In my recent year-end summary of corporate and securities liability trends (here), I identified privacy as an important area of growing area of corporate risk and specifically mentioned biometric privacy issues of particular concern. Almost as if to prove my point, on January 29, 2020, in its SEC filing on Form 10-K, Facebook announced that it had agreed to pay $550 million dollars to settle a biometric data privacy class action lawsuit that had been filed on behalf Illinois users in connection with the company’s use of facial recognition software.  According to plaintiffs’ lawyers involved in the case, the settlement represents the largest-ever cash settlement to resolve a privacy-related lawsuit. This massive settlement shows the significance of privacy issues and underscores the likelihood that privacy issues – particularly biometric privacy issues – are likely to be an important corporate liability battleground concern.
Continue Reading

Two of the most prominent examples of the rise of privacy-related securities class action lawsuits are the Cambridge Analytica scandal-related suit filed against Facebook in March 2018, and the Earnings Miss/GDPR-readiness and compliance-related securities suit filed against Facebook in July 2018. These two lawsuits were ultimately consolidated. In an interesting and detailed September 25, 2019 order (here), Northern District of California Edward J. Davila granted without prejudice the defendants’ motions to dismiss the consolidated lawsuit, finding that the plaintiffs had failed to adequately plead falsity and scienter. There are a number of interesting features to Judge Davila’s ruling, as discussed below.
Continue Reading

On July 24, 2019, in a development that underscores the heightened significance of privacy-related issues, the Federal Trade Commission (FTC) announced that Facebook will pay a record-breaking $5 billion penalty and submit to new restrictions and a modified corporate structure. In a related development, the Securities and Exchange Commission (SEC) also announced that Facebook had agreed to a $100 million settlement to resolve the agency’s allegations that the company misled investors regarding the risk of misuse of Facebook user data. Both agency actions followed the March 2018 revelations data analytics firm Cambridge Analytica had obtained access to user data of millions of Facebook users.  The FTC’s July 24, 2019 press release about the $5 billion penalty can be found here. The SEC’s July 24, 2019 press release about the $100 million settlement can be found here.
Continue Reading

It was perhaps inevitable after Facebook’s disappointing quarterly earnings announcement last week triggered what reportedly is the largest single day share price drop ever that securities class action lawsuits against the company would follow. And indeed on Friday at least two securities class action lawsuits were filed against the company. While the lawsuit filings may have been predictable, at least one of the lawsuits contains an interesting and unexpected variant on the standard pattern –  one of the two lawsuits contains allegations that the company made misrepresentations about its readiness for the May 2018 effective date of General Data Protection Regulation (GDPR) and about the impact of GDPR compliance on the company’s business and operations. As discussed below, these allegations reflect the growing liability exposures arising from growing privacy-related concerns and regulation.  
Continue Reading

For some time, observers (including me) have been discussing the extent to which the rising numbers of corporate data breaches would translate into to D&O litigation. There of course have been some data breach-related D&O lawsuits;  indeed, plaintiffs’ lawyers have recently for the first time managed to secure some success with these kinds of suits – as discussed here, Yahoo recently settled a data breach related securities class action lawsuit for $80 million. In light of the Yahoo settlement, the possibility for further data breach-related D&O litigation seems likely. But as I was reading the complaint in a securities class action lawsuit filed earlier this week against Facebook, I began to think that a related but slightly different data security-related concern might actually present an even more significant risk of future D&O claims.
Continue Reading