EU’s GDPR quickly results in two D&O securities lawsuits
As previously discussed in this publication, the European Union’s much anticipated General Data Protection Regulation (GDPR) came into force on 25 May 2018, imposing heightened privacy and reporting requirements on organizations that “monitor” or “process” the personal identifiable information of EU residents.
After Facebook Inc.’s (Facebook) recent disappointing quarterly earnings announcement on 25 July 2018, shares plummeted up to 23% in after-hours trading, eradicating approximately $130 billion from the company’s value, literally overnight. In the company’s quarterly earnings call, Facebook executives attributed the falling user base in Europe, which contributed to its poor financial results, to the GDPR privacy regulations. Perhaps predictably, two securities class action lawsuits followed. One of the lawsuits, filed on 27 July 2018 against the company and its CEO, CFO and COO, contained misrepresentation allegations related to Facebook’s statements regarding its GDPR readiness and the impact of GDPR compliance on the company’s operations. The allegations included claims that the defendants made materially false and misleading statements and/or failed to disclose that the decline in Facebook’s platform use and the increase in costs stemming from GDPR compliance had a materially adverse effect on Facebook’s financial health.
On 8 August 2018, a securities class action lawsuit was filed against Nielsen Holdings plc (Nielsen), alongside its CEO and CFO. Nielsen purportedly made various assurances to investors that, because privacy was built into its business processes, the enactment of the GDPR would not impact its business. On 26 July 2018, the company announced that it had not met financial targets for Q2 2018, and that the GDPR was affecting its partners and clients. The company’s stock then declined more than 25% over one day of trading. The subsequent lawsuit contained numerous allegations, among them that certain public representations were materially false and misleading because the company recklessly disregarded its readiness for, and the true risks of, privacy-related regulations and policies, including the GDPR, on its current and future financial and growth prospects.
It remains to be seen what further securities lawsuits will contain GDPR-related allegations. Facebook and Nielsen are far from the only companies that are subject to the legislation. For protection from securities litigation, many companies purchase a directors’ and officers’ (D&O) liability insurance policy which can provide coverage for the entity, and its directors and officers, for defence costs, settlement and judgment amounts resulting from a securities lawsuit.