Regular readers of this blog know that one of the important emerging D&O liability exposures involves issues arising from privacy concerns. There have, in fact, been a number of important privacy-related D&O claims filed, including lawsuits relating to the EU’s General Data Protection Regulation (GDPR). Among the highest profile of these GDPR-related lawsuits is the securities class action lawsuit filed against U.K.-based media rating firm Nielsen Holdings. The Nielsen securities suit survived a dismissal motion. Now, in the latest development, the Nielsen suit recently settled for $73 million. The settlement is subject to court approval. A copy of the parties’ stipulation of settlement can be found here.
Continue Reading Nielsen Holdings Settles GDPR-Related Securities Suit
GDPR
GDPR-Related Securities Suit Against Nielsen Holdings in Part Survives Dismissal Motion
In prior posts on this site, I have identified privacy-related issues as a potentially important source of future D&O claims. In making these projections, one thing I had in mind was the possibility of claims as a result of the enforcement of the EU’s General Data Protection Regulation, which went into effect in May 2018. There have in fact already been GDPR-related securities class action lawsuits filed in the U.S., including the securities suit filed in August 2018 against U.K.-incorporated media tracking company Nielsen Holdings. In a January 4, 2021 opinion, Southern District of New York Judge Jesse Furman granted in part and denied in part the defendants’ motion to dismiss the Nielsen Holdings lawsuit. Of significance to the questions concerning privacy-related claims, the plaintiff’s allegations concerning defendants’ statements after GDPR went into effect about the GDPR’s impact on the company survived the dismissal motion. A copy of Judge Furman’s opinion can be found here.
In First for U.S. Tech Firm, Twitter Hit with GDPR Fine
On December 15, 2020, the Irish Data Protection Commission (DPC) announced the imposition under the General Data Protection Regulation (GDPR) of a €450,000 fine against the social media company Twitter for its delay in reporting to DPC a data breach the company sustained in late 2018. According to the DPC’s press release about the fine, the DPC’s inquiry concerning the Twitter data breach was the first to go through the GDPR “dispute resolution” process since the GDPR’s introduction and was also the first decision in a “big tech” case in which all EU supervisory authorities were consulted as Concerned Supervisory Authorities. The DPC’s December 9, 2020 order can be found here. The DPC’s December 15, 2020 press release can be found here.
Guest Post: GDPR and Whistleblowing
In the following guest post, Frank Hülsberg, partner and member of the board of directors of Grant Thornton Germany, and Burkhard Fassbach, a D&O-lawyer in private practice in Germany, take a look at key whistleblower considerations relating to GDPR compliance. I would like to thank Frank and Burkhard for allowing me to publish their article. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Frank and Burkhard’s article.
Facebook Privacy-Related Securities Suit Dismissed Without Prejudice
Two of the most prominent examples of the rise of privacy-related securities class action lawsuits are the Cambridge Analytica scandal-related suit filed against Facebook in March 2018, and the Earnings Miss/GDPR-readiness and compliance-related securities suit filed against Facebook in July 2018. These two lawsuits were ultimately consolidated. In an interesting and detailed September 25, 2019 order (here), Northern District of California Judge Edward J. Davila granted without prejudice the defendants’ motions to dismiss the consolidated lawsuit, finding that the plaintiffs had failed to adequately plead falsity and scienter. There are a number of interesting features to Judge Davila’s ruling, as discussed below.
Guest Post: Using Facebook’s “Like” Button May Violate the GDPR
In a number of prior posts, I suggested that privacy-related issues may be a significant area of potential corporate risk in the months and years ahead. Among the potential sources of risk are the legal requirements of the General Data Protection Regulation (GDPR), the EU’s privacy regulation, which just went into effect in May 2018. Because GDPR is still relatively new, we are still learning what it means in terms of corporate risk. In the following guest post, Bill Boeck takes a look at one interesting and arguably surprising aspect of GDPR’s requirements. Bill is currently Senior Vice President and Insurance and Claims Counsel with the Lockton Companies. He is Lockton’s global leader for cyber claims and for the development of proprietary cyber wordings and endorsements. Bill also leads Lockton’s US financial lines claims practice. A version of this article previously was published on the Lockton Cyber Risk Update Blog. I would like to thank Bill for his willingness to allow me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Bill’s article.
Massive GDPR Fines Have Serious Implications for Corporate Risk
The EU’s General Data Protection Regulation went into effect with great fanfare in May 2018, along with great trepidation about the potential fines regulators might impose for violation of the regulation’s requirements. In the following months, regulators imposed relatively few fines, for relatively modest amounts. However, just in the last several days, the U.K. privacy regulator has announced the potential imposition of two massive GDPR fines, underscoring the regulation’s potentially huge impact. The newly announced fines, involving British Airways and Marriott International, have a number of serious implications for other companies, for the future of GDPR enforcement, and for the significance of privacy issues generally as an area of corporate risk.
Guest Post: Information Security and Privacy – What Business Leaders Need To Know
In the current environment, most people are aware that there are serious pitfalls and problems involved with data security and privacy. However, business leaders may not always be aware of their legal and ethical duties for securing employee, customer, and partner information. In the following guest post, Libby Benet, JD, CIPP US, Principal Benet Consulting, takes a look at these issues, as well as the important differences between information security and privacy. I would like to thank Libby for allowing me to publish her article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Libby’s article.
Guest Post: What Can the First GDPR Fines Tell Us?
As most readers undoubtedly are aware, the EU’s General Data Protection Regulation went into effect on May 25, 2018. Even though the regulation has only been in effect for a few months, regulators across Europe have already started levying fines under the regulation’s provisions. In the following guest post, Bill Boeck takes a look at the fines that have been imposed so far and considers their implications. Bill is currently Senior Vice President and Insurance and Claims Counsel with the Lockton Companies. He is Lockton’s global leader for cyber claims and for the development of proprietary cyber wordings and endorsements. Bill also leads Lockton’s US financial lines claims practice. A version of this article previously was published on the Lockton Cyber Risk Update Blog. I would like to thank Bill for his willingness to allow me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Bill’s article.
Are GDPR Fines and Penalties Insurable?
When the European Union’s updated General Data Protection Regulation (GDPR) went into effect on May 25, 2018, media reports focused on the potentially massive fines that the regulation authorizes – the regulation authorizes fines of up to €20 million or 4 percent of a company’s annual worldwide revenue, whichever is higher, for noncompliance with the regulation’s strict data collection and use requirements. The possibility of regulatory fines of this magnitude immediately raised the question of whether or not insurance is available to protect companies against the huge financial exposure. The answer to this question, it turns out, is complicated.