In re Intel Corp. Sec. Litig.

IN RE INTEL CORPORATION SECURITIES LITIGATION

CASE NO. 18-cv-00507-YGR

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA

March 29, 2019

ORDER GRANTING MOTION TO DISMISS WITH LEAVE TO AMEND

Re: Dkt. No. 67

Lead plaintiff Louisiana Sheriffs' Pension & Relief Fund brings this securities class action litigation alleging false and misleading statements and omissions between October 27, 2018 and January 9, 2018 (the "Class Period"), against defendants Intel Corporation ("Intel," or the "Company"), and three individual defendants, namely Brian M. Krzanich (former Chief Executive Officer or "CEO"), Robert H. Swan (Chief Financial Officer or "CFO"), and Navin Shenoy (Executive Vice-President). Specifically, plaintiff raises the following causes of action: (i) violation of Section 10(b) of the Securities Exchange Act ("Exchange Act") against all defendants and Rule 10b-5 promulgated thereunder and (ii) violation of Section 20(a) of the Exchange Act against the individual defendants.

Defendants have filed a motion to dismiss, pursuant to Federal Rules of Civil Procedure 8(a), 9(b), and 12(b)(6), and the Private Securities Litigation Reform Act of 1995 ("PSLRA"). (See Defendants' Motion to Dismiss Consolidated Complaint ("MTD"), Dkt. No. 67.) Therein, defendants challenge plaintiff's Section 10(b) claim on two grounds. First, plaintiff fails to identify any statements which were false or misleading when made. Second, plaintiff has not established a strong inference of scienter. With regard to plaintiff's Section 20(a) claim against the individual defendants, defendants argue that plaintiff has not shown an underlying predicate violation under Section 10(b) or facts establishing the element of control as to Shenoy.

Having considered the papers submitted and the pleadings in this action, the hearing held on March 12, 2019, and for the reasons set forth below, the Court hereby GRANTS the motion to dismiss WITH LEAVE TO AMEND.

I. BACKGROUND

The facts at issue in this case, as pleaded in plaintiff's Consolidated Class Action Complaint ("CCAC"), (Dkt. No. 57), are well known to the parties. Relevant allegations from the CCAC, and facts based on judicially noticeable documents and documents incorporated by reference in the CCAC, are set forth below.

A. INTEL'S SEMICONDUCTOR PRODUCTS

Intel is one of the world's largest manufacturers of processors, chipsets, and related computer components. (CCAC ¶ 2.) Intel provides processors to more than 90 percent of all personal computers and servers supporting the internet and business operations. (Id.) Sales of processors and chipsets account for over 80 percent of Intel's total annual revenue. (Id.) These components are integral to the functioning of computers, servers, smartphones, tablets, and networking and communications products. (Id. ¶ 23.)

Specifically, Intel typically offers its products as "platforms." (Id. ¶ 25.) A platform consists of a microprocessor and chipset. (Id.) A microprocessor is a computer processor on a microchip and is the main component of all computers, often referred to as the "brain" of a computer. (Id.) It is critical to a computer's performance and processing speed. (Id.) The key functional block of a microprocessor is the Central Processing Unit, or "CPU." (Id.)¹ A chipset is a computer's "nervous system," sending data between the microprocessor and inputs, displays, and storage devices such as keyboard, mouse, and monitor. (Id. ¶ 26.) The chipset performs essential logic functions and controls the access between the CPU and main memory. (Id.) Intel's success depends on continuously improving the power, speed, and performance of its processors. (Id. ¶ 32.)

Due to the "widespread use" of Intel's products and the "high profile of [its] commercial security products," Intel has warned its investors of associated cybersecurity and privacy risks. In its 2016 10-K filed in February 2017, Intel stated:

[M]alicious hackers may attempt to gain unauthorized access and corrupt the processes of hardware and software products that we manufacture . . . . [O]ur products . . . are a frequent target of computer hackers and organizations that tend to sabotage, take control of, or otherwise corrupt our . . . products . . . . We believe such attempts are increasing in number and in technical sophistication. From time to time, we encounter intrusions or unauthorized access to our . . . products . . . . While we seek to detect and investigate all unauthorized attempts and attacks against our . . . products, . . . we remain potentially vulnerable to additional known or unknown threats. Such incidents, whether successful or unsuccessful, could result in our incurring significant costs related to, for example, rebuilding internal systems, reduced inventory value, providing modifications to our products and services, defending against litigation, responding to regulatory inquiries or actions, paying damages, or taking other remedial steps with respect to third parties.

(Defendants' Motion to Dismiss Consolidated Complaint; Errata ("Amended Exhibit 9" or "2016 Form 10-K") at 20, Dkt. No. 81.)² Moreover, product webpages include an express warning that "[n]o computer system can be absolutely secure." (Xio Decl. Exh. 17 at ECF p. 5.)

B. SPECTRE AND MELTDOWN VULNERABILITIES

On June 1, 2017, an analyst from Google's Project Zero—which is dedicated to finding vulnerabilities in Google software and any software or hardware employed by its users—notified Intel and two other chipmakers (Advanced Micro Devices, Inc. and ARM Holdings) of a "CPU security issue that affects processors," later known as "Spectre." (Id. ¶ 52; see also id. ¶ 45.) Later in June, Google Project Zero identified a second vulnerability that became known as "Meltdown" and which "allows a hacker to move the highly sensitive data stored in kernel memory to the cache memory." (Id. ¶ 55; see also id. ¶ 54.)³ While the two vulnerabilitiespresent different security risks, they both allow a hacker to "trick" a computer into moving sensitive information into the cache memory, where the hacker can access the information, including secret keys, passwords, and any other sensitive information stored on a computer. (Id. ¶ 54.) Spectre and Meltdown impact nearly every Intel processor produced since 1995—approximately 90 percent of all Intel platforms. (Id. ¶ 56.) In or around September and December of 2017, additional researchers independently reported to Intel their discovery of the flaws. (Id. ¶¶ 57, 58.) Despite these reports, the CCAC alleges no actual reported hacks resulting from the Spectre and Meltdown vulnerabilities.⁴

After Google Project Zero informed Intel of the Spectre and Meltdown vulnerabilities in June 2017, the Company conducted a "detailed analysis" of the vulnerabilities in June and July of 2017 that confirmed their existence. (Id. ¶ 64.) Pursuant to Google Project Zero's standard protocol, whereby it affords companies like Intel 90 days to either disclose or remediate a threat, (id. ¶ 46),⁵ the securities vulnerabilities were supposed to be publicly disclosed in early September 2017. (Id. ¶ 65.) However, an unusual "deadline grace" was granted to Intel on August 7, 2017, extending the 90-day disclosure deadline. (Id.) Accordingly, Intel and other market participants planned to disclose simultaneously the existence of the vulnerabilities and deploy mitigations on January 9, 2018. (Id. ¶ 105; see also id. ¶ 6.) This disclosure process was consistent with the publicly-known "common practice" of "keep[ing] the news [of security vulnerabilities] from the public so hackers [cannot] take advantage of [such] flaws before they [a]re fixed." (Xiao Decl. Exh. 4 at 2; see also id. Exh. 5 at 2 ("[T]he custom is to give vendors a few months to fix the problem before it goes public and bad guys have a chance to exploit it.").)

Intel worked for "months" with a limited group of industry collaborators attempting to develop mitigations, test them, and prepare releases. (Id. ¶ 66 (emphasis removed).) Its efforts involved "multiple microprocessor vendors, operating system vendors[,] and [Original Equipment Manufacturers ('OEM')] around the world" working to understand the issue and "to develop the system software updates, to develop the firmware[,] and to integrate and test those things." (Id. ¶ 110 (internal quotation marks omitted).)⁶

In the meantime, Intel did not inform the National Security Agency, the Department of Homeland Security, the United States Computer Emergency Readiness Team ("US-CERT"), or the CERT Coordination Center ("CERT/CC") about Spectre or Meltdown even though such government agencies rely on computers, servers, and networks powered by Intel processors. (Id. ¶¶ 67, 70.) However, the Company informed select clients in or around November 2017. (Id. ¶ 70.)

Given the threat that Spectre and Meltdown posed to almost all of Intel's microprocessors, a former Intel security engineer has no doubt that Intel's CEO would have been informed of the problems. (Id. ¶ 73.) Moreover, given that Spectre and Meltdown crossed so many product lines at Intel, the engineer expects that Intel's CEO and CFO would have reviewed and approved the disclosure plan for Spectre and Meltdown. (Id.) Because the Data Center Group was one of the units directly impacted, defendant Shenoy, as head of the same, would have participated in discussions regarding potential mitigations and their impacts on performance and would have made the "final call" on which mitigations to deploy. (Id. ¶ 75 (internal quotation marks omitted).) Shenoy and other senior business leaders, in turn, would have provided Krzanich, Swan, and other corporate executives with weekly or bi-weekly reports. (Id.)

On November 29, 2017, the same day that Intel informed its OEM partners about Spectre, Krzanich sold 890,000 shares of Intel stock for nearly $40 million, netting almost $25 million in profits. (Id. ¶ 100.) This amounted to 100% of the shares he could sell under...