Regular readers of this blog know that one of the important emerging D&O liability exposures involves issues arising from privacy concerns. There have, in fact, been a number of important privacy-related D&O claims filed, including lawsuits relating to the EU’s General Data Protection Regulation (GDPR). Among the highest profile of these GDPR-related lawsuits is the securities class action lawsuit filed against U.K.-based media rating firm Nielsen Holdings. The Nielsen securities suit survived a dismissal motion. Now, in the latest development, the Nielsen suit recently settled for $73 million. The settlement is subject to court approval. A copy of the parties’ stipulation of settlement can be found here.
Nielsen is a media data analytics company best known for its television ratings service. The company’s business is broadly organized into two segments: (1) the “Buy” segment, focused on consumer purchasing and spending analytics; and (2) the “Watch” segment, focused on media audience measurement and analytics.
As discussed here, on August 8, 2018, Nielsen and certain of its executives were sued in a securities class action lawsuit filed in the Southern District of New York. Several related lawsuits were subsequently filed and ultimately consolidated. The lead plaintiffs later filed a consolidated amended complaint. In September 2019, the plaintiff filed a second consolidated amended complaint, and the defendants filed a motion to dismiss.
The plaintiffs’ amended complaint alleged that the defendants had made misrepresentations both with respect to the company’s Buy segment and with respect to the company’s Watch segment.
With respect to the Buy segment, the plaintiff alleged that in its 2016 SEC filings defendants had failed to disclose that discretionary spending was trending downward as a result of its clients’ lack of interest in the company’s analytics offerings; that the company had materially misleading revenue forecasts for the Buy sector business from 2016 to 2017; and that the company had misrepresented the fair value of the Buy segment and its goodwill in the company’s SEC filings.
With respect to the Watch segment, the plaintiffs alleged that both before and after the GDPR went into effect on May 25, 2018, the defendants had made statements that the Watch sector business would continue to grow, notwithstanding GDPR, and that its business would remain unaffected. The claims were based on company statements before GDPR went into effect that GDPR would not have “a major impact” on the Watch business and that the company was “ready” for GDPR and “in good shape,” as well as other reassuring statements. Similarly, after GDPR went into effect, the defendants allegedly made various reassuring statements, among other things, saying that it would be a “non-event.”
However, in July 2018, the company disclosed that it was reducing its guidance as many of the company’s customers were pulling back on their spending on Watch sector products pending further data on how GDPR would affect the market. The company also disclosed that because of GDPR-related privacy concerns the company had lost access to key data critical for its analytics. The company’s share price declined 25% on the revised guidance and other disclosures.
Dismissal Motion Denial
As discussed here, in a January 4, 2021 order, Southern District of New York Judge Jesse Furman held that the plaintiffs had not stated a claim with respect to the allegations concerning the Buy segment, except he concluded that the plaintiff had stated actionable claims with respect to the defendants’ alleged failure to disclose in its 2016 SEC filings the decline in discretionary spending; and that the defendants had made misleading statements in 2016 and 2017 about the Buy segment goodwill.
With respect to the plaintiff’s allegations concerning the Watch segment and pertaining to the impact of GDPR on the company, Judge Furman concluded the plaintiffs’ allegations concerning the pre-GDPR statements were not actionable. These allegations, Judge Furman said, “do not come close to meeting the heightened pleading requirement.” The plaintiffs’ allegations about the pre-GDPR statements were based on post-GDPR developments which amount, Judge Furman said, to “nothing more than fraud by hindsight.” Judge Furman also found that the risk factors in the company’s SEC filings contained “cautionary language” about the GDPR’s possible negative effects that “adequately warned investors of the impending risk.”
However, Judge Furman reached a different conclusion concerning the defendants’ post-GDPR statements, finding that after GDPR went into effect, the defendants “issued misleading statements regarding the regulation’s effect on Nielsen.” Company executives continued to describe GDPR as a “non-event” and to assure investors that the company had access to all the data it needs, notwithstanding GDPR’s privacy requirements. Judge Furman said that the plaintiffs “sufficiently allege that Defendants made misleading guarantees about GDPR’s impact on Nielsen’s business that negate any previous disclosure and plausibly allege scienter.” Accordingly, Judge Furman said, “while Defendants’ motion is granted as to Plaintiffs’ pre-GDPR-related claims, it is denied as to their post-GDPR-related claims.”
Settlement and Discussion
On March 15, 2022, the parties to the securities suit filed a Stipulation of Settlement with the court, indicating that the case had settled, subject to court approval, for $73 million. The settlement stipulation does not indicate the source of the funds to be paid in the settlement; there is no indication if any of the settlement amount is to be funded by D&O insurance. The settlement says, with respect to the settlement consideration, that “Defendants shall pay, or cause to be paid, the Settlement Amount into the Escrow Account” under the timeline specified in the settlement stipulation.
The settlement of this action is a milestone of sorts as it provides a tangible measure of the extent to which privacy-related issues represent a substantial D&O risk exposure. Although to this point there have only been a relatively small number of privacy-related D&O issues, privacy remains a high-profile issue and increasing numbers of jurisdictions (including U.S. states) have enacted or considered enacting privacy-related legislation.
Privacy is to a certain extent related to cybersecurity, to the extent that a data breach or other cybersecurity incident can and often does involve privacy concerns. However, privacy issues can and often do arise even in the absence of a cybersecurity incident. To cite one example, there was no underlying cybersecurity incident involved in the action against Nielsen. To that extent then privacy is and should be considered to be separate from cybersecurity as a source of potential D&O exposure. The settlement in this case highlights the fact that this privacy-related exposure can be substantial.
One final note is that the signs are that privacy will remain a hot button issue. As noted in a May 2, 2022 memo from the Ropes & Gray law firm (here), Connecticut recently became the fifth state to enact a comprehensive data privacy law. Connecticut joins Colorado, California, Virginia, and Utah as states that have enacted privacy legislation. If signed by the Connecticut governor, the new law would take effect on July 1, 2023. As the law firm’s memo states, “The Connecticut Privacy Act is only further evidence of the momentum among states to pass comprehensive privacy laws that reflect a European approach to privacy through the lens of U.S. state law practices. Other state legislatures are currently considering similar comprehensive privacy bills.”