I have long thought that privacy-related issues represent one of the important emerging areas of D&O liability exposure. One case that I thought represented an example of this emerging risk was the securities class action lawsuit brought against Facebook related to the Cambridge Analytica user data privacy scandal. However, when the court granted the motion to dismiss in the case, the relevance of the Cambridge Analytica case to the discussion of privacy-related issues seemed diminished. But the appellate court has now reversed in part the lower court’s dismissal, restoring the relevance of the case to the privacy-related discussion and highlighting the importance of privacy concerns as an area of emerging D&O liability risk. The Ninth Circuit’s October 18, 2023, opinion in the case can be found here.Continue Reading Ninth Circuit Revives in Part Facebook Privacy-Related Securities Suit

In a ruling last week, Delaware Vice Chancellor Travis Laster denied motions to dismiss in the shareholder derivative suit against Facebook executives for failing over the course of several years to protect users’ data privacy. The alleged privacy violations to which the lawsuit relates were the subject of a massive $5 billion penalty that Facebook agreed to pay to the FTC to settle charges that the company had violated a 2012 consent order relating to protecting users’ privacy. As discussed in a May 10, 2023, Law360 article (here), Vice Chancellor Laster made his ruling from the bench in a telephonic hearing. Vice Chancellor Laster’s ruling is also discussed in a May 10, 2023, Associated Press article (here). As discussed below, Vice Chancellor Laster’s ruling underscores the extent to which privacy-related issues represent an area of significant corporate liability exposure.Continue Reading Court Denies Dismissal Motion in Facebook User Data Privacy Derivative Suit

In my recent year-end summary of corporate and securities liability trends (here), I identified privacy as an important area of growing area of corporate risk and specifically mentioned biometric privacy issues of particular concern. Almost as if to prove my point, on January 29, 2020, in its SEC filing on Form 10-K, Facebook announced that it had agreed to pay $550 million dollars to settle a biometric data privacy class action lawsuit that had been filed on behalf Illinois users in connection with the company’s use of facial recognition software.  According to plaintiffs’ lawyers involved in the case, the settlement represents the largest-ever cash settlement to resolve a privacy-related lawsuit. This massive settlement shows the significance of privacy issues and underscores the likelihood that privacy issues – particularly biometric privacy issues – are likely to be an important corporate liability battleground concern.
Continue Reading Facebook to Pay $550 Million in Largest-Ever Privacy Settlement

Two of the most prominent examples of the rise of privacy-related securities class action lawsuits are the Cambridge Analytica scandal-related suit filed against Facebook in March 2018, and the Earnings Miss/GDPR-readiness and compliance-related securities suit filed against Facebook in July 2018. These two lawsuits were ultimately consolidated. In an interesting and detailed September 25, 2019 order (here), Northern District of California Edward J. Davila granted without prejudice the defendants’ motions to dismiss the consolidated lawsuit, finding that the plaintiffs had failed to adequately plead falsity and scienter. There are a number of interesting features to Judge Davila’s ruling, as discussed below.
Continue Reading Facebook Privacy-Related Securities Suit Dismissed Without Prejudice

On July 24, 2019, in a development that underscores the heightened significance of privacy-related issues, the Federal Trade Commission (FTC) announced that Facebook will pay a record-breaking $5 billion penalty and submit to new restrictions and a modified corporate structure. In a related development, the Securities and Exchange Commission (SEC) also announced that Facebook had agreed to a $100 million settlement to resolve the agency’s allegations that the company misled investors regarding the risk of misuse of Facebook user data. Both agency actions followed the March 2018 revelations data analytics firm Cambridge Analytica had obtained access to user data of millions of Facebook users.  The FTC’s July 24, 2019 press release about the $5 billion penalty can be found here. The SEC’s July 24, 2019 press release about the $100 million settlement can be found here.
Continue Reading Massive Facebook Settlements Underscore Privacy’s Importance as Corporate Risk

It was perhaps inevitable after Facebook’s disappointing quarterly earnings announcement last week triggered what reportedly is the largest single day share price drop ever that securities class action lawsuits against the company would follow. And indeed on Friday at least two securities class action lawsuits were filed against the company. While the lawsuit filings may have been predictable, at least one of the lawsuits contains an interesting and unexpected variant on the standard pattern –  one of the two lawsuits contains allegations that the company made misrepresentations about its readiness for the May 2018 effective date of General Data Protection Regulation (GDPR) and about the impact of GDPR compliance on the company’s business and operations. As discussed below, these allegations reflect the growing liability exposures arising from growing privacy-related concerns and regulation.  
Continue Reading Massive Facebook Stock Drop Draws GDPR-Related Securities Suit

For some time, observers (including me) have been discussing the extent to which the rising numbers of corporate data breaches would translate into to D&O litigation. There of course have been some data breach-related D&O lawsuits;  indeed, plaintiffs’ lawyers have recently for the first time managed to secure some success with these kinds of suits – as discussed here, Yahoo recently settled a data breach related securities class action lawsuit for $80 million. In light of the Yahoo settlement, the possibility for further data breach-related D&O litigation seems likely. But as I was reading the complaint in a securities class action lawsuit filed earlier this week against Facebook, I began to think that a related but slightly different data security-related concern might actually present an even more significant risk of future D&O claims.
Continue Reading Do Privacy Issues Represent the Next Big D&O Liability Exposure?