 2) 27 We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January. (2 of 2) 28 Id. ¶ 106. Later that same day, Okta’s Chief Security Officer issued a blog post that, according to 26 28 United States District Court Northern District of California 1 plaintiff, “admitted that Okta first detected the January 2022 Breach in January.” Id. ¶ 108. The 2 complaint also alleges that “[o]n March 25, 2022, Okta acknowledged that it sat on this information 3 for almost two months before stating, ‘We want to acknowledge that we made a mistake.’” Id. 4 ¶ 111. 5 The complaint thus provides no particularized facts to support the assertion that the 6 individual defendants were aware of the January security incident by March 7, 2022. In its 7 opposition, Lead Plaintiff argues that “CW3 explained during an All-Hands Meeting following the 8 January 2022 Breach, [that] Defendants informed Okta employees that Okta ‘quickly’ knew the 9 breach occurred and shut the compromised account down.” Opp’n at 28. This misrepresents what 10 is stated in the complaint. The complaint states, “According to CW3, the data breach that occurred 11 in January 2022 and was disclosed in March 2022 was discussed at the first All-Hands Meeting 12 following the breach being publicized by news outlets[,]” i.e., after March 22, 2022. See AC ¶ 113 13 (emphasis added). Thus, CW3’s allegations do not show that the individual defendants knew of the 14 incident prior to March 7, 2022. Nor do later statements from Okta’s CEO that “Okta detected an 15 attempt to compromise the account of a third party customer support engineer” in January 2022 16 raise a strong inference that defendants were aware of the event in January. The complaint neither 17 paints a picture of “widespread deception” nor does it “sufficiently allege the individual Defendants 18 acted with scienter.” See Oregon Pub. Emps. Ret. Fund, 774 F.3d at 608. 19 Plaintiff also argues that it has adequately pled scienter under the core operations theory. 20 Opp’n at 30, 32. “Proof under this theory is not easy. A plaintiff must produce either specific 21 admissions by one or more corporate executives of detailed involvement in the minutia of a 22 company’s operations, such as data monitoring, . . .; or witness accounts demonstrating that 23 executives had actual involvement in creating [the fraud].” Police Ret. Sys. of St. Louis v. Intuitive 24 Surgical, Inc., 759 F.3d 1051, 1062 (9th Cir. 2014) (citations omitted). Here, plaintiff has pled 25 neither. 26 Finally, viewing the allegations of the complaint holistically, the Court still finds scienter 27 lacking. Plaintiff essentially theorizes that because data security was the bread and butter of the 28 company, it would be impossible for the individual defendants not to have known about the data 29 United States District Court Northern District of California 1 incident when it happened. When conducting a holistic review of the complaint, courts “must also 2 ‘take into account plausible opposing inferences’ that could weigh against a finding of scienter. . . . 3 Even if a set of allegations may create an inference of scienter greater than the sum of its parts, it 4 must still be at least as compelling as an alternative innocent explanation.” Zucco Partners, LLC v. 5 Digimarc Corp., 552 F.3d 981, 1006 (9th Cir. 2009) (quoting Tellabs, 551 U.S. at 323). Here, the 6 Court cannot say that the allegations of the complaint are at least as compelling as the alternative 7 innocent explanation, which is that a one-time attempted compromise of a third-party customer 8 support engineer account that was “investigated and contained by the subprocessor” simply did not 9 raise significant enough concerns when it happened to warrant alerting the company’s CEO, CFO, 10 and COO. See AC ¶ 106. This case is a far cry from In re Alphabet, Inc. Securities Litigation, on 11 which plaintiff relies. That case involved an ongoing security glitch that the company learned had 12 been leaving the private data of hundreds of thousands of users exposed for three years, and the 13 complaint alleged that Google executives received an internal memo from legal and policy staff 14 warning that disclosure of the security vulnerability would “almost guarantee[]” that Google’s CEO 15 would be brought to testify before Congress. 1 F.4th at 695–96. Here, the complaint lacks specific 16 allegations regarding when the individual defendants learned of the security incident, nor does the 17 incident on its face come close to the scale of the security concerns at issue in Alphabet. 18 19 4. Statements re: Customer Trust on June 8, 2022 20 Finally, plaintiff challenges statements that Defendant McKinnon made in a CNBC 21 interview on June 8, 2022. Discussing the security incident that went public in March 2022, 22 McKinnon stated, 23 24 25 26 27 28 And anytime there’s any kind of hack, whether it’s to a third party or what any kind of talk of a breach, there’s a lot of concerns in the [sic] in the customer base because this is about trust. So, the first thing we did is we had these conversations. We talked to over 1000 customers face to face over, [sic] over video and had these conversations. I personally talked [sic] over 400. And got a ton of feedback about what we could do better, how we could make sure that our support environment was not insecure, to make sure that we communicate better, to make sure that we are instill [sic] this trust. At the end of the [sic], I think we’ve been able to do that. 30 1 2 3 4 5 6 7 8 9 10 United States District Court Northern District of California 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 ... We’re committed to making this a $4 billion a year company by fiscal year, fiscal year 26. So, that’s, that’s coming up quickly. So, we have to invest to grow to that scale and we’ve always done it with a balance of efficiency. We’ve always made sure that our, that our growth rate and our [sic] and our cash flow generation was balanced towards that goal. So, we think we’re drawing the right balance to capture this market opportunity. And I think over time you’re going to see a very highly scaled profitable company that’s going to help customers and capitalize on this big market opportunity. Id. ¶¶ 167–68 (underlined [sic]’s added by the Court). Plaintiff alleges these statements were materially false and misleading when made “because Okta was actually losing sales as a direct result of the January 2022 Breach, which only compounded the severe problems the Company was having with the Auth0 integration.” Id. ¶ 169. Plaintiff clarifies this argument in the opposition brief, charging that McKinnon’s statement was false and misleading because “the January 2022 Breach had harmed Okta’s reputation and sales, as customers no longer trusted the Company and were unwilling to increase their contracts or spend more money with Okta. [AC] ¶¶ 113-15.” Opp’n at 23. The complaint as it stands is not sufficiently particularized to show a false or misleading statement when made. For evidence that the company was losing sales, plaintiff relies on accounts from CW3, CW4, and CW8. CW3 reported “that the Company was saying that they were losing sales because of the breach,” “that the breach did come up with every customer she spoke with,” and that “the Company distributed ‘talking points’ to employees on how to ‘downplay’ the breach.” AC ¶ 113. CW4 “recalled that prospective customers were deciding against doing deals with Okta after the breach.” Id. ¶ 114. And CW8 “advised that Okta customers reacted negatively to the data breach that Okta disclosed in March 2022.” Id. ¶ 115. Although “CW8 could not recall whether customers were canceling contracts outright[,]” CW8 did recall that the negative customer reaction “impacted her ability to meet quotas.” Id. “CW8 could not quantify the amount of lost business, but she suggested it might have been ‘tens of thousands of dollars’ in lost business.” Id. These allegations lack particularity regarding how much sales Okta lost and when. With the exception of a single statement from CW8 estimating lost business in the tens of thousands of 28 31 1 dollars,10 see id., nowhere does the complaint identify with particularity which sales or how many 2 were lost as a result of the data security incident. Moreover, both CW4 and CW8 left the company 3 around the time of the data security disclosure. CW4 worked as an Account Executive at Okta “until 4 the first quarter of fiscal 2023,” which began February 1, 2022. Id. ¶ 41. CW8 worked as a Senior 5 Account Executive “until spring 2022.” Id. ¶ 45. Without more detail regarding when they 6 departed, it is unclear that CW4 and CW8 would have been positioned to know the status of sales 7 when McKinnon gave his interview in early June. And CW3, who stayed at the company until 8 August 2022, does not allege having personally lost a single sale as a result of the data security 9 incident. See id. ¶¶ 40, 113. For these reasons, the complaint as it stands fails to show that the statements McKinnon 10 United States District Court Northern District of California 11 made on June 8, 2022, were materially false or misleading when made. 12 13 C. Section 20(a) 14 A claim under Section 20(a), which provides for control person liability, “must demonstrate: 15 (1) a primary violation of federal securities laws and (2) that the defendant exercised actual power 16 or control over the primary violator.” (internal quotation marks and citation omitted). A control 17 person claim under Section 20(a) requires a predicate primary violation. See Webb v. Solarcity 18 Corp., 884 F.3d 844, 858 (9th Cir. 2018). 19 Where the Court has found that plaintiff has sufficiently stated a Section 10(b) claim (i.e., 20 with regard to the March 2 and June 2, 2022 earnings call statements regarding the progress of the 21 integration), the Court also finds that plaintiff has stated a claim under Section 20(a). For the 22 remainder of the claims, where the Court has found no Section 10(b) violation is sufficiently alleged, 23 the Court likewise finds plaintiff has failed to state a claim under Section 20(a). 24 25 26 II. Request for Judicial Notice Along with their motion and reply briefs, defendants also filed a request for judicial notice. 27 28 10 The Court assumes, though the complaint does not specify, that this figure references lost business on CW8’s own sales accounts. 32 1 Dkt. Nos. 57, 58, 69. As a general rule, the Court may not consider any materials beyond the 2 pleadings when ruling on a Rule 12(b)(6) motion. Lee v. City of Los Angeles, 250 F.3d 668, 688 3 (9th Cir. 2001). However, courts considering a motion to dismiss that is governed by the PSLRA 4 may consider “documents incorporated into the complaint by reference, and matters of which a court 5 may take judicial notice.” Tellabs, 551 U.S. at 322. 6 7 At this time, the Court declines to rule on defendants’ request for judicial notice, as the Court did not rely on any of these documents in resolving the present motion. 8 CONCLUSION United States District Court Northern District of California 9 10 For the foregoing reasons and for good cause shown, the Court hereby GRANTS IN PART 11 and DENIES IN PART defendants’ motion to dismiss, with leave to amend. The motion is 12 GRANTED, except that the Court DENIES the motion as to omissions the individual defendants 13 made regarding the Auth0 integration on the March 2 and June 2, 2022 earnings calls. 14 The second amended complaint shall be due no later than April 28, 2023. 15 When amending the complaint, Lead Plaintiff shall also attach a chart that lays out, concisely 16 and with particularity, including paragraph citations to the second amended complaint: which 17 statements Lead Plaintiff alleges were materially false or misleading; who made the statements; 18 when the statements were made; and the facts (including dates) that Lead Plaintiff alleges render 19 the statement false or misleading. 20 21 22 23 24 IT IS SO ORDERED. Dated: March 31, 2023 ______________________________________ SUSAN ILLSTON United States District Judge 25 26 27 28 33
]]>
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You
should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
