Sponsored content by Lowndes

Officers and directors may be on the hook for data breaches

The FTC’s and the attorney general’s actions are part of an increasing trend to target officers and directors – personally – when their companies fail to enact and enforce sound privacy policies.

Think back to 2018. Remember when Facebook was rocked by the Cambridge Analytica scandal? The social media giant had allegedly shared the information of 87 million users with the data analytics firm for targeted political ads favoring Donald Trump. Facebook is reported to have recently paid $5 billion in fines to the Federal Trade Commission (FTC) related to that action, but two Facebook shareholder suits claim that this payment was improper and intended to short-circuit the FTC’s pursuing individual claims against Mark Zuckerberg, CEO of Facebook. [1]

The District of Columbia’s attorney general last week named Zuckerberg individually in its ongoing suit against Facebook arising from the same scandal. The attorney general claims that after reviewing hundreds of thousands of pages of documents and conducting depositions of former employees and whistleblowers, it has a sufficient basis to believe that Zuckerberg was personally involved in decision-making regarding Cambridge Analytica and the alleged failure to protect user data.

The FTC’s and the district attorney’s actions are part of an increasing trend to target officers and directors – personally – when their companies fail to enact and enforce good privacy policies that plainly state how information will and won’t be used. Both the Federal Trade Commission Act and the California Consumer Privacy Act (now the Consumer Privacy Regulation) call for accessible policies that avoid jargon and legalese, and there is an overall shift toward drafting policies in more easy-to-read language.

That said, a “Privacy Policy” is not a document that is posted and then ignored. Rather, a privacy policy is the seminal document from which the privacy procedures of a company should be developed and flow. What exactly does that mean? It means that once a decision is made regarding the acceptable uses of company-collected data, the company must enact procedures that ensure that any use of that data is consistent with the overall policy.

The development of acceptable use policies is only the beginning. Employees must be trained on the policies and the procedures for handling such data. Reasonable physical, technical and administrative safeguards must also be implemented. A company is not permitted simply to pay lip service to the concept of privacy. If actions aren’t consistent with stated privacy policies and communications, the company could risk civil and, perhaps, criminal liability under both state and federal law.

Officers and directors may also face the increasing threat of class action suits. The Plaintiff’s Class Action Bar continues to push class action law toward supporting personal claims against corporate officers and directors for breach of fiduciary duty regarding security oversight. Consolidated derivative suits against the Yahoo! officers and directors settled for $29 million, including an $8.6 million attorney fee award. The allegations included that the Yahoo! officers and directors were personally liable for a data breach affecting more than 1 billion users.

Similarly, in 2019, while a federal court in Georgia dismissed a class action against the officers and directors of Equifax arising from the Equifax breach, it did not dismiss the claim against the CEO. The theory against the CEO was that he had personal knowledge of the security deficiencies that gave rise to the breach.

Even in corporate-friendly Delaware, where the law permits corporations to isolate officers and directors from personal liability via exculpatory provisions in incorporating papers, officers and directors may still face liability if they fail to prevent a data breach and such failure equates to a violation of the duty of loyalty, bad faith acts/omissions or knowing violations of law. Delaware courts also allow director liability for data breach via a so-called Caremark claim.

Caremark permits a showing of lack of good faith when directors (a) utterly fail to implement any reporting or information system or controls, or (b) despite having such controls, fail to monitor or oversee their operation and thereby prevent themselves from receiving information about dangers requiring their attention. While early attempts to link Caremark with data-breach liability have been rocky, the continuing evolution of the law suggests Caremark claims may succeed as the courts continue to define the standard of care and related duties of corporations vis-à-vis data security. As of now, no legislative national standard exists, leaving the courts to create one from scratch.

What does it all mean? In 2021 and beyond, a company’s CEO, officers and directors must understand that their corporate duties include the responsibility to meaningfully oversee privacy and the use of collected data, and to ensure that reasonable security is in place. Simply assigning someone to write and post a privacy policy is insufficient. Simply handing off security to the director of information technology is no longer enough. Rather, privacy and security now essentially require a cultural shift in organizations.

For more about Lowndes’ technology law services and how we can help you achieve your business goals, visit lowndes-law.com.

Founded in Orlando, Florida in 1969, Lowndes is a multi-discipline business law firm. Our attorneys represent corporate, entrepreneurial and individual clients across multiple industries locally, nationally and beyond our borders, from our offices in Florida, and through Meritas, a global alliance of independent law firms.

Drew Sorrell is an attorney and chair of the Data Governance Group at Lowndes. With expertise in technology, cybersecurity and privacy issues, along with an MBA in marketing and finance, he advises CLOs, CIOs, CTOs and technology owners at companies of all sizes in every phase of their legal needs. Reach him at drew.sorrell@lowndes-law.com.

[1] https://www.nasdaq.com/articles/dc-ag-adds-mark-zuckerbergs-name-in-the-cambridge-analytica-scandal-2021-10-20 (last visited October 25, 2021).
