Frank Hülsberg
Burkhard Fassbach

In the following guest post, Frank Hülsberg, partner and member of the board of directors of Grant Thornton Germany, and Burkhard Fassbach, a D&O-lawyer in private practice in Germany, take a look at key whistleblower considerations relating to GDPR compliance. I would like to thank Frank and Burkhard for allowing me to publish their article. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Frank and Burkhard’s article.
Continue Reading Guest Post: GDPR and Whistleblowing

Two of the most prominent examples of the rise of privacy-related securities class action lawsuits are the Cambridge Analytica scandal-related suit filed against Facebook in March 2018, and the Earnings Miss/GDPR-readiness and compliance-related securities suit filed against Facebook in July 2018. These two lawsuits were ultimately consolidated. In an interesting and detailed September 25, 2019 order, Northern District of California Judge Edward J. Davila granted without prejudice the defendants’ motions to dismiss the consolidated lawsuit, finding that the plaintiffs had failed to adequately plead falsity and scienter. There are a number of interesting features to Judge Davila’s ruling, as discussed below.
Continue Reading Facebook Privacy-Related Securities Suit Dismissed Without Prejudice

Bill Boeck

In a number of prior posts, I suggested that privacy-related issues may be a significant area of potential corporate risk in the months and years ahead. Among the potential sources of risk are the legal requirements of the General Data Protection Regulation (GDPR), the EU’s privacy regulation, which just went into effect in May 2018. Because GDPR is still relatively new, we are still learning what it means in terms of corporate risk. In the following guest post, Bill Boeck takes a look at one interesting and arguably surprising aspect of GDPR’s requirements. Bill is currently Senior Vice President and Insurance and Claims Counsel with the Lockton Companies. He is Lockton’s global leader for cyber claims and for the development of proprietary cyber wordings and endorsements. Bill also leads Lockton’s US financial lines claims practice. A version of this article previously was published on the Lockton Cyber Risk Update Blog. I would like to thank Bill for his willingness to allow me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Bill’s article.
Continue Reading Guest Post: Using Facebook’s “Like” Button May Violate the GDPR

The EU’s General Data Protection Regulation went into effect with great fanfare in May 2018, along with great trepidation about the potential fines regulators might impose for violation of the regulation’s requirements. In the following months, regulators imposed relatively few fines, for relatively modest amounts. However, just in the last several days, the U.K. privacy regulator has announced the potential imposition of two massive GDPR fines, underscoring the regulation’s potential huge impact. The newly announced fines, involving British Airways and Marriott International, have a number of serious implications for other companies, for the future of GDPR enforcement, and for the significance of privacy issues generally as an area of corporate risk.
Continue Reading Massive GDPR Fines Have Serious Implications for Corporate Risk

Libby Benet

In the current environment, most people are aware that there are serious pitfalls and problems involved with data security and privacy. However, business leaders may not always be aware of their legal and ethical duties for securing employee, customer, and partner information. In the following guest post, Libby Benet, JD, CIPP US, Principal Benet Consulting, takes a look at these issues, as well as the important differences between information security and privacy. I would like to thank Libby for allowing me to publish her article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Libby’s article.
Continue Reading Guest Post: Information Security and Privacy – What Business Leaders Need To Know

Bill Boeck

As most readers undoubtedly are aware, the EU’s General Data Protection Regulation went into effect on May 25, 2018. Even though the regulation has only been in effect for a few months, regulators across Europe have already started levying fines under the regulation’s provisions. In the following guest post, Bill Boeck takes a look at the fines that have been imposed so far and considers their implications. Bill is currently Senior Vice President and Insurance and Claims Counsel with the Lockton Companies. He is Lockton’s global leader for cyber claims and for the development of proprietary cyber wordings and endorsements. Bill also leads Lockton’s US financial lines claims practice. A version of this article previously was published on the Lockton Cyber Risk Update Blog. I would like to thank Bill for his willingness to allow me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Bill’s article.
Continue Reading Guest Post: What Can the First GDPR Fines Tell Us?

When the European Union’s updated General Data Protection Regulation (GDPR) went into effect on May 25, 2018, media reports focused on the potentially massive fines that the regulation authorizes – the regulation authorizes fines of up to €20 million or 4 percent of a company’s annual worldwide revenue, whichever is higher, for noncompliance with the regulation’s strict data collection and use requirements. The possibility of regulatory fines of this magnitude immediately raised the question of whether or not insurance is available to protect companies against the huge financial exposure. The answer to this question, it turns out, is complicated.
Continue Reading Are GDPR Fines and Penalties Insurable?

Earlier this year when I questioned whether or not privacy-related issues might represent an important emerging area of corporate liability, I was thinking we might see privacy claims emerge over time. I was thinking a longer time frame, over the course of years. What has happened is that the privacy-related claims are materializing now. As I previously noted, in July investors filed a securities suit against Facebook following the company’s quarterly earnings release that disappointed investors in part because the company’s growth rate was affected by allegedly unanticipated expenses and difficulties in complying with the EU’s updated privacy requirements in the General Data Protection Regulation (GDPR), which went into effect in May.

Investors have now filed an additional lawsuit against a company reporting GDPR-related difficulties. As discussed further below, on August 8, 2018, investors filed a lawsuit against Nielsen Holdings plc after the media performance ratings company disclosed in its quarterly earnings release that GDPR-related changes affected the company’s growth rate, pressured the company’s partners and clients, and disrupted the company’s advertising “ecosystem.”  The Nielsen lawsuit underscores the suggestion that privacy-related concerns could be a significant source of corporate liability.
Continue Reading Investors Filed GDPR-Related Securities Suit Against Nielsen Holdings

It was perhaps inevitable after Facebook’s disappointing quarterly earnings announcement last week triggered what reportedly is the largest single-day share price drop ever that securities class action lawsuits against the company would follow. And indeed on Friday at least two securities class action lawsuits were filed against the company. While the lawsuit filings may have been predictable, at least one of the lawsuits contains an interesting and unexpected variant on the standard pattern – one of the two lawsuits contains allegations that the company made misrepresentations about its readiness for the May 2018 effective date of the General Data Protection Regulation (GDPR) and about the impact of GDPR compliance on the company’s business and operations. As discussed below, these allegations reflect the growing liability exposures arising from growing privacy-related concerns and regulation.
Continue Reading Massive Facebook Stock Drop Draws GDPR-Related Securities Suit

Earlier this year, after Facebook was sued in a securities class action following news that it had given access to personal user information to Cambridge Analytica, I questioned whether privacy issues might represent the next big corporate liability exposure. Among other things, in making this suggestion, I was taking into consideration the fact that the EU’s General Data Protection Regulation (GDPR) was about to go into effect. More recent developments confirm my view that privacy issues likely will represent an area of specific and growing concern and potential liability for companies, their management, and their boards.
Continue Reading California Enacts Sweeping Privacy Legislation