In prior posts on this site, I have identified privacy-related issues as a potentially important source of future D&O claims. In making these projections, one thing I had in mind was the possibility of claims as a result of the enforcement of the EU’s General Data Protection Regulation, which went into effect in May 2018. There have in fact already been GDPR-related securities class action lawsuits filed in the U.S., including the securities suit filed in August 2018 against U.K.-incorporated media tracking company Nielsen Holdings. In a January 4, 2021 opinion, Southern District of New York Judge Jesse Furman granted in part and denied in part the defendants’ motion to dismiss the Nielsen Holdings lawsuit. Of significance to the questions concerning privacy-related claims, the plaintiff’s allegations concerning defendants’ statements after GDPR went into effect about the GDPR’s impact on the company survived the dismissal motion. A copy of Judge Furman’s opinion can be found here.
Continue Reading GDPR-Related Securities Suit Against Nielsen Holdings in Part Survives Dismissal Motion

On December 15, 2020, the Irish Data Protection Commission (DPC) announced the imposition under the General Data Protection Regulation (GDPR) of a €450,000 fine against the social media company Twitter for its delay in reporting to the DPC a data breach the company sustained in late 2018. According to the DPC’s press release about the fine, the DPC’s inquiry concerning the Twitter data breach was the first to go through the GDPR “dispute resolution” process since the GDPR’s introduction and was also the first decision in a “big tech” case in which all EU supervisory authorities were consulted as Concerned Supervisory Authorities. The DPC’s December 9, 2020 order can be found here. The DPC’s December 15, 2020 press release can be found here.
Continue Reading In First for U.S. Tech Firm, Twitter Hit with GDPR Fine

Frank Hülsberg
Burkhard Fassbach

In the following guest post, Frank Hülsberg, partner and member of the board of directors of Grant Thornton Germany, and Burkhard Fassbach, a D&O-lawyer in private practice in Germany, take a look at key whistleblower considerations relating to GDPR compliance. I would like to thank Frank and Burkhard for allowing me to publish their article. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Frank and Burkhard’s article.
Continue Reading Guest Post: GDPR and Whistleblowing

Two of the most prominent examples of the rise of privacy-related securities class action lawsuits are the Cambridge Analytica scandal-related suit filed against Facebook in March 2018, and the Earnings Miss/GDPR-readiness and compliance-related securities suit filed against Facebook in July 2018. These two lawsuits were ultimately consolidated. In an interesting and detailed September 25, 2019 order (here), Northern District of California Judge Edward J. Davila granted without prejudice the defendants’ motions to dismiss the consolidated lawsuit, finding that the plaintiffs had failed to adequately plead falsity and scienter. There are a number of interesting features to Judge Davila’s ruling, as discussed below.
Continue Reading Facebook Privacy-Related Securities Suit Dismissed Without Prejudice

Bill Boeck

In a number of prior posts, I suggested that privacy-related issues may be a significant area of potential corporate risk in the months and years ahead. Among the potential sources of risk are the legal requirements of the General Data Protection Regulation (GDPR), the EU’s privacy regulation, which just went into effect in May 2018. Because GDPR is still relatively new, we are still learning what it means in terms of corporate risk. In the following guest post, Bill Boeck takes a look at one interesting and arguably surprising aspect of GDPR’s requirements. Bill is currently Senior Vice President and Insurance and Claims Counsel with the Lockton Companies. He is Lockton’s global leader for cyber claims and for the development of proprietary cyber wordings and endorsements. Bill also leads Lockton’s US financial lines claims practice. A version of this article previously was published on the Lockton Cyber Risk Update Blog. I would like to thank Bill for his willingness to allow me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Bill’s article.
Continue Reading Guest Post: Using Facebook’s “Like” Button May Violate the GDPR

The EU’s General Data Protection Regulation went into effect with great fanfare in May 2018, along with great trepidation about the potential fines regulators might impose for violation of the regulation’s requirements. In the following months, regulators imposed relatively few fines, for relatively modest amounts. However, just in the last several days, the U.K. privacy regulator has announced the potential imposition of two massive GDPR fines, underscoring the regulation’s potentially huge impact. The newly announced fines, involving British Airways and Marriott International, have a number of serious implications for other companies, for the future of GDPR enforcement, and for the significance of privacy issues generally as an area of corporate risk.
Continue Reading Massive GDPR Fines Have Serious Implications for Corporate Risk

Libby Benet

In the current environment, most people are aware that there are serious pitfalls and problems involved with data security and privacy. However, business leaders may not always be aware of their legal and ethical duties for securing employee, customer, and partner information. In the following guest post, Libby Benet, JD, CIPP US, Principal, Benet Consulting, takes a look at these issues, as well as the important differences between information security and privacy. I would like to thank Libby for allowing me to publish her article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Libby’s article.
Continue Reading Guest Post: Information Security and Privacy – What Business Leaders Need To Know

Bill Boeck

As most readers undoubtedly are aware, the EU’s General Data Protection Regulation went into effect on May 25, 2018. Even though the regulation has only been in effect for a few months, regulators across Europe have already started levying fines under the regulation’s provisions. In the following guest post, Bill Boeck takes a look at the fines that have been imposed so far and considers their implications. Bill is currently Senior Vice President and Insurance and Claims Counsel with the Lockton Companies. He is Lockton’s global leader for cyber claims and for the development of proprietary cyber wordings and endorsements. Bill also leads Lockton’s US financial lines claims practice. A version of this article previously was published on the Lockton Cyber Risk Update Blog. I would like to thank Bill for his willingness to allow me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Bill’s article.
Continue Reading Guest Post: What Can the First GDPR Fines Tell Us?

When the European Union’s updated General Data Protection Regulation (GDPR) went into effect on May 25, 2018, media reports focused on the potentially massive fines that the regulation authorizes – the regulation authorizes fines of up to €20 million or 4 percent of a company’s annual worldwide revenue, whichever is higher, for noncompliance with the regulation’s strict data collection and use requirements. The possibility of regulatory fines of this magnitude immediately raised the question of whether or not insurance is available to protect companies against the huge financial exposure. The answer to this question, it turns out, is complicated.
Continue Reading Are GDPR Fines and Penalties Insurable?

Earlier this year when I questioned whether or not privacy-related issues might represent an important emerging area of corporate liability, I was thinking we might see privacy claims emerge over time. I was thinking of a longer time frame, over the course of years. What has happened is that the privacy-related claims are materializing now. As I previously noted, in July investors filed a securities suit against Facebook following the company’s quarterly earnings release that disappointed investors in part because the company’s growth rate was affected by allegedly unanticipated expenses and difficulties in complying with the EU’s updated privacy requirements in the General Data Protection Regulation (GDPR), which went into effect in May.

Investors have now filed an additional lawsuit against a company reporting GDPR-related difficulties. As discussed further below, on August 8, 2018, investors filed a lawsuit against Nielsen Holdings plc after the media performance ratings company disclosed in its quarterly earnings release that GDPR-related changes affected the company’s growth rate, pressured the company’s partners and clients, and disrupted the company’s advertising “ecosystem.” The Nielsen lawsuit underscores the suggestion that privacy-related concerns could be a significant source of corporate liability.
Continue Reading Investors Filed GDPR-Related Securities Suit Against Nielsen Holdings