Russian Interference and Data Privacy: Facebook Stockholders Demand Section 220 Inspection to Investigate Wrongdoing of Board and Senior Management
In In re Facebook, Inc., C.A. No. 2018-0661-JRS (Del Ch. May 30, 2019), the Delaware Court of Chancery granted a Section 220 demand for inspection of Facebook’s books and records, (the “Demand”) for the purpose of investigating potential wrongdoing on the part of the company’s Board of Directors (the “Board”). The consolidated action comes on the heels of news that the data of over 50 million Facebook users were poached by British political consulting firm, Cambridge Analytica and used to influence the 2016 Presidential Election. In April 2018, Plaintiff, Construction and General Building Laborers’ Local No. 79 General Fund (“Local No. 79”), a Facebook stockholder since 2015, served its initial Section 220 Demand. After receiving about 1,700 pages of significantly redacted books and records, Local No. 79 filed the present action to compel production which was consolidated with two similar Section 220 demands. After holding a paper record trial in March 2019, the Court ruled in favor of the Plaintiffs with some limitations on the scope of the demand.
It was clear to regulators long before the Cambridge Analytica breach that Facebook did not have adequate data privacy measures to protect its users’ private information. In 2011, the Federal Trade Commission (the “FTC”) made this determination and entered into a consent decree with Facebook requiring the company to implement more robust and verifiable data security protocols, (the “Consent Decree”). The existence of this Consent Decree would weigh heavily in the Court’s analysis of the Plaintiffs’ Section 220 Demand. Given that there was no dispute that the form and manner was proper, the Court analyzed whether there was a proper purpose for the Demand. After finding a proper purpose, the Court moved to determining the appropriate scope for the Demand.
Here, Plaintiffs sought to use evidence gathered from the Section 220 Demand to show a failure of oversight by the Board. In its proper purpose analysis, the Court noted that an intent to investigate mismanagement or wrongdoing is a proper purpose if the stockholder can prove, by a preponderance of the evidence, a “credible basis” for inferring the wrongdoing occurred. The Court emphasized that the “credible basis” standard is the lowest burden of proof under the law that can be met so long as plaintiffs put forth some evidence of wrongdoing. Further, the Court rejected, as a matter of law, the suggestion that it was required to adjudicate the merits of Plaintiffs’ director oversight claim before allowing the inspection demand to stand. Thus, the Court was able to point to six different facts presented by Plaintiffs that support a credible basis for inferring wrongdoing.
First, the Court looked to the company’s Parliamentary Committee’s report on “Disinformation and ‘Fake News’”, (the “Parliamentary Report”), which described the use of the Cambridge Analytica data in the 2016 Presidential campaign. The report also described emails between Facebook Founder and Chief Executive Officer, Mark Zuckerberg, and Chief Operating Officer, Sheryl Sandberg, that confirm Facebook intentionally and knowingly violated data privacy and competition laws. Additionally, the Parliamentary Report admitted that if Facebook had fully complied with the Consent Decree, the Cambridge Analytica breach would not have happened.
Second, the Court analogized the Consent Decree to positive law that imposed an affirmative obligation on Facebook. The Court noted that Delaware courts are more likely to find oversight liability against a board when a company disobeys positive law. Here, the Court found that the Board acted with disobedience by allowing Facebook to violate its affirmative obligations under the Consent Decree. A third potential wrongdoing was the monetization of access to Facebook user data to third parties. Specifically, Facebook’s business model was reported to include agreements to sell user data to business partners without the user’s consent or knowledge.
Fourth, the Court found a credible basis to infer that the Board knew Facebook was allowing unauthorized third-party access to user data. Specifically, news media reported that Facebook’s Chief Information Security Officer, Alex Stamos, and General Counsel, Colin Stretch reported Russian interference with the Facebook platform and potential data privacy violations to the chairman of the Audit Committee, Erskine B. Bowles and the full Board. Further, reports stated that Whatsapp co-founder, Jan Koum resigned from the Board due to Facebook’s failure to address data privacy issues.
Fifth, the Court held evidence that multiple regulatory authorities were investigating the data privacy lapses was a credible basis to infer wrongdoing. A multibillion dollar fine from the FTC for violation of the Consent Degree and £500,000 fine from the UK’s Information Commissioner’ Office for permitting third party developers to access use information without consent both support the inference of wrongdoing. Finally, the Court found that the numerous lawsuits filed, including consumer class actions, government enforcement actions, and derivatives claims all support a credible basis to infer wrongdoing. Thus, the Court concluded that Plaintiffs met the low evidentiary threshold under Section 220 and turned to evaluating the scope of the Plaintiffs’ Demand.
As a preliminary matter, the Court held that the Plaintiffs’ repeated changes to their initial Demand did not rise to the level of an abuse of the Section 220 process because their stated purposes for inspection remained constant. Instead, the Court chose to hold Plaintiffs to the documents requested in their Pre-Trial Order as refined by the parties’ meet and confer sessions. Of the seven categories of book and records sought, the Court determined that five of the categories were necessary and essential to pursue Plaintiffs’ proper purposes. Therefore, Facebook was required to produce: 1) documents relating to the federal investigations, 2) its policies and procedures with respect to data privacy and access to user data, 3) its audit materials, 4) documents concerning director independence, and 5) electronic communications in the custody of Bowles, Sanberg, Stamos, and Zuckerberg regarding whitelist practices, government investigations, and compliance with the Consent Decree.
Despite the Court’s ruling in favor of the Plaintiffs, it did put some limitations on the Demand request. Facebook was not required to produce correspondence with the FTC at or near the time of the Consent Decree, nor was it required to produce documents related to third party access to Facebook user data beyond the categories ordered. The scope of production was also limited to Board-level documents and communications rather than management-level. Additionally, the Court limited the temporal scope of the production. Rather than reaching back to 2011 as the Plaintiffs requested, the Court set the time period to begin in February 2017 as requested in Plaintiffs’ original Demand. However, the Court extended the time period for audit documents and policies and procedures to the beginning of 2013 in order to capture the time prior to the Cambridge Analytica breach (2014/2015), but long enough after the 2011 Consent Decree for Facebook to be in compliance. Finally, the Court limited the scope of production for the director independence documents to the most recent Board questionnaires given that independence for demand futility purposes is measured at the time the complaint is filed.