For some time, observers (including me) have been discussing the extent to which the rising numbers of corporate data breaches would translate into D&O litigation. There of course have been some data breach-related D&O lawsuits; indeed, plaintiffs’ lawyers have recently for the first time managed to secure some success with these kinds of suits – as discussed here, Yahoo recently settled a data breach-related securities class action lawsuit for $80 million. In light of the Yahoo settlement, further data breach-related D&O litigation seems likely. But as I was reading the complaint in a securities class action lawsuit filed earlier this week against Facebook, I began to think that a related but slightly different data security-related concern might actually present an even more significant risk of future D&O claims.
Facebook of course has recently had some very high-profile problems involving third parties’ access to user information. These problems led to the filing of the securities class action complaint against the company. The allegations in the new lawsuit involve circumstances that are in many respects unique to Facebook. However, one critical detail about the Facebook situation is that the apparently unauthorized spread of user information was not the result of a data breach; instead the user information was apparently accessed under relatively common arrangements whereby Facebook allowed app developers to access user information. The concern at the heart of the current Facebook debacle involves privacy, not cybersecurity. As discussed below, privacy issues could represent a significant new source of potential D&O liability exposure.
As numerous media outlets have reported, the data analytics firm Cambridge Analytica, which reportedly helped Donald Trump’s presidential campaign, obtained the Facebook data of more than 50 million users as part of a program to profile users and target them with political ads.
According to the reports, in 2014, a researcher collected the data through an app that asked users to take a personality test for academic research purposes. Around 270,000 people agreed to have their data collected through the test. Consistent with Facebook’s terms of service at the time, the app was also able to collect data of their friends. This gave the academic information of more than 50 million Facebook users, which the academic then gave to Cambridge Analytica. A former employee of the data analytics firm told The Guardian that the firm was able to use the data to create a “psychological warfare tool.”
These revelations have raised a storm of criticism of Facebook’s practices and policies. Political leaders in the U.S. and Europe have launched inquiries into whether the company took appropriate steps to prevent improper access and handling of its user data. Other regulatory authorities have raised questions of whether Facebook’s practices may have violated prior consent decrees or other commitments the company made to protect user information.
The Securities Lawsuit
Following this news, the company’s share price was hit with its largest decline in four years. Readers of this blog will not be surprised to learn that among the next things that happened is that plaintiffs’ lawyers filed a securities class action lawsuit.
In a March 20, 2018 press release (here), plaintiff’s attorneys announced that they had filed a securities class action lawsuit in the Northern District of California against Facebook and certain of its directors and officers. According to the press release, the Complaint (a copy of which can be found here) alleges that the defendants made false and misleading statements or failed to disclose that “(i) Facebook violated its own purported data privacy policies by allowing third parties to access the personal data of millions of Facebook users without the users’ consent; (ii) discovery of the foregoing conduct would foreseeably subject the Company to heightened regulatory scrutiny; and (iii) as a result, Facebook’s public statements were materially false and misleading at all relevant times.” The complaint quotes extensively from the numerous news stories that have followed in the wake of the Cambridge Analytica revelations.
It should be noted that in addition to the investor lawsuits, at least one Facebook user has filed a consumer class action lawsuit against the company, as discussed here. The plaintiff in the lawsuit, which was also filed in the Northern District of California, alleges among other things that she was “frequently” subjected to political ads during the 2016 presidential campaign.
As I noted at the outset, there have been (and likely will continue to be) D&O lawsuits filed against companies that experience data breaches. However, even before the filing of the new investor lawsuit against Facebook, I had noted an interesting shift in the kinds of data security lawsuits that were being filed. For example, in January, investors filed cybersecurity-related securities class action lawsuits against Intel and AMD (as discussed here and here). These companies were sued not because they had experienced data breaches; rather they were sued because of news that flaws in their processor chips created a vulnerability that made the chips susceptible to being hacked.
The new Facebook securities class action lawsuit represents an even further shift away from the more data breach-focused concerns that have triggered data security-related D&O litigation before.
Facebook itself has in fact made it a point of significant emphasis that the data release associated with the Cambridge Analytica situation did not involve a data breach. The fundamental concern behind the furor is not that user data was exposed in a breach; rather the concern is that the company allowed third-party app developers to access private user information. The outrage of politicians and others, as well as the reaction of investors that caused the company’s stock price decline, involved concerns that the company was insufficiently protective of its users’ private personal data.
There is a specific context to these events that puts the privacy issues involved in this situation in a very particular light. On May 25, 2018 – which is, according to the European Union’s webpage, less than 60 days from now – the EU’s new Global Data Protection Regulation (GDPR) will take effect. These sweeping new regulations impose strict privacy protection requirements throughout the EU, and subject violators to stringent penalties. The regulations have a broad scope, applying to companies outside the EU that collect data on citizens within the EU.
As discussed in an earlier guest post on this site (here), the new GDPR requirements were already poised to become a significant potential source of company liability – not just under the regulations themselves, but also through follow on civil litigation, as investors and others seek to hold companies liable for failing to fulfill privacy requirements and subjecting the company to liabilities and penalties.
The new Facebook lawsuit suggests that privacy-related concerns may already represent a potential new source of corporate liability exposure. The advent of the GDPR regulations will magnify these possibilities. While predictions of this kind are always tricky, it may be that privacy-related issues represent an emerging and growing area of potential D&O liability exposure.
I think it is important to note that these kinds of privacy concerns involve not just new age behemoths like Facebook that are hoovering huge volumes of personal information. Many companies are capturing vast amounts of client and customer information, many of them in traditional industries – think how much your airline, your pharmacy, your credit card company, even your electric utility know about you. Of course these companies are mining this information for their marketing efforts and pricing analyses. These companies may well be sharing this information with collaborators, joint venture partners, third-party vendors, and so on.
The recent developments at Facebook not only show the problems that can arise with the use of this kind of information, but they also underscore how claims that this kind of information was mishandled can lead to bad publicity, a corporate crisis, and even significant D&O litigation. I could be wrong, of course, but I think we will see more D&O litigation in future involving privacy issues. Indeed the advent of the GDPR could significantly increase the likelihood of these possibilities.
One final note. The Facebook lawsuit also represents another phenomenon I have noted on this blog – that is, the rise of event-driven securities litigation. As I have noted elsewhere, it used to be that securities litigation involved financial misrepresentations. But as the number of restatements has declined in recent years, there have been fewer financial misrepresentation lawsuits. Instead, some securities attorneys have now focused on companies that have experienced a setback in their operation. First comes the event, then comes the securities. This kind of event-driven litigation was a significant factor in the record levels of securities class action lawsuit filings in 2017, and continues to be a significant factor so far this year.
Readers interested in a more detailed analysis of the specific allegations in the new Facebook securities lawsuit will want to take a look at Alison Frankel’s interesting March 21, 2018 post about the lawsuit on her On the Case blog, here. Among other things, Frankel suggests that the Yahoo settlement may have foreshadowed the new Facebook lawsuit. She also correctly notes that the same law firm that filed the new Facebook securities lawsuit also filed the Yahoo lawsuit.