Friday, May 31, 2019
The Delaware Court of Chancery has ruled that plaintiffs suing Facebook established a basis to inspect records relating to compliance with a consent decree
In July 2018, Facebook, Inc. (“Facebook” or the “Company”) experienced one of the sharpest single-day market value declines in history when its stock price dropped 19%, wiping out approximately $120 billion of shareholder wealth. This unprecedented misfortune followed news reports that, in 2015, the private data of 50 million Facebook users had been poached by Cambridge Analytica, a British political consulting firm.
Facebook did not disclose this security breach to its users upon discovery or at any time thereafter. Users first learned of the breach when they read or heard about it in the news.
At the time of the Cambridge Analytica breach, Facebook was subject to a consent decree entered by the Federal Trade Commission (the “FTC”) in 2011 (the “Consent Decree”) after the FTC determined that the Company’s data privacy measures were not protecting users’ private information. Among other things, the Consent Decree required Facebook to implement more robust and verifiable data security protocols.
Soon after news of the Cambridge Analytica breach broke, reports surfaced that Facebook’s business model included incentives to monetize its users’ data without their consent. These reports were followed by news that the FTC, Federal Bureau of Investigation (“FBI”), Securities and Exchange Commission (“SEC”), Department of Justice (“DOJ”), European Information Commissioner’s Office (“ICO”) and other European authorities had all opened investigations into Facebook’s data privacy practices.
On April 11, 2018, Plaintiff, Construction and General Building Laborers’ Local No. 79 General Fund (“Local No. 79”),served a demand to inspect Facebook’s books and records (the “Demand”) under Section 220 of the Delaware General Corporation Law (“Section 220”). As required by statute, Local No. 79 stated that its purpose for inspection was to “investigate and assess the actual and potential wrongdoing, mismanagement, and breaches of fiduciary duties by the members of the Company's Board” in connection with the data privacy breaches and “to investigate the independence and disinterestedness” of the Company’s directors. In response, Facebook produced about 1,700 pages of significantly redacted books and records.
Negotiations over access broke down and suit was filed
Facebook asserted the Complaint failed to plead a credible basis to infer that Facebook’s directors breached their duty of oversight, or any other aspect of their fiduciary duties, because the Cambridge Analytica breach resulted from the unanticipated acts of third parties who had managed to compromise Facebook’s existing (and adequate) data privacy systems.
In the wake of the Consent Decree, Facebook was under a positive obligation to take specific steps to protect its users’ private data. That obligation was firmly in place at the time of the Cambridge Analytica breach. Delaware courts traditionally have viewed stockholder allegations that a board failed to oversee the company’s obligation to comply with positive law, or positive regulatory mandates, more favorably in the Caremark paradigm than allegations that a board failed to oversee the company’s efforts generally to avoid business risk. Plaintiffs have presented “some evidence” that the Board failed to oversee Facebook’s compliance with the Consent Decree resulting in unauthorized access to its users’ private data and attendant consequences to the Company. In other words, Plaintiffs have sustained their minimal burden to demonstrate a credible basis of wrongdoing justifying the inspection of certain of the Company’s books and records.
Judgment is entered for Plaintiffs. Facebook shall produce for inspection the books and records designated herein as essential to Plaintiffs’ pursuit of their proper purpose.