IN THE COURT OF CHANCERY OF THE STATE OF DELAWARE
IN RE FACEBOOK, INC. : CONSOLIDATED
SECTION 220 LITIGATION : C.A. No. 2018-0661-JRS
MEMORANDUM OPINION
Date Submitted: March 7, 2019
Date Decided: May 30, 2019
Samuel L. Closic, Esquire of Prickett, Jones & Elliott, P.A., Wilmington, Delaware
and Frank R. Schirripa, Esquire and Daniel B. Rehns, Esquire of Hach Rose
Schirripa & Cheverie LLP, New York, New York, Attorneys for Plaintiff
Construction and General Building Laborers’ Local Union No. 79 General Fund and
Co-Lead Counsel.
Peter B. Andrews, Esquire, Craig J. Springer, Esquire and David M. Sborz, Esquire
of Andrews & Springer, LLC, Wilmington, Delaware; Geoffrey M. Johnson,
Esquire of Scott+Scott Attorneys At Law LLP, Cleveland Heights, Ohio; and
Donald A. Broggi, Esquire, Scott R. Jacobsen, Esquire and Jing-Li Yu, Esquire of
Scott+Scott Attorneys At Law LLP, New York, New York, Attorneys for Plaintiff
City of Birmingham Relief and Retirement System and Additional Counsel for
Plaintiffs.
Ryan M. Ernst, Esquire of O’Kelly Ernst & Joyce, LLC, Wilmington, Delaware and
Thomas J. McKenna, Esquire and Gregory M. Egleston, Esquire of Gainey
McKenna & Egleston, New York, New York, Attorneys for Plaintiff Lidia Levy and
Additional Counsel for Plaintiffs.
David E. Ross, Esquire and R. Garrett Rice, Esquire of Ross Aronstam &
Moritz LLP, Wilmington, Delaware; Orin Snyder, Esquire of Gibson, Dunn &
Crutcher LLP, New York, New York; Kristin A. Linsley, Esquire and Brian M. Lutz,
Esquire of Gibson, Dunn & Crutcher LLP, San Francisco, California; Paul J. Collins,
Esquire of Gibson, Dunn & Crutcher LLP, Palo Alto, California; and Joshua S.
Lipshutz, Esquire of Gibson, Dunn & Crutcher LLP, Washington, D.C., Attorneys
for Defendant Facebook, Inc.
SLIGHTS, Vice Chancellor
In July 2018, Facebook, Inc. (“Facebook” or the “Company”) experienced one
of the sharpest single-day market value declines in history when its stock price
dropped 19%, wiping out approximately $120 billion of shareholder wealth. This
unprecedented misfortune followed news reports that, in 2015, the private data of
50 million Facebook users had been poached by Cambridge Analytica, a British
political consulting firm.1 Facebook did not disclose this security breach to its users
upon discovery or at any time thereafter. Users first learned of the breach when they
read or heard about it in the news.
At the time of the Cambridge Analytica breach, Facebook was subject to a
consent decree entered by the Federal Trade Commission (the “FTC”) in 2011
(the “Consent Decree”) after the FTC determined that the Company’s data privacy
measures were not protecting users’ private information. Among other things, the
Consent Decree required Facebook to implement more robust and verifiable data
security protocols.
Soon after news of the Cambridge Analytica breach broke, reports surfaced
that Facebook’s business model included incentives to monetize its users’ data
without their consent. These reports were followed by news that the FTC, Federal
Bureau of Investigation (“FBI”), Securities and Exchange Commission (“SEC”),
1
The more current data indicates that the breach affected more than 87 million users.
JX 52.
1
Department of Justice (“DOJ”), European Information Commissioner’s Office
(“ICO”) and other European authorities had all opened investigations into
Facebook’s data privacy practices.
On April 11, 2018, Plaintiff, Construction and General Building Laborers’
Local No. 79 General Fund (“Local No. 79”), served a demand to inspect Facebook’s
books and records (the “Demand”) under Section 220 of the Delaware General
Corporation Law (“Section 220”).2 As required by statute,3 Local No. 79 stated that
its purpose for inspection was to “investigate and assess the actual and potential
wrongdoing, mismanagement, and breaches of fiduciary duties by the members of
the Company's Board” in connection with the data privacy breaches and “to
investigate the independence and disinterestedness” of the Company’s directors.4 In
response, Facebook produced about 1,700 pages of significantly redacted books and
records.
2
8 Del. C. § 220. As explained below, several other Facebook stockholders followed Local
No. 79 in directing Section 220 demands to Facebook. By order dated October 11, 2018,
the Court deemed Local No. 79’s Demand to be the operative demand. D.I. 17.
3
8 Del. C. § 220(b).
4
JX 54 (Local No. 79’s Demand to Inspect Books and Records) at 6.
2
When discussions between the parties regarding the scope of Facebook’s
production broke down, Local No. 79 filed its Verified Complaint to Compel
Inspection on September 6, 2018.5 In its answer to that Complaint, Facebook denied
Plaintiff had stated a proper purpose for inspection and maintained that, even if a
proper purpose had been stated, Plaintiff was not entitled to inspect any documents
beyond those already produced.6 Specifically, Facebook asserted the Complaint
failed to plead a credible basis to infer that Facebook’s directors breached their duty
of oversight, or any other aspect of their fiduciary duties, because the Cambridge
Analytica breach resulted from the unanticipated acts of third parties who had
managed to compromise Facebook’s existing (and adequate) data privacy systems.
The parties agreed to a “paper record” trial (i.e., without deposition or live
testimony). After carefully reviewing the evidence and the arguments of counsel,
I conclude in this post-trial decision that Plaintiffs have demonstrated, by a
preponderance of the evidence, a credible basis from which the Court can infer that
5
I cite to Local Union No. 79’s Verified Complaint (“Complaint”) as “Compl. ¶ __.”
(D.I. 1). Plaintiffs, City of Birmingham Retirement and Relief System (“Birmingham”)
and Lidia Levy (together with Local 79, “Plaintiffs”), also filed complaints seeking to
enforce their inspection rights under Section 220. The Court has designated the Local
Union No. 79 Complaint as the operative complaint for purposes of this consolidated
action. See D.I. 17. I cite to the Pre-Trial Stipulation and Order (“PTO”) as “PTO ¶ __.”
(D.I. 32).
6
Defendant’s Answer and Defenses to Plaintiff’s Verified Complaint Pursuant to 8 Del. C.
§ 220 (“Answer”) ¶¶ 3, 4. (D.I. 11).
3
wrongdoing occurred at the Board level in connection with the data privacy breaches
that are the subject of this action. In so finding, I reject, as a matter of law,
Facebook’s implicit suggestion that I must adjudicate the merits of Plaintiffs’
Caremark claim before allowing an otherwise proper demand for inspection to stand.
This is not the time for a merits assessment of Plaintiffs’ potential claims against
Facebook’s fiduciaries. The “credible basis” standard applicable in this Section 220
action imposes the lowest burden of proof known in our law and asks a
fundamentally different question than would be asked at a trial on the merits: has the
stockholder presented “some evidence” to support an inference of wrongdoing that
would justify allowing the stockholder to inspect Facebook’s books and records?7
While this court consistently reminds stockholders that a Caremark claim
“is possibly the most difficult theory upon which a plaintiff might hope to win a
judgment,”8 that admonition does not license this court to alter the minimum burden
of proof governing a stockholder’s qualified right to inspect books and records.
7
Seinfeld v. Verizon Commc’ns, Inc., 909 A.2d 117, 118 (Del. 2006) (“We reaffirm the
well-established law of Delaware that stockholders seeking inspection under Section 220
must present ‘some evidence’ to suggest a ‘credible basis’ from which a court can infer
that mismanagement, waste or wrongdoing may have occurred.”).
8
In re Caremark Int’l Deriv. Litig., 698 A.2d 959, 967 (Del. Ch. 1996).
4
In the wake of the Consent Decree, Facebook was under a positive obligation
to take specific steps to protect its users’ private data. That obligation was firmly in
place at the time of the Cambridge Analytica breach. Delaware courts traditionally
have viewed stockholder allegations that a board failed to oversee the company’s
obligation to comply with positive law, or positive regulatory mandates, more
favorably in the Caremark paradigm than allegations that a board failed to oversee
the company’s efforts generally to avoid business risk. Plaintiffs have presented
“some evidence” that the Board failed to oversee Facebook’s compliance with the
Consent Decree resulting in unauthorized access to its users’ private data and
attendant consequences to the Company. In other words, Plaintiffs have sustained
their minimal burden to demonstrate a credible basis of wrongdoing justifying the
inspection of certain of the Company’s books and records.9
Judgment is entered for Plaintiffs. Facebook shall produce for inspection the
books and records designated herein as essential to Plaintiffs’ pursuit of their proper
purpose.
9
At the risk of prolixity, I emphasize this Opinion stops well short of concluding that
Facebook fiduciaries engaged in any wrongdoing in connection with any data privacy
breaches that may have occurred at the Company. That merits-based determination awaits
another day.
5
I. FACTUAL BACKGROUND
The Court presided over a one-day trial on March 7, 2019. The following
facts were proven by a preponderance of the evidence against the backdrop of the
credible basis standard.10
A. The Parties
Local No. 79 has continuously owned Facebook stock since June 17, 2015.11
Defendant, Facebook, is a Delaware corporation that operates the Facebook social
10
At the outset of this recitation of facts, I acknowledge that Plaintiffs’ evidence, by
necessity, is comprised of publically available information, including a heavy dose of
newspaper and other news media reports. I am mindful that these reports are hearsay.
Even so, in a Section 220 proceeding, “[h]earsay statements may be considered, provided
they are sufficiently reliable.” Amalgamated Bank v. Yahoo! Inc., 132 A.3d 752, 778 (Del.
Ch. 2016). See also, In re Plains All Am. Pipeline, L.P., 2017 WL 6066570, at *3–4
(Del. Ch. Aug. 8, 2017) (ORDER) (relying on Los Angeles Times article to find that
stockholder had stated a credible basis to suspect wrongdoing for purposes of Section 220);
Paul v. China MediaExpress Hldgs., Inc., 2012 WL 28818, at *4 (Del. Ch. Jan. 5, 2012)
(finding plaintiff stated credible basis to suspect wrongdoing, in part, based on the
plaintiff’s identification of “numerous third-party media reports alleging fraudulent
conduct by the [company’s] officers and directors”); Leonard v. Texas, 137 S.Ct. 847, 848
(2017) (denying certiorari and relying on articles from the Washington Post and The New
Yorker for factual propositions concerning civil forfeiture). For the most part, I have
referred to the news reports as chronological markers of the events that have unfolded since
the entry of the Consent Decree. Unless otherwise indicated, I have not viewed these
reports as standalone evidence of wrongdoing at the Company. As discussed below, many
of the reports either have been acknowledged by the Company or have been corroborated
by other investigations.
11
JX 54 at 11. The other Plaintiffs also owned Facebook stock at the time they submitted
their demands—Birmingham since June 22, 2012 (JX 56) and Levy since May 12, 2012
(JX 58).
6
media platform.12 Facebook’s principal executive offices are in Menlo Park,
California.13
B. Facebook’s Business
Mark Zuckerberg founded Facebook in 2004. He serves as the Company’s
CEO and Chairman of its Board of Directors (the “Board”).14 Facebook is a social
media platform that enables its more than 2.2 billion active users to stay in touch
with friends and family, develop connections, learn about world events and circulate
individual commentary.15
As part of its business model, Facebook allows independent third-party
developers to place their applications or links to their websites (collectively, “apps”)
on the Facebook platform.16 Once apps are placed on the platform, Facebook’s users
can open the apps to interact with their Facebook “friends” through games or other
app content.17 In turn, Facebook, by agreement, allows the third-party app providers
to “whitelist,” or access, not only the data of a user that has opened the app but also
12
PTO ¶ 2.
13
Id.
14
Id. ¶ 3.
15
Answer ¶¶ 7, 8.
16
JX 103 (the Parliamentary Committee’s report on “Disinformation and ‘Fake News’”)
(the “Parliamentary Report”).
17
Id.
7
the data of that user’s Facebook “friends.”18 According to Plaintiffs, this practice of
allowing its partners to whitelist Facebook user data has made Facebook much more
vulnerable to data breaches.
C. The FTC Consent Decree
In November 2011, Facebook entered into the Consent Decree with the FTC
as the culmination of the FTC’s investigation into Facebook’s allegedly inadequate
data privacy practices.19 The Consent Decree mandates that Facebook develop and
maintain a comprehensive privacy program subject to regular assessments by a third-
party data security firm.20 The privacy program was required to (1) address privacy
risks correlated with the development and management of new and existing products
and services for consumers; and (2) protect the privacy and confidentiality of
“covered information”––personal consumer information Facebook gathered from
consumers’ interactions with the Facebook platform.21
18
See Tr. 18:9–12 (“[T]here’s a concept in Facebook, it’s a term of art . . . and it’s called
whitelisting. And it essentially gives a third party access to the entire data profile of a user
and in some instances can also give the third party access to data profiles of the user’s
friends.”). See also, JX 12; JX 103.
19
Answer ¶ 8; JX 1.
20
JX 1; JX 37.
21
JX 1 at § IV.
8
To implement the Consent Decree’s broad mandate, Facebook was required
to execute a plan to secure its user’s private data that was commensurate in scale
with the size of the Company’s user base and the complexity of its platform.22 It also
was required to track data protection outcomes in writing and to place specified
employees in positions where they could execute privacy risk assessments and
develop steps to protect the covered information as defined in the Consent Decree.23
The Company’s compliance with these mandates was to be subject to initial and
biennial assessments by an independent, experienced privacy and data protection
professional for a period of 20 years.24 During this prescribed monitoring period,
Facebook was required to inform all current and future principals, officers, directors
and managers of the specific content of the Consent Decree.25 The implementation
of the Consent Decree was to be monitored at the Board level by Facebook’s Audit
Committee.26
22
Under the privacy program, Facebook must undergo fixed internal privacy and security
risk assessments, require employees to participate in privacy training programs, guarantee
that its user and developer privacy policies and controls are crystal clear and easily
accessed, and measure and strengthen its privacy program under the direction of its privacy
governance team. See JX 37 at 7–14; JX 24 at 660.
23
JX 1 at § IV.
24
JX 1 at § V.
25
Id. at §§ VII, X.
26
JX 39 at 1468; JX 41 at 1593; JX 29 at 998; JX 13 at 401.
9
In the three bi-annual assessments completed after the entry of the Consent
Decree, an independent data privacy firm attested that Facebook had invoked
privacy controls “meet[ing] or exceed[ing] the protections required” under the
Consent Decree.27 The independent firm additionally verified that Facebook’s
privacy program “has built-in procedures to evaluate and adjust the Privacy Program
in light of testing and monitoring results, as well as other relevant circumstances.”28
In 2017, Facebook’s privacy team detected 370,000 noncompliant apps and took
corrective measures that varied from instituting constraints, to delivering cease-and-
desist letters, to eliminating the apps from the Platform.29
D. The Cambridge Analytica Breach
In 2013, Aleksandr Kogan, a Cambridge University professor and data
researcher, created a personality “quiz” app called “thisisyourdigitallife.”30 In 2014,
the app went live on the Facebook Platform, positioning itself as a “research app
used by psychologists” and assuring users that the results of the quiz would be
utilized only for academic purposes.31 About 270,000 users installed the app and
27
JX 37 at 19; JX 6; JX 27.
28
JX 37 at 14; see, e.g., JX 42 at 1627–29, 1637; JX 35 at 1352.
29
JX 67 at 9.
30
JX 44 at 2.
31
Id.
10
agreed to share their personal data, as well as aspects of their Facebook friends’
personal data.32 At the time, Facebook’s policies permitted this data sharing to
varying degrees depending on the friends’ privacy and application settings.33
In December 2015, The Guardian published a story reporting that Kogan’s
company, Global Science Research (“GSR”), sold the data of millions of Facebook
users as collected on the “thisisyourdigitalife” app to Cambridge Analytica in
violation of Facebook’s data use and platform policies.34 The article reported
Cambridge Analytica used the data to develop psychological profiles of U.S.
voters.35 Following the article’s release, the Company blocked Kogan and his app
from Facebook and obtained written verifications from Kogan, GSR, Cambridge
Analytica, a Cambridge Analytica employee and others that all Facebook user data
in their possession had been destroyed.36 Cambridge Analytica’s CEO, Alexander
Nix, then testified before the Parliament of the United Kingdom and later confirmed
32
Id.
33
JX 10; JX 30.
34
JX 30; JX 98; see JX 53 (At an April 10, 2018 combined hearing of the Senate Judiciary
and Commerce, Science and Transportation Committees (the “April 10 Senate Hearing”),
Senator Richard Blumenthal noted that the terms of service between Facebook and Kogan
explicitly allowed Kogan to sell that data.).
35
JX 30.
36
JX 44 at 2; JX 50.
11
in writing to the House of Commons that Cambridge Analytica neither owned nor
utilized Facebook user data.37 With that, Facebook believed the issue was resolved.
On March 17, 2018, The New York Times and The Guardian reported that, in
2015, Cambridge Analytica had misappropriated Facebook user data via Kogan’s
app––resurfacing the issue.38 This time, though, the articles went a step further,
revealing Cambridge Analytica lied when it conveyed to Facebook in 2016 that it
had deleted all the user data.39 Instead, according to the reports, Cambridge
Analytica kept the data and deployed it in connection with the 2016 Presidential
campaign.40 The New York Times also reported that, in response to multiple requests
for information, Facebook “downplayed the scope of the leak and questioned
whether any of the data still remained out of its control.”41 After these reports
37
JX 43; JX 46.
38
JX 45; JX 46. See also, JX 53 (Zuckerberg acknowledged at the April 10 Senate Hearing,
“[w]hat we know now is that Cambridge Analytica improperly accessed some information
about millions of Facebook members by buying it from an app developer.”).
39
JX 45; JX 46. See JX 53 (Zuckerberg further testified at the April 10 Senate hearing,
“[w]hen we first contacted Cambridge Analytica, they told us that they had deleted the
data. About a month ago, we heard new reports that suggested that wasn’t true.”).
40
JX 45; JX 46. See also, JX 53 at 17 (At the April 10 Senate Hearing, Senator Maria
Cantwell stated, “Cambridge Analytica was providing support to the Trump campaign
under Project Alamo[.]”); JX 103 at 42 (the Parliamentary Report describing the use of
Cambridge Analytica’s data in the 2016 Presidential campaign).
41
JX 45 at 2.
12
surfaced, Facebook suspended Cambridge Analytica and its employees from the
Facebook platform.42
On March 20, 2018, Bloomberg News provided further color by detailing the
many investigations that had been launched into Facebook’s data security
practices.43 Among the investigations mentioned, the article reported that the FTC
had opened an investigation into whether Facebook violated the 2011 Consent
Decree.44 According to the article, the FTC would soon deliver a notice to Facebook
detailing its concerns that the Company was not complying with the Consent Decree
and generally was not protecting its users’ private data.45 Six congressional
committees likewise had opened investigations into how Cambridge Analytica
managed to access the personal data of 50 million Facebook users.46 In response,
Facebook reportedly led staff-level briefings to prepare for inquiries by the
42
JX 44; JX 50.
43
JX 47.
44
Id. See JX 51 (the FTC’s March 26, 2018 press release confirming it was currently
pursuing a non-public investigation into Facebook’s privacy practices and compliance with
the Consent Decree).
45
JX 47.
46
Id.
13
Judiciary, Commerce and Intelligence Committees of both congressional
Chambers.47
On the same day the Bloomberg News story was published, The New York
Times reported that Alex Stamos, Facebook’s Chief Information Security Officer,
had decided to leave the Company.48 According to this report, Stamos advocated
for transparency regarding Russian agents’ use of Facebook to influence the 2016
Presidential election, but faced immutable “resistance” from the Company.49
On March 21, 2018, Bloomberg News reported a former Facebook operations
manager, Sandy Parakilas, had advised British lawmakers that he warned senior
executives at the Company about inadequate data protection guidelines but the
warnings were ignored.50 Parakilas made clear he had mapped out the data security
weaknesses within the platform, including a list of bad and potentially bad actors,
how these actors might exploit user data and the risks to which the Company might
47
Id. at 2–3.
48
JX 48. See Tr. 44:10–14.
49
Id. JX 103 at 74 (The U.K. House of Commons Digital, Culture, Media and Sports
Committee (the “Parliamentary Committee”) was “left with the impression that either
Simon Milner [Policy Director for the U.K., Middle East and Africa, at Facebook] or Mike
Schroepfer [Facebook’s Chief Technology Officer] deliberately misled the Committee or
they were deliberately not briefed by senior executives at Facebook about the extent of
Russian interference in foreign elections.”).
50
JX 49. See JX 53 at 35 (Senator Richard Blumenthal submitted a letter from Parakilas
indicating “not only a lack of resources, but lack of attention to privacy [at the
Company].”).
14
be exposed if a data breach occurred.51 Parakilas stated Facebook could have
avoided the Cambridge Analytica breach, but instead permitted third parties to
obtain users’ personally identifiable data in furtherance of its whitelist agenda.52
On March 26, 2018, the FTC issued a press release confirming it was pursuing
a non-public investigation into Facebook’s privacy practices and compliance with
the Consent Decree.53 In the press release, the FTC’s acting director, Thomas Pahl,
explained that the FTC’s primary means for maintaining consumer privacy was to
initiate enforcement actions when companies, like Facebook, failed to honor
commitments they made to maintain their customers’ privacy.54 He then emphasized
Facebook had an affirmative obligation to comply with the Consent Decree’s
privacy and data security requirements.55
On April 4, 2018, The New York Times reported the number of Facebook users
affected by the Cambridge Analytica data breach had grown from 50 million to
87 million.56 The article made a point to report that Facebook had not disclosed that
51
JX 49.
52
Id.
53
JX 51.
54
Id.
55
Id.
56
JX 52.
15
figure voluntarily, and then made the disturbing revelation that certain Facebook
search and account recovery functions may have exposed “most” of its 2 billion
users to outside parties’ information harvesting.57
The bad reports kept coming. On April 30, 2018, The New York Times
reported that Jan Koum, the founder of Facebook subsidiary, WhatsApp, and a
member of Facebook’s Board, had announced his plans to leave the Company amidst
reports that he had “grown increasingly concerned about Facebook’s position on
user data in recent years,” “was perturbed by the amount of information that
Facebook collected on people” and “wanted stronger protections for that data.” 58
Mr. Koum reportedly “personally got along with Mark Zuckerberg, Facebook’s
chief executive, [but] felt the company’s board simply paid lip service to the privacy
and security concerns he raised.”59
57
Id. See also, JX 103 at 22 (the ICO “fined Facebook because it allowed applications and
application developers to harvest the personal information of its customers who had not
given their informed consent—think of friends, and friends of friends— and then Facebook
failed to keep the information safe.”).
58
JX 57.
59
Id.
16
E. Zuckerberg Testifies Before Congress
On March 21, 2018, USA Today reported that Zuckerberg, for the first time,
had spoken on behalf of Facebook about the Cambridge Analytica breach.60
Zuckerberg characterized the controversy as “a breach of trust between Facebook
and the people who share their data with us and expect us to protect it.”61 In response
to his remarks, analysts observed, “Facebook exhibits signs of systemic
mismanagement, [] a new concern [] not contemplated until recently.”62
Within weeks of the USA Today article, Zuckerberg testified at the April 10
Senate Hearing, where he acknowledged that Facebook discovered the Cambridge
Analytica data breach in 2015, but elected not to conduct an audit concerning the
scope of that breach.63 After Facebook told Cambridge Analytica to erase and
discontinue using the collected data, the Company “considered it a closed case,”
particularly when Cambridge Analytica represented it had erased the user data.64
60
JX 104.
61
Id.
62
Id.
63
JX 53 at 11.
64
Id.
17
Having determined that the case was “closed,” Facebook did not notify the FTC or
any other outside party of the massive intrusion into its users’ private data.65
During the April 10 Senate hearing, Senator Richard Blumenthal opined that
Facebook was on notice that it was in violation of the Consent Decree, as evidenced
in part by the terms of service it had agreed to with Aleksandr Kogan and others like
him.66 These agreements, according to Senator Blumenthal, revealed Facebook’s
“willful blindness” to the fact that third parties would sell user data in violation of
the Consent Decree.67 In response, Zuckerberg stated, “[Facebook] should have
been aware that this app developer submitted a term that was in conflict with the
rules of the platform.”68
F. The Regulators Investigate
On June 5, 2018, The New York Times reported Facebook persisted in
maintaining data-sharing partnerships with a minimum of four Chinese electronics
companies––including Huawei Technologies Co., Inc., a manufacturing company
that maintained a close relationship with the Chinese government and was identified
65
Id.
66
JX 53 at 35.
67
Id.
68
Id.
18
by American intelligence officials as a national security threat.69 Agreements
providing access to private user data had been in place since at least 2010 and
continued in effect through the date of the reporting.70 The New York Times also
revealed Facebook permitted access to private user data to many other large
manufacturers as well––including Amazon.com, Inc., Apple Inc., BlackBerry Ltd.
and Samsung Electronics Co., Ltd.71
On July 2, 2018, The Washington Post reported the FBI, SEC and DOJ had
teamed up with the FTC in its investigation of Facebook’s data security practices.72
The federal investigations widened in scope to address the extent to which Facebook
69
JX 62. See also, JX 53 at 87 (Senator Jon Tester stated at the April 10 Senate hearing,
“Facebook allowed a foreign company to steal private information. They allowed a foreign
company to steal private information from tens of millions of Americans, largely without
any knowledge of their own.”).
70
JX 62. See also, JX 103 at 25 (The FTC’s 2011 complaint revealed “from May 2007 to
July 2010, [Facebook] allowed external app developers unrestricted access to information
about Facebook users’ personal profile and related information[.]”).
71
JX 62.
72
JX 68. The Parliamentary Report revealed the specifics of the FBI’s criminal complaint,
including:
the work of ‘Project Lakhta’, in which individuals have allegedly ‘engaged
in political and electoral interference operations targeting populations within
the Russian Federation and in various other countries, including, but not
limited to, the United States, members of the European Union, and
Ukraine[.]’ Since at least May 2014, Project Lakhta’s stated goal in the
United States was to spread distrust towards candidates for political office
and the political system in general.
JX 103 at 78.
19
knew that its users’ data had been misappropriated and disseminated in 2015 and the
reasons the Company failed to inform its users or investors of the breaches in real
time.73 Investigators reportedly also concentrated on inconsistencies in more recent
accounts from Facebook executives, including Zuckerberg’s testimony before
Congress.74
On November 12, 2018, The New York Times obtained an internal Facebook
document detailing agreements Facebook entered into with device manufacturers
whereby the Company provided the personal data of hundreds of millions of its
users.75 The Company reportedly failed to monitor the behavior of these third parties
after allowing them to access user data, a failure discovered in 2013 by Facebook’s
FTC-approved privacy monitor.76 Once again, Facebook never told its users of these
agreements with device manufacturers even though the vast majority of users had
not given the Company permission to distribute their information.77
73
JX 68.
74
Id.
75
JX 80.
76
Id.
77
Id.
20
The joint investigations discovered that, in 2013, in furtherance of its
commitments to the FTC, Facebook engaged PricewaterhouseCoopers (“PwC”) to
conduct an assessment of its partnerships with Microsoft and Research in Motion,
the makers of Blackberry.78 PwC discovered only “limited evidence” that Facebook
oversaw or assessed its partners’ compliance with its data use policies.79
An unredacted version of a letter from PwC uncovered by a Senate aide suggested
that PwC found “no evidence that Facebook had ever addressed the original
problem.”80
G. Facebook’s Data Protection Problems Continue
On September 28, 2018, The New York Times reported that an attack on
Facebook’s computer network had exposed the private data of 50 million users.81
The breach allowed the hackers to gain access to user accounts and potentially take
control of them.82 Then, on October 31, 2018, Business Insider reported on the
ineffectiveness of Facebook’s ad transparency tools as evidenced by the fact that
78
Id.
79
JX 80 at 2.
80
Id.
81
JX 77.
82
Id.
21
reporters had been permitted to run advertisements “paid for” by Cambridge
Analytica.83
On November 14, 2018, The New York Times reported that Alex Stamos, then
Facebook’s Chief Security Officer, told the Board on September 6, 2017, that the
Company had not eliminated suspicious Russian activity on its platform.84
In response, Board member, Sheryl Sandberg, allegedly yelled at Stamos, “[y]ou
threw us under the bus!”85 This exchange occurred after Zuckerberg and Sandberg
asked Stamos and other Facebook executives to update Facebook’s Audit
Committee on data privacy issues and after Stamos had been rebuked by Zuckerberg
and Sandberg for providing too much information.86 The article further revealed
that Zuckerberg and Sandberg intended publicly to disclose the Cambridge
Analytica breach the same day as the Company’s quarterly Board meeting in
September 2017.87 Stamos wrote the proposed report of Facebook’s findings to
83
JX 79.
84
JX 82. See also, JX 103 at 74 (The Parliamentary Report noted, “[i]n September 2017,
Alex Stamos, the then Chief Security Officer, told the members of Facebook’s Executive
Board that that Russian activity was still not under control.”).
85
JX 82 at 1.
86
JX 82 at 9–10.
87
JX 82 at 9.
22
assist Sandberg in her public comments.88 Sandberg, however, sent the report back
to Stamos because she wanted it to be less specific.89
On December 5, 2018, the Parliamentary Committee released internal
Facebook documents, including executive emails and internal presentations.90
These internal documents revealed Facebook’s business plan, first conceived in
2013, was to monetize its platform by “privatizing” user data through agreements
with certain preferred partners to “whitelist” apps and services integrated into the
platform so that Facebook and its partners could reciprocally share user data.91
Facebook entered into whitelisting agreements with companies in varied industries,
like the Royal Bank of Canada and Walgreens Co.92 In September 2013, Facebook
executed a business strategy to “review access” to user data by documenting the
business partners it would allow to have paid access to user data through the
88
Id.
89
Id.
90
JX 3–5, 7–9, 12, 21–22, 26.
91
JX 12 at 3–4, 30. As noted, “whitelisting” a third party at Facebook means to provide
that third party with complete access to user data and the data of that users’ friends,
irrespective of whether the users’ friends use the third-party app. JX 103 at 29.
92
JX 8, 22, 26.
23
“whitelist” and those who would be denied access because they were deemed to be
a competitive threat to the Company.93
According to the documents released by the Parliamentary Committee,
Zuckerberg was the first to conceive of the plan to monetize user data within the
Facebook platform and he emailed the idea and the implementing steps to Sandberg
and the Vice Presidents of the Company.94 Zuckerberg hoped to engage in
“reciprocity” in the sharing of user data if the information generated by a Facebook
business partner was valuable to the Company.95
The documents also revealed Facebook accessed users’ Android phone data
without permission and designed the Facebook platform so that it could readily
retrieve that data.96 The Facebook application installed on Android phones read
users’ call log histories and messaging histories without permission, and was
specifically engineered to “upgrade” users to this level of access without clearly
alerting them that the “upgrade” was occurring.97 Facebook’s executives believed
93
JX 7 at 1–3.
94
JX 3, 4, 5.
95
JX 5 at 1 (Sandberg wrote by email, “I think the observation that we are trying to
maximize sharing of Facebook, not just sharing in the world, is a critical one. I like full
reciprocity and this is the heart of why.”).
96
JX 21.
97
Id. at 1.
24
this effort to avoid obtaining Android’s user permissions was “a pretty high risk
thing to do.”98 Nevertheless, the plan was approved at the highest levels of
Facebook.99
On December 18, 2018, The New York Times published the latest in its series
of articles on Facebook, this time providing additional reporting regarding the
Company’s failure to disclose that it had allowed its business partners broad access
to users’ personal data.100 The New York Times interviewed former employees of
the FTC consumer protection division who were involved in the investigation
leading to the Consent Decree, and each stated that Facebook’s ongoing data sharing
partnerships likely violated the agreement.101 The New York Times also interviewed
Facebook employees, who revealed that many of these partnerships were not
captured by the Company’s privacy compliance program because they were deemed
business contracts outside of Facebook’s data policies.102 The Facebook privacy
98
Id.
99
JX 21 at 2.
100
JX 90. JX 103 at 30 (“Apps were able to circumvent users’ privacy of platform settings
and access friends’ information, even when the user disabled the Platform.”).
101
JX 90 at 3.
102
Id. at 11–12.
25
team allegedly had no means to review or propose modifications to the data-sharing
agreements that the Company’s senior officials negotiated.103
H. The Fallout
Multiple lawsuits have been filed—some as direct consumer class actions,
some as government enforcement actions and some as derivative actions against
Facebook fiduciaries—alleging that Facebook’s implementation of a business model
that exposed private user data to unauthorized third-party access has caused harm to
consumers and harm to the Company.104 Indeed, according to Fortune magazine,
Facebook is facing “dozens” of “data lawsuits.”105
On February 14, 2019, The Washington Post reported Facebook was currently
negotiating with the FTC over a “multi-billion dollar fine” for Facebook’s
103
Id.
104
See, e.g., Sbriglio v. Zuckerberg, C.A. No. 2018-0307-JRS (derivative action in
Delaware); Leagre v. Zuckerberg, C.A. No. 2018-0675-JRS (same); In re Facebook, Inc.,
Consumer Privacy User Profile Litig., C.A. No. 3:18-md02843 (a multidistrict privacy
litigation in the U.S. District Court in the Northern District of California); Yuan v.
Facebook, Inc. et al., C.A. No. 3:18-cv-01725 (a federal securities action pending in the
U.S. District Court in the Northern District of California); District of Columbia v.
Facebook, Inc., C.A. No. 2018-CA-008715 (a consumer class action brought by the United
States Government pending in the District of Columbia); State of Illinois ex rel. Foxx v.
Facebook Inc., et al., Case No. 2018-CH-03868 (Cook Cty. Cir. Ct.) (a consumer action
brought by the Cook County State’s Attorney in Illinois).
105
Jeff John Roberts, FACEBOOK HAS BEEN HIT BY DOZENS OF DATA LAWSUITS. AND
THIS COULD BE JUST THE BEGINNING (2018), http://fortune.com/2018/04/30/facebook-
data-lawsuits/ (last visited May 30, 2019).
26
mishandling of user data and violation of the Consent Decree.106 On that same day,
the Parliamentary Committee published the Parliamentary Report, revealing emails
from Zuckerberg and Sandberg that the Parliamentary Committee read as confirming
Facebook “intentionally and knowingly” violated both data privacy and competition
laws.107 The Parliamentary Report further determined that the “Cambridge
Analytica Scandal was facilitated by Facebook’s policies,” observing that the
“incident displays the fundamental weakness of Facebook in managing its
responsibilities to the people whose data is used for its own Commercial
purposes.”108
I. Procedural History
After The Guardian and The New York Times published articles on the
Cambridge Analytica breach in March 2018,109 the Company received inspection
demands from multiple Facebook stockholders under Section 220, including each of
the three plaintiffs in this consolidated action. On April 11, 2018, Plaintiff Local
No. 79 sent its Demand to Facebook’s Board. The Demand focused on Facebook’s
failure to secure its users’ private data and specified three purposes for inspection of
106
JX 102.
107
JX 103.
108
Id.
109
JX 45; JX 46.
27
Facebook’s books and records: (1) to “investigate and assess the actual and potential
wrongdoing, mismanagement, and breaches of fiduciary duty by members of the
Company’s Board[;]” (2) to “assess the ability of the Company’s Board to
impartially consider a demand for action (including for the filing of a derivative
lawsuit on the Company’s behalf[;]” and (3) to “take appropriate action in the event
the members of the Company’s Board did not discharge their fiduciary duties,
including the preparation and filing of a shareholder derivative lawsuit, if
appropriate.”110
The Demand sought eight categories of “Board Materials” that, by definition,
encompassed both Board and committee materials, to include “all presentations,
board packages, recordings, agenda, summaries, memoranda, charts, transcripts,
notes, minutes of meetings, drafts of minutes of meetings, exhibits distributed at
meetings, summaries of meetings, or resolutions.”111 As for timeframe, the Demand
sought “all books, records, and documents within the Company’s possession,
custody, or control for and/or relating to the period February 3, 2017 to present.”112
110
Compl. Ex. A at 6 ¶ 47.
111
Compl. Ex. A at 5–6, n. 5.
112
Id. at 6.
28
In its May 1, 2018 response to the Demand (the “Demand Response”),
Facebook asserted that the Demand failed to meet the requirements of Section 220
by failing to “provide a credible basis to support a finding of actionable
mismanagement,” primarily because the news articles identified in the Demand did
not directly implicate Facebook’s directors.113 Further, Facebook stated that if Local
No. 79 sought to investigate a Caremark claim, the Demand failed to provide any
evidence that Facebook “‘utterly failed to implement a reporting system or ignored
red flags.’”114 Facebook also maintained that the stockholder’s eight inspection
requests were overbroad because the requests were “akin to civil litigation discovery
requests, seeking broad categories of documents relating to the Company’s privacy
policies, risk management and compliance issues, and Board issues.”115
While maintaining its objections to the Demand and subject to the parties
entering into an appropriate confidentiality agreement, Facebook agreed to produce
certain Board minutes and related materials apparently in hopes of avoiding
litigation.116 On June 12 and 18, 2018, Facebook produced 1,694 pages of its books
113
JX 60 at 3.
114
Id. at 4 (quoting Beatrice Corwin Living Irrevocable Tr. v. Pfizer, Inc., 2016
WL 4548101, at *5 (Del. Ch. Sept. 1, 2016)).
115
Id. at 5–6.
116
Compl. Ex. B; see Compl. ¶ 54. See also, JX 59; JX 60.
29
and records.117 Of that total, 1,612 pages were redacted completely and marked as
“non-responsive,” containing no information, or produced with only a title or other
information identifying the document.118 Ignoring the date parameters stated in the
Demand, the production included documents dated between January 2014 and
December 2017.119 Rather than identify the category of documents identified in the
Demand to which the produced documents were responsive, the Demand Response
created its own category, “all documents relating to unauthorized access of third-
party user data.”120
On September 6, 2018, Local No. 79 filed its Complaint in which it repeated
the allegations of wrongdoing stated in its Demand but omitted certain of the specific
categories of documents it had originally sought in the Demand.121
On September 28, 2018, Facebook answered the Complaint and raised the same
defenses it had stated in its Demand Response, including that Plaintiffs lack a proper
purpose for the Demand and seek an overbroad production of books and records
117
PX 1–22.
118
Id.
119
Id.
120
JX 97 at 6.
121
D.I. at 1.
30
given the stated purposes for inspection.122 On October 11, 2018, the Court entered
a Stipulation and Order consolidating this action with two related Section 220
actions—the Birmingham action and the Levy action.123 Under the consolidation
order, the Local No. 79 Complaint became the operative complaint, and the Demand
became the operative demand.124 The trial occurred on March 7, 2019.
In a commendable effort to clarify the issues for trial, the parties met on
September 12, 2018, to discuss the scope of documents Plaintiffs sought to inspect.
The following day, Plaintiffs provided a revised (and broader) list of requested books
and records, identified custodians from whom documents should be collected and
clarified that the Company should collect documents generated from January 1, 2011
through the present.125 The documents requested were:
Board and Committee Meeting Materials
o Minutes, presentations, agendas, and resolutions for the Board
and Board Committees of Facebook;
o Any notes taken or other written materials generated by the
Board members in connection with any meeting of the Board of
Facebook or any committee of the Board; and
o Unredacted versions of relevant non-privileged documents
produced in response to Shareholder’s Demand for Books and
Records.
122
D.I. at 11.
123
D.I. at 17.
124
PTO ¶ 15.
125
JX 76.
31
Senior Management Material
o Relevant written materials generated by or provided to Mark
Zuckerberg including emails, reports, presentations, and
business plans;
o Relevant written materials generated by or provided to
Facebook’s internet security, regulatory affairs or other relevant
departments; and
o Non-privileged relevant written materials generated by or
provided to Facebook’s legal department.
Relevant policies or procedures of Facebook;
Documents produced to the government in connection with the 2011 consent
decree and Cambridge Analytica and the resulting investigations;
Board independence materials—any board questionnaires for each board
member;
Organizational charts for Facebook’s relevant departments;
All documents produced to other stockholders in response to Section 220
demands or otherwise;
Privilege log as set forth in paragraph four of the June 2018 Confidentiality
Stipulation; and
Electronic communications by and between the board, executives and senior
management relating to the subject matter in the Demand and Complaint.126
Needless to say, the revised list sought a substantially expanded scope of documents
than Plaintiffs requested in the Demand.
On January 2, 2019, the parties met again to discuss the scope of production
and Facebook ultimately asked Plaintiffs to prepare a form of order they would ask
the Court to enter if the parties litigated the matter through trial.127 Plaintiffs agreed
126
Id.
127
JX 92.
32
and, on January 16, 2019, provided their proposed form of order that defined the
categories of documents to be produced as follows:
(1) the 2011 Consent Decree and related correspondence with the FTC;
(2) the investigations conducted by the Department of Justice,
Securities and Exchange Commission, and Federal Bureau of
Investigation regarding Defendant’s sharing of personal
information and related correspondence with each of those
agencies;
(3) third party access to and handling of Facebook user data, including
but not limited to agreements with other companies regarding the
same;
(4) how the Facebook platform shares user data, including but not
limited to design decisions regarding the Facebook application
programming interface (“API”) and third party access to the
Facebook platform;
(5) Defendant’s general compliance policies and procedures respecting
data privacy and access to user data;
(6) Defendant’s internal investigation policies, procedures and
protocols;
(7) the Atlas (SOC1 & SOC 2/3), Custom Audience (SOC 2/3) and
Workplace (SOC 2/3) audits performed by or on behalf of
Defendant, and any other internal investigations or audits
performed regarding topics 1–6;
(8) any other regulatory, criminal, and civil investigations and civil
lawsuits regarding topics 1–6; and
(9) documents relating to the independence of Defendant’s directors
and committees of the Board.128
Plaintiffs provided their proposed list of custodians a week later, including
(1) all members of Facebook’s Audit Committee since 2011; (2) any person who
presented to the Audit Committee since 2011; (3) a list of seven Facebook officers,
128
JX 94.
33
including its general counsel; and (4) Facebook officers/directors Zuckerberg and
Sandberg.129 Ultimately, this exercise did not lead to an agreement.
In the Pre-Trial Order, the categories of books and records and the custodians
from whom Plaintiffs sought records changed again. There, Plaintiffs sought:
[H]ard-copy and electronic documents from the period of January 1,
2011 through December 31, 2018, received or authored by any member
of Facebook’s Board relating to the following topics are necessary and
essential to the purposes stated in the Local No. 79 Section 220
Demand:
(1) the Consent Decree that Facebook entered into with the United
States Federal Trade Commission in November 2011 and related
correspondence with the [FTC];
(2) the investigations conducted by the United States Department of
Justice, Securities and Exchange Commission, and Federal Bureau
of Investigation regarding Facebook’s sharing of personal
information and related correspondence with each of those
agencies;
(3) compliance with the European Union’s General Data Privacy
Regulation and related correspondence with European regulators;
(4) third party access to and handling of Facebook user data, including
but not limited to agreements with other companies regarding the
same;
(5) how the Facebook platform shares user data, including but not
limited to design decisions regarding the Facebook application
programming interface (“API”) and third party access to the
Facebook platform;
(6) Facebook’s general compliance policies and procedures respecting
data privacy and access to user data;
(7) Facebook’s internal investigation policies, procedures and
protocols;
(8) the Atlas (SOC1 & SOC 2/3), Custom Audience (SOC 2/3) and
Workplace (SOC 2/3) audits performed by or on behalf of
129
JX 95.
34
Facebook, and any other internal investigations or audits performed
regarding topics 1–7;
(9) any other regulatory, criminal, and civil investigations and civil
lawsuits regarding topics 1–7; and
(10) documents relating to the independence of Facebook’s directors
and committees of the Board (collectively, “Plaintiffs’ Responsive
Topics”).130
Plaintiffs also requested electronic communications, including emails, concerning
these topics from the following custodians: Erskine B. Bowles, Sam Lessin, Sheryl
Sandberg, Alex Stamos, Colin Stretch and Mark Zuckerberg.131 Defendants
addressed this version of Plaintiffs’ demand for inspection in their Pre-Trial Brief
and at trial.
Plaintiffs’ demand took on yet another form in Plaintiffs’ Pre-Trial Brief,
where the categories were stated to include:
(1) The 2011 FTC Consent Order and related correspondence with the FTC;
(2) Investigations conducted by the [DOJ], [SEC], [FBI] and [ICO] regarding
Facebook’s sharing of personal information and related correspondence
with each of those agencies;
(3) Third party access to and handling of Facebook user data, including but
not limited to, design decisions regarding the Facebook application
programming interface (“API”) and third-party access to the Facebook
platform;
(4) Facebook’s general compliance policies and procedures respecting data
privacy and access to user data;
(5) Facebook’s internal investigation policies, procedures and protocols;
(6) Facebook’s Atlas (SOC1 & SOC 2/3), Custom Audience (SOC 2/3) and
Workplace (SOC 2/3) audits performed on behalf of the Company, and
130
PTO ¶ 18.
131
Id. at ¶ 19.
35
any other internal investigations or audits performed regarding the topics
identified in items 2–6 above; and
(7) The independence of Facebook’s directors and committees of the
Board.132
The temporal range remained from January 1, 2011 to the present.133 And Plaintiffs
again requested electronic communications, including emails, concerning the
designated topics from Erskine B. Bowles, Sam Lessin, Sheryl Sandberg, Alex
Stamos, Colin Stretch and Mark Zuckerberg.134 This latest iteration formed the basis
of Plaintiffs’ arguments at trial.135
II. ANALYSIS
Plaintiffs argue the evidence presented at trial provides a credible basis from
which the court can infer that mismanagement, waste or wrongdoing may have
occurred. Specifically, they contend they have presented some evidence that
members of the Board and Facebook senior management knowingly implemented
policies that placed user data at risk of misappropriation and failed to monitor
Facebook’s compliance with the Consent Decree and, more generally, its efforts to
protect its users’ private information. The books and records identified in the
132
Pls.’ Pre-Trial Br. 33–38.
133
Id. at 39.
134
Id. at 40–42.
135
Tr. at 41:2–43:23.
36
Demand, say Plaintiffs, are necessary and proper to investigate this potential
wrongdoing.
Facebook responds that Plaintiffs have failed to demonstrate a credible basis
to infer Facebook’s directors breached their Caremark obligations. Even if a
credible basis to infer wrongdoing has been demonstrated, Facebook argues
Plaintiffs’ inspection requests are not “circumscribed with [requisite] precision
[because they are not] limited to those documents that are necessary, essential and
sufficient to the stockholder’s purpose.”136
There is no dispute that Plaintiffs have satisfied Section 220’s so-called “form
and manner” requirements.137 Accordingly, I begin my substantive analysis by
addressing whether Plaintiffs have stated a proper purpose for inspection. After
concluding that they have, I turn to the dispute regarding the scope of the documents
to be produced.
A. Section 220’s Minimal Burden of Proof
The standard for evaluating a demand for books and records under
Section 220 is well settled. A stockholder of a Delaware corporation may inspect
the corporation’s books and records for any “proper purpose” rationally related to
136
Marathon P’rs, L.P. v. M&F Worldwide Corp., 2004 WL 1728604, at *4 (Del. Ch.
July 30, 2004).
137
See Amalgamated Bank v. Yahoo!, 132 A.3d at 775–76 (discussing “form and manner”
requirements).
37
the stockholder’s “interest as a stockholder.”138 An intent to investigate
mismanagement or wrongdoing is a proper purpose if supported by the requisite
evidentiary showing.139 To demonstrate that an investigative purpose is proper, the
stockholder must prove, by a preponderance of the evidence, “a credible basis from
which the court can infer that mismanagement, waste or wrongdoing may have
occurred.”140 The “credible basis” standard is the lowest burden of proof known in
our law; it requires merely that the plaintiff put forward “some evidence” of
wrongdoing.141 After demonstrating a proper purpose, “[a] plaintiff seeking
inspection must [next] demonstrate that ‘each category of books and records
requested is essential and sufficient to [its] stated purpose.’”142
138
8 Del. C. § 220(b) (“A proper purpose shall mean a purpose reasonably related to such
person’s interest as a stockholder.”).
139
Seinfeld, 909 A.2d at 121 (“It is well established that a stockholder’s desire to
investigate wrongdoing or mismanagement is a ‘proper purpose.’”).
140
Id. at 118 (internal quotation marks omitted).
141
Id. at 118 (explaining that to satisfy the credible basis standard the stockholder must
present “some evidence” of wrongdoing); Id. at 123 (“Although the threshold for a
stockholder in a section 220 proceeding is not insubstantial, the ‘credible basis’ standard
sets the lowest possible burden of proof.”).
142
Henry v. Phixios Hldgs., Inc., 2017 WL 2928034, at *11 (Del. Ch. July 10, 2017)
(quoting Thomas & Betts Corp. v. Leviton Mfg. Co., 681 A.2d 1026, 1035 (Del. 1996)).
See also, Sec. First Corp. v. U.S. Die Casting and Dev. Co., 687 A.2d 563, 569 (Del. 1997)
(When making a Section 220 demand, the plaintiff must show by a preponderance of the
evidence “that each category of books and records is essential to the accomplishment of
the stockholder’s articulated purpose for the inspection.”).
38
B. Plaintiffs Have Demonstrated Proper Purposes for Inspection
The preponderance of the evidence presented at trial provides a credible basis
to infer the Board and Facebook senior executives failed to oversee Facebook’s
compliance with the Consent Decree and its broader efforts to protect the private
data of its users. I summarize that evidence below.
First, Plaintiffs presented the Parliamentary Report where, after summarizing
emails, meeting minutes, witness interviews and other evidence, the Parliamentary
Committee concluded the “Cambridge Analytica Scandal was facilitated by
Facebook’s policies and the incident displays the fundamental weakness of
Facebook in managing its responsibilities to the people whose data is used for its
own Commercial purposes.”143 According to the Parliamentary Report,
“[i]f [Facebook] had fully complied with the [Consent Decree], [the Cambridge
Analatica scandal] . . . would not have happened.”144 The Parliamentary Report went
on to summarize evidence that Facebook had implemented a business plan to
143
JX 103 at 24–25, 92; JX 3–5, 7–9, 12, 21–22, 26. “In total, the Committee held 23 oral
evidence sessions, reviewed over 170 written submissions, heard evidence from
73 witnesses, asked 4,350 questions of these witnesses, and had many exchanges of public
and private correspondence with individuals and organizations.” JX 103 at 10.
See In re UnitedHealth Gp., Inc. Section 220 Litigation, 2018 WL 1110849, at *7 (Del. Ch.
Feb. 28, 2018) (finding credible basis to suspect wrongdoing was evidenced by a complaint
brought on behalf of the Department of Justice, which included “references to, and
quotations from, the Company’s internal emails, letters, audit reports, charts, attestations,
policies, presentation materials, and memoranda”).
144
JX 103 at 90.
39
“override its users’ privacy settings in order to transfer data to some app developers”
and “to charge high prices . . . for the exchange of that data.”145 And, importantly,
the Parliamentary Report concluded that the Board was aware of data privacy
breaches but attempted “to deflect attention” from these breaches to avoid
scrutiny.146
Second, the Consent Decree demonstrates that an enforceable regulatory order
mandated that Company management and the Board implement and monitor
Facebook’s compliance with specifically identified and detailed data privacy
procedures.147 Lest there be any doubt about whether the Board was aware of the
specific requirements of the Consent Decree, the document itself makes clear that it
is to be “deliver[ed] . . . to . . . all current and future principals, officers, directors,
and managers[.]”148 While there is certainly room to defend the claim, there is some
evidence the Board knew of the Company’s obligations to implement data security
145
Id.
146
JX 103 at 72.
147
JX 1. The Consent Decree explicitly requires Facebook “and its representatives” to
“disclose to [Facebook’s] users . . . the categories of nonpublic user information that will
be disclosed to such third parties[,]” “the identity or specific categories of such third
parties” and “obtain the user’s affirmative express consent.” Id. Facebook “and its
representatives” must also “implement procedures reasonably designed to ensure that
covered information cannot be accessed by any third party from servers under [Facebook’s
control[.]” Id. And Facebook must “establish and implement, and thereafter maintain, a
comprehensive privacy program[.]” Id. at § II.
148
JX 1 at § VII.
40
measures, knew the Company had not implemented or maintained those measures
as required by the Consent Decree and, nevertheless, condoned the Company’s
monetization of its users’ private data in violation of the Consent Decree.149
The Consent Decree was an affirmative obligation imposed on the Company
much like positive law. The legal academy has observed that Delaware courts are
more inclined to find Caremark oversight liability at the board level when the
company operates in the midst of obligations imposed upon it by positive law yet
fails to implement compliance systems, or fails to monitor existing compliance
systems, such that a violation of law and resulting liability occurs.150 Professor
149
The Parliamentary Report concluded, “[t]he Cambridge Analytica scandal was
facilitated by Facebook’s policies. If it had fully complied with the FTC settlement, it
would not have happened.” JX 103 at 28.
150
In other words, it is more difficult to plead and prove Caremark liability based on a
failure to monitor and prevent harm flowing from risks that confront the business in the
ordinary course of its operations. Failure to monitor compliance with positive law,
including regulatory mandates, on the other hand, is more likely to give rise to oversight
liability. See James D. Cox & Randall S. Thomas, Corporate Darwinism: Disciplining
Managers in a World with Weak Shareholder Litigation, 95 N.C. L. Rev. 19, 55–56 (2016)
(“Indeed, the division between [In re Massey Energy Co.] and [In re Citigroup Inc.
S’holder Deriv. Litig.] may be that Citigroup involved a challenge to legitimate business
practices, whereas Massey is riveted, as was Caremark, on the directors’ conscious
disregard of the corporation’s adherence with the law when implementing business
strategies . . . . [T]he facts required to satisfy even Massey reflect such an abandonment of
the directors’ monitoring role as to suggest outright complicity in the lawless acts rather
than a want of oversight.”); Donald C. Langevoort, Caremark and Compliance: A Twenty-
Year Lookback, 90 Temp. L. Rev. 727, 735 (2018) (“[T]he moment the board is brought
into the compliance risk discussion, liability exposure increases to at least a small extent,
and Caremark itself no longer sets the applicable standard.”). See also, In re Citigroup
Inc. S’holder Deriv. Litig., 964 A.2d 106, 131 (Del. Ch. 2009) (“There are significant
41
Elizabeth Pollman aptly describes this as a circumstance where the board acts with
“disobedience.”151 Our law does not countenance board level disobedience.
Stated differently,
Delaware law does not charter law breakers. Delaware law allows
corporations to pursue diverse means to make a profit, subject to a
critical statutory floor, which is the requirement that Delaware
corporations only pursue “lawful business” by “lawful acts.” As a
result, a fiduciary of a Delaware corporation cannot be loyal to a
Delaware corporation by knowingly causing it to seek profit by
violating the law . . . . Telling your parents that all the kids are getting
caught shoplifting, cheating, or imbibing illegal substances is not,
fortunately, a good excuse. For fiduciaries of Delaware corporations,
there is no room to flout the law governing the corporation’s affairs.
If the fiduciaries of a Delaware corporation do not like the applicable
law, they can lobby to get it changed. But until it is changed, they must
differences between failing to oversee employee fraudulent or criminal conduct and failing
to recognize the extent of a Company’s business risk.”); In re Goldman Sachs Gp., Inc.
S’holder Litig., 2011 WL 4826104, at *21 (Del. Ch. Oct. 12, 2011) (“As a preliminary
matter, this Court has not definitively stated whether a board’s Caremark duties include a
duty to monitor business risk.”); Asbestos Workers Local 42 Pension Fund v. Bammann,
2015 WL 2455469, at *14 (Del. Ch. May 22, 2015) (“It is not entirely clear under what
circumstances a stockholder derivative plaintiff can prevail against the directors on a theory
of oversight liability for failure to monitor business risk under Delaware law; the Plaintiff
cites no examples where such an action has successfully been maintained.”) (emphasis in
original); Reiter on Behalf of Capital One Fin. Corp. v. Fairbank, 2016 WL 6081823, at
*8 (Del. Ch. Oct. 18, 2016) (“In applying the Caremark theory of liability, even in the face
of alleged red flags, this Court has been careful to distinguish between failing to fulfill
one’s oversight obligations with respect to fraudulent or criminal conduct as opposed to
monitoring the business risk of the enterprise.”); Okla. Firefighters Pension & Ret. Sys. v.
Corbat, No. 12151, 2017 WL 6452240, at *18 (Del. Ch. Dec. 18, 2017) (“Banamex made
a risky business decision that turned out poorly for the company. That suggests a failure
to monitor or properly limit business risk, a theory of director liability that this Court has
never definitively accepted. Indeed, evaluation of risk is a core function of the exercise of
business judgment.”).
151
Elizabeth Pollman, Corporate Disobedience, 68 Duke L.J. 709, 756 (2019).
42
act in good faith to ensure that the corporation tries to comply with its
legal duties.152
Plaintiffs have presented a credible basis to infer that the Board acted with
disobedience by allowing Facebook to violate the Consent Decree. They are entitled
to inspect books and records to investigate that potential wrongdoing.
Third, Plaintiffs point to information released to the public sphere since they
initiated their Demand indicating that a key component of Facebook’s business plan
was to monetize access to user data through agreements with partners based on
“reciprocity,” even after entering into the Consent Decree.153 Facebook’s long-term
business model was to “go with full reciprocity and access to app friends,”
permitting business partners to obtain full information from users, including the
user’s Facebook friends.154 There is some evidence Facebook whitelisted these
business partners, giving them unauthorized access to the Facebook platform and
Facebook’s user data for a substantial fee.155 All the while, its users were left in the
dark.156
152
In re Massey Energy Co., 2011 WL 2176479, at *20–21 (Del. Ch. May 31, 2011)
(internal footnote omitted) (Strine, V.C.).
153
JX 103 at 26–28.
154
Id. at 35–36.
155
JX 3–5, 7–9, 12, 21–22, 26; JX 103 at 29–31.
156
JX 103 at 30 (“Apps were able to circumvent users’ privacy of platform settings and
access friends’ information, even when the user disabled the Platform.”).
43
Fourth, Plaintiffs presented a credible basis to infer the Board knew the
Company was allowing unauthorized third-party access to user data. The New York
Times reported Erskine Bowles, chairman of the Audit Committee, received a report
from Stamos, then Chief Information Security Officer, and Colin Stretch,
Facebook’s General Counsel, about Russian interference with the Facebook
platform and potential data privacy violations.157 On the same day, Bowles
questioned Zuckerberg and Sandberg at a full Board meeting regarding the extent to
which they, and other Facebook senior management, had been transparent with the
Board regarding data privacy issues.158 At that meeting, Stamos expressed concerns
that the Company had not monitored the protection of user data carefully, prompting
Sandberg, as noted above, to accuse Stamos of “throw[ing] us under the bus!”159
According to The New York Times, the Company’s failure adequately to address data
privacy ultimately led Whatsapp co-founder, Jan Koum, to resign from the Board.160
157
JX 82 at 9–10. The Board also received a presentation on the results of an audit
regarding privacy and data use. PX 16 at 34; PX 22 at 21–23.
158
JX 82 at 9–10.
159
Id.
160
JX 57. See In re Plains All Am. Pipeline, L.P., 2017 WL 6066570, at *3–4 (Del. Ch.
Aug. 8, 2017) (ORDER) (newspaper article deemed reliable evidence to support
stockholder’s showing of a credible basis to suspect wrongdoing for purposes of Section
220); Paul v. China MediaExpress Hldgs., Inc., 2012 WL 28818, at *4 (Del. Ch. Jan. 5,
2012) (same).
44
Fifth, Plaintiffs have provided evidence that multiple regulatory authorities
have opened investigations into Facebook’s data privacy lapses.161 Perhaps most
troubling, following the Cambridge Analytica breach, the FTC opened an
investigation to determine the extent to which Facebook violated the Consent
Decree.162 News outlets have recently reported the investigation could result in a
multibillion dollar fine against Facebook––the largest fine ever imposed by the
FTC.163
After the Cambridge Analytica scandal, the ICO fined Facebook the
maximum fine permitted under British law, £500,000, for permitting third party
developers to access user information without sufficient consent.164 In addition, the
Parliamentary Report revealed the ICO concluded that Facebook’s “business
161
As noted, the FBI, DOJ and SEC have all opened independent investigations into the
Company stemming from its data privacy violations. JX 68. See Freund v. Lucent Tech.,
2003 WL 139766, at *3 (Del. Ch. Jan. 9, 2003) (finding that a Securities and Exchange
Commission investigation, financial restatements and pending civil suits comprised a
“record [that] adequately supplies ‘some credible basis’ to support an inference of waste
or mismanagement[.]”) (citing Sec. First Corp. v. U.S. Die Casting & Dev. Co., 687 A.2d
563, 567 (Del. 1997)).
162
JX 51, 52.
163
JX 102.
164
JX 78.
45
practices and the way applications interact with data on the platform have
contravened data protections law.”165
Finally, Facebook is subject to numerous lawsuits based on the same
underlying misconduct.166 These complaints further support Plaintiffs’ credible
basis to infer wrongdoing.167
In light of the low Section 220 evidentiary threshold, I am satisfied Plaintiffs
have proven “legitimate issues of wrongdoing.”168 Stated differently, Plaintiffs have
presented some evidence that Facebook’s directors and officers may have breached
their Caremark duties, particularly in light of the Consent Decree in place at the time
of most of the data privacy breaches alleged in this action.169 Accordingly, they have
165
JX 103 at 23.
166
Supra note 104 and accompanying text.
167
See Elow v. Express Scripts Hldg. Co., 2017 WL 2352151, at *6 (Del. Ch. May 31,
2017) (“[P]leadings in [a private suit against defendant], coupled with the statements made
by [defendant’s] management, are enough to meet the ‘lowest burden of proof’ set by
Delaware law.”) (citing Seinfeld, 909 A.2d at 123); UnitedHealth, 2018 WL 1110849, at *7
(finding credible basis to suspect wrongdoing was evidenced by the contents of a complaint
against the company brought on behalf of the Department of Justice).
168
Sec. First Corp., 687 A.2d at 568 (“[T]he threshold may be satisfied by a credible
showing, through documents, logic, testimony or otherwise, that there are legitimate issues
of wrongdoing.”).
169
Given my finding that Plaintiffs have presented some evidence of Board level
knowledge of Facebook’s failure to implement data protection measures, and of the
Board’s failure to monitor what measures were in place, I decline to address Plaintiffs’
argument that the “core operations doctrine” should be applied to infer Board level
knowledge and involvement. See In re Fitbit, Inc. S’holder Deriv. Litig., 2018
WL 6587159, at *15 (Del. Ch. Dec. 14, 2018), appeal refused, 2019 WL 190933 (Del. Ch.
46
demonstrated a proper purpose to inspect certain documents related to this potential
wrongdoing.170
Having demonstrated a credible basis to investigate wrongdoing in connection
with Facebook’s protection of data privacy, Plaintiffs have also supported their
Demand to inspect books and records relating to director independence. Should
stockholders elect to pursue claims against Facebook fiduciaries arising from the
data privacy breaches, those claims most likely would be derivative claims asserted
on behalf of the Company. It is well settled that the desire to investigate director
independence is a proper purpose, particularly in instances where the stockholder
seeks to investigate whether demand upon the board to pursue claims on behalf of
the company would be futile.171
Jan. 14, 2019) (denying a motion to dismiss based on the core operations doctrine and
“well-pled facts” that the Board and management would have been aware of problems
encountered in the development of a new product that was responsible for a substantial
portion of the company’s revenue).
170
Facebook cites Marathon P’rs, L.P. v. M&F Worldwide Corp. to argue that Plaintiffs
have presented only “speculation of mismanagement.” 2004 WL 1728604, at *7 (Del. Ch.
July 30, 2004). Marathon is distinguishable on its facts, as the plaintiff there suspected the
directors breached their Revlon duties when they rebuffed a single overture by a potential
acquirer outside of any bidding process. Id. Unlike Marathon, this case involves a
company that was under a positive obligation to implement certain data privacy protections
and some evidence that the levers of control within the Company may have failed to
oversee compliance with those obligations in a manner that has caused harm to the
Company.
171
Our courts regularly find that a stockholder states a proper purpose when he seeks to
investigate director independence and disinterestedness as he investigates possible
derivative claims. See, e.g., Amalgamated Bank v. Yahoo!, 132 A.3d at 784–85
(“[T]he Delaware Supreme Court has indicated that a plaintiff could obtain ‘a file of the
47
C. The Effect of Plaintiffs’ Ever-Changing Demand
Plaintiffs’ have reshaped their requests to inspect books and records from their
initial Demand, through the parties’ meet and confer sessions, the pre-trial
stipulation, Plaintiffs’ pre-trial brief and, finally, trial. This metamorphosis has
confounded the Court’s analysis and justifiably frustrated the Company. 172
A stockholder’s right to inspect books and records must be balanced against the
corporation’s right to be apprised of what the stockholder is asking for and why.173
In Fuchs Family Trust v. Parker Drilling Co., the court denied the plaintiff’s
demand for inspection, partly because its late-term modification of the demand was
prejudicial to the defendants.174 There, the plaintiff’s initial demand letter sought
eight categories of documents and described its purpose as the investigation of
possible mismanagement and violation of law by the company. 175 In its complaint,
disclosure questionnaires for the board’ or similar materials that could ‘provide more detail
about the thickness of the relationship[s]’ in the boardroom.”) (citing Del. Cty. Empls.’ Ret.
Fund v. Sanchez, 124 A.3d 1017, 1024 (Del. 2015)).
172
I say metamorphosis rather than evolution because there has been no linear progression
in Plaintiffs’ requests for books and records; they have expanded and contracted with no
apparent pattern.
173
Thomas & Betts Corp. v. Leviton Mfg. Co., 681 A.2d 1026, 1031 (Del. 1996)
(“Undergirding this discretion [to determine the scope of inspection] is a recognition that
the interests of the corporation must be harmonized with those of the inspecting
stockholder.”).
174
Fuchs Family Tr. v. Parker Drilling Co., 2015 WL 1036106 (Del. Ch. Mar. 4, 2015).
175
Id. at *3.
48
the plaintiff modified its purpose and narrowed the scope of its demand.176 The
demand changed again eight days before trial and after both parties had filed pre-
trial briefs, when the plaintiff “updated” the demand by substantially broadening the
scope of the documents requested.177 The court refused to enforce the eleventh-hour
update upon finding the defendant had been prejudiced by the moving targets set by
the plaintiff:
Given the circumstances, [the plaintiff’s] late attempt to expand its
inspection must be rejected. ‘Strict adherence to the section
220 procedural requirements for making an inspection demand protects
the right of the corporation to receive and consider a demand in proper
form before litigation is initiated.’ [The defendant’s] right to
consider [the plaintiff’s] demand properly would be substantially
impaired by forcing it to adapt its response and defense to [the
plaintiff’s] evolving requests.178
The court then rejected the plaintiff’s effort to enforce its demand after finding the
books and records plaintiff sought were not “necessary and essential” to fulfill its
stated purpose.179 Other decisions of this court are in accord.180
176
Id. at *3–4.
177
Id. at *4 (emphasis in original).
178
Id. (“Even beyond concerns related to Section 220’s requirements, forcing [the
defendant] to defend against issues raised only a week before trial would be at odds with
fundamental fairness.”).
179
Id. at *7.
180
See, e.g., Beatrice Corwin Living Irrevocable Tr., 2016 WL 4548101, at *7 (denying
plaintiffs’ Section 220 demand because it “was not clearly made until after trial” and
refusing plaintiffs’ attempts to expand the scope of their demand by adding participants in
the alleged mismanagement and a new theory because the attempted expansions came too
49
While Plaintiffs’ lack of precision in formulating its Demand, particularly
with respect to the scope of documents requested, has provoked justified frustration
and has questions regarding possible abuse of the Section 220 process, I am satisfied
there has been no such abuse here. Plaintiffs’ stated purposes for inspection have
remained constant throughout the various iterations of their Demand. And their lack
of focus regarding the documents they seek, while unfortunate, does not evidence a
lack of good faith. In my view, the proper approach here is to hold Plaintiffs to the
request for documents as stated in the Pre-Trial Order, a request that was refined by
the parties’ several meet and confer sessions.181 This is the version of the Demand
that Defendants addressed in their pre-trial brief and at trial. The scope of documents
requested in that version, therefore, has been properly joined for decision.
late); Highland Select Equity Fund, L.P. v. Motient Corp., 906 A.2d 156, 167 (Del. Ch.
2006) (holding the plaintiff’s multiple amendments to its demand reflected a lack of
precision that, in turn, suggested the plaintiff had not articulated a proper purpose in the
first place). But see Apogee Invs., Inc. v. Summit Equities LLC, 2017 WL 4269013, at *4
(Del. Ch. Sept. 22, 2017) (granting plaintiff’s motion for leave to amend its demand—after
plaintiff had already modified the scope of its demand on several occasions—and rejecting
the defendant’s argument that the amendment reflected a “creeping expansion” of claims
on the eve of trial, and would have the same prejudicial effect on the defendant as identified
in Fuchs Family). In Apogee, the court explained that, unlike in Fuchs Family, where the
plaintiff broadened its demand after both parties had filed opening pre-trial briefs, and eight
days before trial, the “trial in this case is weeks away, pretrial briefing has not yet taken
place, and [the defendant] has been aware of the mismanagement and party loan purposes
since at least December 2016.” Id.
181
PTO ¶ 18, 19. See Apogee, 2017 WL 4269013, at *4 (enforcing post-litigation demand
upon finding that the Company had been given an adequate opportunity to respond to it).
50
D. Scope of Production
Plaintiffs seek to inspect seven categories of books and records they claim
“address the crux” of their stated purposes.182 Some of these materials are
“necessary and essential”; others are not.183 Specifically, I am satisfied that the
following categories of non-privileged documents184 relating to the following topics
(the “Ordered Documents”) are “necessary and essential” to pursue Plaintiffs’ proper
purposes and should be produced:
(1) Hard-copy documents provided to, or generated by, the Board
relating to investigations conducted by the FTC, DOJ, SEC, FBI and
ICO regarding Facebook’s data privacy practices (“Investigation
Documents”);
(2) Facebook’s formally adopted policies and procedures respecting
data privacy and access to user data, including those promulgated
following the entry of the Consent Decree (“Policies and
Procedures”);
Pls.’ Pre-Trial Br. 27 (quoting Wal-Mart Stores, Inc. v. Ind. Elec. Works Pension Tr.
182
Fund IBEW, 95 A.3d 1264, 1271 (Del. 2014)).
183
Wal-Mart Stores, 95 A.3d at 1278 (discussing the “necessary and essential” standard).
184
Plaintiffs have invoked the so-called Garner exception to the attorney-client privilege
as a basis to defeat the Company’s assertion of privilege. See Garner v. Wolfinbarger,
430 F.2d 1093, 1104 (5th Cir. 1970) (listing “good-cause” factors that would justify an
exception to the privilege asserted by a fiduciary in response to a stockholder’s request for
documents). This exception is “narrow, exacting, and intended to be very difficult to
satisfy.” Wal-Mart Stores, 95 A.3d at 1278. Plaintiffs have not met their heavy burden
under Garner because, on this record, they have not demonstrated that the privileged
information they seek “is both necessary to prosecute the action and unavailable from other
sources.” Buttonwood Tree Value P’rs, L.P. v. R.L. Polk & Co., 2018 WL 346036, at *4
(Del. Ch. Jan. 10, 2018). This is “the most important of the Garner factors. See id. at *3,
*5 n.24 (declining to apply Garner where necessity/unavailability factor not met even
though the other two principal factors were satisfied); Elow v. Express Scripts Hldg. Co.,
2018 WL 2110946, at *2 (Del. Ch. Apr. 27, 2018) (same).
51
(3) Facebook’s Atlas (SOC1 & SOC 2/3), Custom Audience (SOC 2/3)
and Workplace (SOC 2/3) audits performed on behalf of the
Company, and any other formal internal audits performed regarding
compliance with Facebook formal data privacy policies and
procedures or with the Consent Decree (“Audit Documents”);
(4) documents concerning the independence of Facebook’s directors
and committees of the Board, particularly the Board disclosure
questionnaires (“Independence Documents”); and
(5) electronic communications, if coming from, directed to or copied to
a member of the Board, concerning Facebook’s post-Consent
Decree whitelist practices, post-Consent Decree government
investigations into Facebook’s data privacy practices and
compliance with the Consent Decree, to be collected from the
following custodians: Erskine B. Bowles, Sheryl Sandberg, Alex
Stamos, and Mark Zuckerberg (“Communication Documents”).185
185
Plaintiffs have presented evidence that Board members were not saving their
communications regarding data privacy issues for the boardroom. See JX 103 at 24, 30–
36 (Parliamentary Report found emails from Zuckerberg, Sandberg and other senior
management relating to the extent to which Facebook was complying with data privacy
laws and relating to the scope of its whitelisting agreements); JX 3, 4, 5 (emails among
executives and Board members discussing Zuckerberg’s plan to monetize user data within
the Facebook platform). See Yahoo!, 132 A.3d at 791–94 (ordering the production of
electronic documents and emails because they were “corporate records” that would “show
what [key players] knew and when”); KT4 P’rs, 203 A.3d at 754–55 (reversing trial court
for not ordering production of emails upon finding the plaintiff had presented evidence that
board members were communicating by email regarding the subjects of the stockholder’s
investigation and defendant had “not buttressed its claims [that emails were not necessary]
with any evidence that other materials would be sufficient to accomplish [the
stockholder’s] purpose.”). Here, Plaintiffs’ Demand sought Board level documents
concerning Facebook’s compliance with the Consent Decree and response to government
investigations into Facebook’s data privacy practices. In response, Facebook produced a
compilation of highly redacted Board minutes that contain essentially no information
regarding the relevant subjects. See, e.g., PX 1–22. When considered against the backdrop
of the evidence of Board level email communications Plaintiffs have introduced in this
record, the Company’s production of redacted Board minutes hardly “buttresses” its claim
that these books and records are sufficient “to accomplish [Plaintiffs’] purpose.” KT4 P’rs,
203 A.3d at 754–55.
52
Because many of Plaintiffs’ document demands landed with the precision of
buckshot,186 I have tailored the inspection award to the purposes articulated in their
inspection Demand. Thus, I have denied Plaintiffs’ request for correspondence with
the FTC at or near the time the Consent Decree was entered because those documents
are far removed from what Plaintiffs seek to investigate now. I have similarly denied
Plaintiffs’ request for documents relating to “third party access to and handling of
Facebook user data, including agreements with other companies regarding the same”
beyond any such documents that might be within the Ordered Documents. The full
breadth of the third-party documents Plaintiffs seeks extend far beyond what is
necessary and essential.187 Also, except for the Policies and Procedures and Audit
Documents, I have limited the scope of production to Board-level documents (and
communications) because management-level communications are not, on this
record, necessary and essential to Plaintiffs’ investigation of their Caremark-based
claims. Finally, I have limited the custodians from whom the Company must collect
electronic communications to comport with the evidence in the record, or lack of
186
Id. at 776 (“The production order ‘must be carefully tailored.’ Framed metaphorically,
it should be ‘circumscribed with rifled precision’ to target the plaintiff’s proper purpose.”)
(quoting Sec. First, 687 A.2d at 565, 570).
187
Cook v. Hewlett-Packard Co., 2014 WL 311111, at *5 (Del. Ch. Jan. 30, 2014) (holding
that Section 220 demands should not amount to “fishing expeditions”).
53
evidence, regarding the role of specific Facebook executives in the Company’s post-
Consent Decree data privacy compliance.188
While the temporal scope of discovery should a derivative claim be brought
may well be broader, I am satisfied that Plaintiffs’ demand for documents dating
back to 2011 is too broad for a Section 220 inspection.189 Claims relating to conduct
in 2011, or conduct giving rise to the Consent Decree, likely would be time-barred.190
Moreover, the Cambridge Analytica events primarily took place in 2014 and 2015.191
And, importantly, the original Demand sought documents for a “period February 3,
2017 to present.”192 With these facts in mind, I am satisfied the scope of production
of Communication Documents, for reasons of burden and expense, and Investigation
188
I have also removed Facebook’s General Counsel, Colin Stretch, as a custodian both
because Plaintiffs have failed to demonstrate that his documents are essential to accomplish
their purpose and also to minimize the extent of post judgment privilege disputes. See Sec.
First Corp., 687 A.2d at 569 (holding that Section 220 plaintiff must show by a
preponderance of the evidence “that each category of books and records is essential to the
accomplishment of the stockholder’s articulated purpose for the inspection.”).
189
See, e.g., Okla. Firefighters Pension & Ret. Sys. v. Citigroup Inc., 2015 WL 1884453,
at *7 & n.61 (Del. Ch. Apr. 24, 2015) (“substantially narrow[ing]” the starting date for
defendant to produce documents to 2011, where plaintiffs requested materials from 2008);
UnitedHealth, 2018 WL 1110849, at *10 (holding that Section 220 demand seeking
documents over an eight year span too broad.).
190
See Graulich, 2011 WL 1843813, at *1, *6 (finding derivative claims resulting from
Section 220 action investigating possible corporate mismanagement from 6–8 years prior
to the demand would likely be time-barred).
191
See JX 45; JX 46.
192
Compl. Ex. A at 6.
54
Documents, for reasons of temporal relevance and burden, should be limited to the
time specified in the original Demand—February 3, 2017 to present. As for the
Audit Documents, the scope of production shall be from January 2013 to present, in
order to capture a time just prior to the Cambridge Analytica breach and far enough
removed from the Consent Decree that the Company’s compliance with the privacy
program and third-party audit requirements of that mandate should have been
evident. As for the Policies and Procedures, the scope of production shall be from
January 2013 to present, not only to capture the time prior to the Cambridge
Analytica breach but also to reveal the Company and the Board’s response to the
Consent Decree. Finally, as for the Independence Documents, the scope of
production will be limited to the most recent Board questionnaires given that the
Board’s independence for demand futility purposes will be measured as of the time
the complaint alleging demand futility is filed.193
III. CONCLUSION
For the foregoing reasons, a judgment shall be entered in favor of Plaintiffs
that directs Facebook to allow inspection of the books and records designated in this
193
See Rales v. Blasband, 634 A.2d 927, 934 (Del. 1993) (“[A] court must determine
whether or not the particularized factual allegations of a derivative stockholder complaint
create a reasonable doubt that, as of the time the complaint is filed, the board of directors
could have properly exercised its independent and disinterested business judgment in
responding to a demand.”) (emphasis supplied).
55
Memorandum Opinion. The parties shall confer and submit a joint proposed
implementing order and final judgment within fifteen (15) days.
56