A U.S. judge ordered Facebook Inc to give shareholders emails and other records concerning how the social media company handles data privacy, after data for 87 million users was accessed by the British political consulting firm Cambridge Analytica.
In a 57-page decision on Thursday, which followed a one-day trial in March, Vice Chancellor Joseph Slights of the Delaware Chancery Court said shareholders demonstrated a credible basis to believe Facebook board members may have committed wrongdoing related to data privacy breaches.
Slights noted that Facebook had at the time of the 2015 Cambridge Analytica breach been subject to a U.S. Federal Trade Commission consent decree that required it to bolster its data security measures. The breach was not revealed until March 2018.
“Evidence presented at trial provides a credible basis to infer the board and Facebook senior executives failed to oversee Facebook’s compliance with the consent decree and its broader efforts to protect the private data of its users,” Slights wrote.
Shareholders sued Facebook last September to obtain records related to Cambridge Analytica and other breaches, and said that upon finding wrongdoing, they might sue company officers and directors through a so-called derivative lawsuit.
Derivative lawsuits are brought on behalf of companies, with money recovered from officers and directors, or their insurers, going to the companies themselves.
Facebook’s share price sank 19%, wiping out $120 billion of shareholder wealth, last July 26 after the Menlo Park, California company posted disappointing results in the first full quarter since the Cambridge Analytica breach was revealed, and said it was spending more on security measures.
Cambridge Analytica, hired by U.S. President Donald Trump’s 2016 election campaign, used profiling techniques to predict and influence voter behavior.
It shut down after the breach was disclosed, and several U.S. and European regulatory probes into Facebook ensued.
Facebook Chief Executive Mark Zuckerberg told a U.S. Senate panel in April 2018 that his company discovered the Cambridge Analytica breach in 2015, but neither conducted an audit nor told users and the FTC, Slights wrote.
Slights denied some of the shareholders’ record requests as over broad.
In a footnote, he said his decision stopped well short of concluding that Facebook officers or directors engaged in wrongdoing, and any such determination awaits another day.
The case is In re Facebook Inc Section 220 Litigation, Delaware Chancery Court, No. 2018-0661.