Searching over 5,500,000 cases.


searching
Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

In re Facebook

Court of Chancery of Delaware

May 30, 2019

IN RE FACEBOOK, INC. SECTION 220 LITIGATION

          Date Submitted: March 7, 2019

          Samuel L. Closic, Esquire of Prickett, Jones & Elliott, P.A., Wilmington, Delaware and Frank R. Schirripa, Esquire and Daniel B. Rehns, Esquire of Hach Rose Schirripa & Cheverie LLP, New York, New York, Attorneys for Plaintiff Construction and General Building Laborers' Local Union No. 79 General Fund and Co-Lead Counsel.

          Peter B. Andrews, Esquire, Craig J. Springer, Esquire and David M. Sborz, Esquire of Andrews & Springer, LLC, Wilmington, Delaware; Geoffrey M. Johnson, Esquire of Scott䧊 Attorneys At Law LLP, Cleveland Heights, Ohio; and Donald A. Broggi, Esquire, Scott R. Jacobsen, Esquire and Jing-Li Yu, Esquire of Scott䧊 Attorneys At Law LLP, New York, New York, Attorneys for Plaintiff City of Birmingham Relief and Retirement System and Additional Counsel for Plaintiffs.

          Ryan M. Ernst, Esquire of O'Kelly Ernst & Joyce, LLC, Wilmington, Delaware and Thomas J. McKenna, Esquire and Gregory M. Egleston, Esquire of Gainey McKenna & Egleston, New York, New York, Attorneys for Plaintiff Lidia Levy and Additional Counsel for Plaintiffs.

          David E. Ross, Esquire and R. Garrett Rice, Esquire of Ross Aronstam & Moritz LLP, Wilmington, Delaware; Orin Snyder, Esquire of Gibson, Dunn & Crutcher LLP, New York, New York; Kristin A. Linsley, Esquire and Brian M. Lutz, Esquire of Gibson, Dunn & Crutcher LLP, San Francisco, California; Paul J. Collins, Esquire of Gibson, Dunn & Crutcher LLP, Palo Alto, California; and Joshua S. Lipshutz, Esquire of Gibson, Dunn & Crutcher LLP, Washington, D.C., Attorneys for Defendant Facebook, Inc.

          MEMORANDUM OPINION

          SLIGHTS, VICE CHANCELLOR

         In July 2018, Facebook, Inc. ("Facebook" or the "Company") experienced one of the sharpest single-day market value declines in history when its stock price dropped 19%, wiping out approximately $120 billion of shareholder wealth. This unprecedented misfortune followed news reports that, in 2015, the private data of 50 million Facebook users had been poached by Cambridge Analytica, a British political consulting firm.[1] Facebook did not disclose this security breach to its users upon discovery or at any time thereafter. Users first learned of the breach when they read or heard about it in the news.

         At the time of the Cambridge Analytica breach, Facebook was subject to a consent decree entered by the Federal Trade Commission (the "FTC") in 2011 (the "Consent Decree") after the FTC determined that the Company's data privacy measures were not protecting users' private information. Among other things, the Consent Decree required Facebook to implement more robust and verifiable data security protocols.

         Soon after news of the Cambridge Analytica breach broke, reports surfaced that Facebook's business model included incentives to monetize its users' data without their consent. These reports were followed by news that the FTC, Federal Bureau of Investigation ("FBI"), Securities and Exchange Commission ("SEC"), Department of Justice ("DOJ"), European Information Commissioner's Office ("ICO") and other European authorities had all opened investigations into Facebook's data privacy practices.

         On April 11, 2018, Plaintiff, Construction and General Building Laborers' Local No. 79 General Fund ("Local No. 79"), served a demand to inspect Facebook's books and records (the "Demand") under Section 220 of the Delaware General Corporation Law ("Section 220").[2] As required by statute, [3] Local No. 79 stated that its purpose for inspection was to "investigate and assess the actual and potential wrongdoing, mismanagement, and breaches of fiduciary duties by the members of the Company's Board" in connection with the data privacy breaches and "to investigate the independence and disinterestedness" of the Company's directors.[4] In response, Facebook produced about 1, 700 pages of significantly redacted books and records.

         When discussions between the parties regarding the scope of Facebook's production broke down, Local No. 79 filed its Verified Complaint to Compel Inspection on September 6, 2018.[5] In its answer to that Complaint, Facebook denied Plaintiff had stated a proper purpose for inspection and maintained that, even if a proper purpose had been stated, Plaintiff was not entitled to inspect any documents beyond those already produced.[6] Specifically, Facebook asserted the Complaint failed to plead a credible basis to infer that Facebook's directors breached their duty of oversight, or any other aspect of their fiduciary duties, because the Cambridge Analytica breach resulted from the unanticipated acts of third parties who had managed to compromise Facebook's existing (and adequate) data privacy systems.

         The parties agreed to a "paper record" trial (i.e., without deposition or live testimony). After carefully reviewing the evidence and the arguments of counsel, I conclude in this post-trial decision that Plaintiffs have demonstrated, by a preponderance of the evidence, a credible basis from which the Court can infer that wrongdoing occurred at the Board level in connection with the data privacy breaches that are the subject of this action. In so finding, I reject, as a matter of law, Facebook's implicit suggestion that I must adjudicate the merits of Plaintiffs' Caremark claim before allowing an otherwise proper demand for inspection to stand. This is not the time for a merits assessment of Plaintiffs' potential claims against Facebook's fiduciaries. The "credible basis" standard applicable in this Section 220 action imposes the lowest burden of proof known in our law and asks a fundamentally different question than would be asked at a trial on the merits: has the stockholder presented "some evidence" to support an inference of wrongdoing that would justify allowing the stockholder to inspect Facebook's books and records?[7]While this court consistently reminds stockholders that a Caremark claim "is possibly the most difficult theory upon which a plaintiff might hope to win a judgment, "[8] that admonition does not license this court to alter the minimum burden of proof governing a stockholder's qualified right to inspect books and records.

         In the wake of the Consent Decree, Facebook was under a positive obligation to take specific steps to protect its users' private data. That obligation was firmly in place at the time of the Cambridge Analytica breach. Delaware courts traditionally have viewed stockholder allegations that a board failed to oversee the company's obligation to comply with positive law, or positive regulatory mandates, more favorably in the Caremark paradigm than allegations that a board failed to oversee the company's efforts generally to avoid business risk. Plaintiffs have presented "some evidence" that the Board failed to oversee Facebook's compliance with the Consent Decree resulting in unauthorized access to its users' private data and attendant consequences to the Company. In other words, Plaintiffs have sustained their minimal burden to demonstrate a credible basis of wrongdoing justifying the inspection of certain of the Company's books and records.[9]

         Judgment is entered for Plaintiffs. Facebook shall produce for inspection the books and records designated herein as essential to Plaintiffs' pursuit of their proper purpose.

         I. FACTUAL BACKGROUND

         The Court presided over a one-day trial on March 7, 2019. The following facts were proven by a preponderance of the evidence against the backdrop of the credible basis standard.[10]

         A. The Parties

         Local No. 79 has continuously owned Facebook stock since June 17, 2015.[11]Defendant, Facebook, is a Delaware corporation that operates the Facebook social media platform.[12] Facebook's principal executive offices are in Menlo Park, California.[13]

         B. Facebook's Business

         Mark Zuckerberg founded Facebook in 2004. He serves as the Company's CEO and Chairman of its Board of Directors (the "Board").[14] Facebook is a social media platform that enables its more than 2.2 billion active users to stay in touch with friends and family, develop connections, learn about world events and circulate individual commentary.[15]

         As part of its business model, Facebook allows independent third-party developers to place their applications or links to their websites (collectively, "apps") on the Facebook platform.[16] Once apps are placed on the platform, Facebook's users can open the apps to interact with their Facebook "friends" through games or other app content.[17] In turn, Facebook, by agreement, allows the third-party app providers to "whitelist," or access, not only the data of a user that has opened the app but also the data of that user's Facebook "friends."[18] According to Plaintiffs, this practice of allowing its partners to whitelist Facebook user data has made Facebook much more vulnerable to data breaches.

         C. The FTC Consent Decree

         In November 2011, Facebook entered into the Consent Decree with the FTC as the culmination of the FTC's investigation into Facebook's allegedly inadequate data privacy practices.[19] The Consent Decree mandates that Facebook develop and maintain a comprehensive privacy program subject to regular assessments by a third-party data security firm.[20] The privacy program was required to (1) address privacy risks correlated with the development and management of new and existing products and services for consumers; and (2) protect the privacy and confidentiality of "covered information"--personal consumer information Facebook gathered from consumers' interactions with the Facebook platform.[21]

         To implement the Consent Decree's broad mandate, Facebook was required to execute a plan to secure its user's private data that was commensurate in scale with the size of the Company's user base and the complexity of its platform.[22] It also was required to track data protection outcomes in writing and to place specified employees in positions where they could execute privacy risk assessments and develop steps to protect the covered information as defined in the Consent Decree.[23]The Company's compliance with these mandates was to be subject to initial and biennial assessments by an independent, experienced privacy and data protection professional for a period of 20 years.[24] During this prescribed monitoring period, Facebook was required to inform all current and future principals, officers, directors and managers of the specific content of the Consent Decree.[25] The implementation of the Consent Decree was to be monitored at the Board level by Facebook's Audit Committee.[26]

         In the three bi-annual assessments completed after the entry of the Consent Decree, an independent data privacy firm attested that Facebook had invoked privacy controls "meet[ing] or exceed[ing] the protections required" under the Consent Decree.[27] The independent firm additionally verified that Facebook's privacy program "has built-in procedures to evaluate and adjust the Privacy Program in light of testing and monitoring results, as well as other relevant circumstances."[28]In 2017, Facebook's privacy team detected 370, 000 noncompliant apps and took corrective measures that varied from instituting constraints, to delivering cease-and-desist letters, to eliminating the apps from the Platform.[29]

         D. The Cambridge Analytica Breach

         In 2013, Aleksandr Kogan, a Cambridge University professor and data researcher, created a personality "quiz" app called "thisisyourdigitallife."[30] In 2014, the app went live on the Facebook Platform, positioning itself as a "research app used by psychologists" and assuring users that the results of the quiz would be utilized only for academic purposes.[31] About 270, 000 users installed the app and agreed to share their personal data, as well as aspects of their Facebook friends' personal data.[32] At the time, Facebook's policies permitted this data sharing to varying degrees depending on the friends' privacy and application settings.[33]

         In December 2015, The Guardian published a story reporting that Kogan's company, Global Science Research ("GSR"), sold the data of millions of Facebook users as collected on the "thisisyourdigitalife" app to Cambridge Analytica in violation of Facebook's data use and platform policies.[34] The article reported Cambridge Analytica used the data to develop psychological profiles of U.S. voters.[35] Following the article's release, the Company blocked Kogan and his app from Facebook and obtained written verifications from Kogan, GSR, Cambridge Analytica, a Cambridge Analytica employee and others that all Facebook user data in their possession had been destroyed.[36] Cambridge Analytica's CEO, Alexander Nix, then testified before the Parliament of the United Kingdom and later confirmed in writing to the House of Commons that Cambridge Analytica neither owned nor utilized Facebook user data.[37] With that, Facebook believed the issue was resolved.

         On March 17, 2018, The New York Times and The Guardian reported that, in 2015, Cambridge Analytica had misappropriated Facebook user data via Kogan's app--resurfacing the issue.[38] This time, though, the articles went a step further, revealing Cambridge Analytica lied when it conveyed to Facebook in 2016 that it had deleted all the user data.[39] Instead, according to the reports, Cambridge Analytica kept the data and deployed it in connection with the 2016 Presidential campaign.[40] The New York Times also reported that, in response to multiple requests for information, Facebook "downplayed the scope of the leak and questioned whether any of the data still remained out of its control."[41] After these reports surfaced, Facebook suspended Cambridge Analytica and its employees from the Facebook platform.[42]

         On March 20, 2018, Bloomberg News provided further color by detailing the many investigations that had been launched into Facebook's data security practices.[43] Among the investigations mentioned, the article reported that the FTC had opened an investigation into whether Facebook violated the 2011 Consent Decree.[44] According to the article, the FTC would soon deliver a notice to Facebook detailing its concerns that the Company was not complying with the Consent Decree and generally was not protecting its users' private data.[45] Six congressional committees likewise had opened investigations into how Cambridge Analytica managed to access the personal data of 50 million Facebook users.[46] In response, Facebook reportedly led staff-level briefings to prepare for inquiries by the Judiciary, Commerce and Intelligence Committees of both congressional Chambers.[47]

         On the same day the Bloomberg News story was published, The New York Times reported that Alex Stamos, Facebook's Chief Information Security Officer, had decided to leave the Company.[48] According to this report, Stamos advocated for transparency regarding Russian agents' use of Facebook to influence the 2016 Presidential election, but faced immutable "resistance" from the Company.[49]

         On March 21, 2018, Bloomberg News reported a former Facebook operations manager, Sandy Parakilas, had advised British lawmakers that he warned senior executives at the Company about inadequate data protection guidelines but the warnings were ignored.[50] Parakilas made clear he had mapped out the data security weaknesses within the platform, including a list of bad and potentially bad actors, how these actors might exploit user data and the risks to which the Company might be exposed if a data breach occurred.[51] Parakilas stated Facebook could have avoided the Cambridge Analytica breach, but instead permitted third parties to obtain users' personally identifiable data in furtherance of its whitelist agenda.[52]

         On March 26, 2018, the FTC issued a press release confirming it was pursuing a non-public investigation into Facebook's privacy practices and compliance with the Consent Decree.[53] In the press release, the FTC's acting director, Thomas Pahl, explained that the FTC's primary means for maintaining consumer privacy was to initiate enforcement actions when companies, like Facebook, failed to honor commitments they made to maintain their customers' privacy.[54] He then emphasized Facebook had an affirmative obligation to comply with the Consent Decree's privacy and data security requirements.[55]

         On April 4, 2018, The New York Times reported the number of Facebook users affected by the Cambridge Analytica data breach had grown from 50 million to 87 million.[56] The article made a point to report that Facebook had not disclosed that figure voluntarily, and then made the disturbing revelation that certain Facebook search and account recovery functions may have exposed "most" of its 2 billion users to outside parties' information harvesting.[57]

         The bad reports kept coming. On April 30, 2018, The New York Times reported that Jan Koum, the founder of Facebook subsidiary, WhatsApp, and a member of Facebook's Board, had announced his plans to leave the Company amidst reports that he had "grown increasingly concerned about Facebook's position on user data in recent years," "was perturbed by the amount of information that Facebook collected on people" and "wanted stronger protections for that data." [58]Mr. Koum reportedly "personally got along with Mark Zuckerberg, Facebook's chief executive, [but] felt the company's board simply paid lip service to the privacy and security concerns he raised."[59]

         E. Zuckerberg Testifies Before Congress

         On March 21, 2018, USA Today reported that Zuckerberg, for the first time, had spoken on behalf of Facebook about the Cambridge Analytica breach.[60] Zuckerberg characterized the controversy as "a breach of trust between Facebook and the people who share their data with us and expect us to protect it."[61] In response to his remarks, analysts observed, "Facebook exhibits signs of systemic mismanagement, [] a new concern [] not contemplated until recently."[62]

         Within weeks of the USA Today article, Zuckerberg testified at the April 10 Senate Hearing, where he acknowledged that Facebook discovered the Cambridge Analytica data breach in 2015, but elected not to conduct an audit concerning the scope of that breach.[63] After Facebook told Cambridge Analytica to erase and discontinue using the collected data, the Company "considered it a closed case," particularly when Cambridge Analytica represented it had erased the user data.[64] Having determined that the case was "closed," Facebook did not notify the FTC or any other outside party of the massive intrusion into its users' private data.[65]

         During the April 10 Senate hearing, Senator Richard Blumenthal opined that Facebook was on notice that it was in violation of the Consent Decree, as evidenced in part by the terms of service it had agreed to with Aleksandr Kogan and others like him.[66] These agreements, according to Senator Blumenthal, revealed Facebook's "willful blindness" to the fact that third parties would sell user data in violation of the Consent Decree.[67] In response, Zuckerberg stated, "[Facebook] should have been aware that this app developer submitted a term that was in conflict with the rules of the platform."[68]

         F. The Regulators Investigate

         On June 5, 2018, The New York Times reported Facebook persisted in maintaining data-sharing partnerships with a minimum of four Chinese electronics companies--including Huawei Technologies Co., Inc., a manufacturing company that maintained a close relationship with the Chinese government and was identified by American intelligence officials as a national security threat.[69] Agreements providing access to private user data had been in place since at least 2010 and continued in effect through the date of the reporting.[70] The New York Times also revealed Facebook permitted access to private user data to many other large manufacturers as well--including Amazon.com, Inc., Apple Inc., BlackBerry Ltd. and Samsung Electronics Co., Ltd.[71]

         On July 2, 2018, The Washington Post reported the FBI, SEC and DOJ had teamed up with the FTC in its investigation of Facebook's data security practices.[72]The federal investigations widened in scope to address the extent to which Facebook knew that its users' data had been misappropriated and disseminated in 2015 and the reasons the Company failed to inform its users or investors of the breaches in real time.[73] Investigators reportedly also concentrated on inconsistencies in more recent accounts from Facebook executives, including Zuckerberg's testimony before Congress.[74]

         On November 12, 2018, The New York Times obtained an internal Facebook document detailing agreements Facebook entered into with device manufacturers whereby the Company provided the personal data of hundreds of millions of its users.[75] The Company reportedly failed to monitor the behavior of these third parties after allowing them to access user data, a failure discovered in 2013 by Facebook's FTC-approved privacy monitor.[76] Once again, Facebook never told its users of these agreements with device manufacturers even though the vast majority of users had not given the Company permission to distribute their information.[77]

         The joint investigations discovered that, in 2013, in furtherance of its commitments to the FTC, Facebook engaged PricewaterhouseCoopers ("PwC") to conduct an assessment of its partnerships with Microsoft and Research in Motion, the makers of Blackberry.[78] PwC discovered only "limited evidence" that Facebook oversaw or assessed its partners' compliance with its data use policies.[79]An unredacted version of a letter from PwC uncovered by a Senate aide suggested that PwC found "no evidence that Facebook had ever addressed the original problem."[80]

         G. Facebook's Data Protection Problems Continue

         On September 28, 2018, The New York Times reported that an attack on Facebook's computer network had exposed the private data of 50 million users.[81]The breach allowed the hackers to gain access to user accounts and potentially take control of them.[82] Then, on October 31, 2018, Business Insider reported on the ineffectiveness of Facebook's ad transparency tools as evidenced by the fact that reporters had been permitted to run advertisements "paid for" by Cambridge Analytica.[83]

         On November 14, 2018, The New York Times reported that Alex Stamos, then Facebook's Chief Security Officer, told the Board on September 6, 2017, that the Company had not eliminated suspicious Russian activity on its platform.[84]In response, Board member, Sheryl Sandberg, allegedly yelled at Stamos, "[y]ou threw us under the bus!"[85] This exchange occurred after Zuckerberg and Sandberg asked Stamos and other Facebook executives to update Facebook's Audit Committee on data privacy issues and after Stamos had been rebuked by Zuckerberg and Sandberg for providing too much information.[86] The article further revealed that Zuckerberg and Sandberg intended publicly to disclose the Cambridge Analytica breach the same day as the Company's quarterly Board meeting in September 2017.[87] Stamos wrote the proposed report of Facebook's findings to assist Sandberg in her public comments.[88] Sandberg, however, sent the report back to Stamos because she wanted it to be less specific.[89]

         On December 5, 2018, the Parliamentary Committee released internal Facebook documents, including executive emails and internal presentations.[90]These internal documents revealed Facebook's business plan, first conceived in 2013, was to monetize its platform by "privatizing" user data through agreements with certain preferred partners to "whitelist" apps and services integrated into the platform so that Facebook and its partners could reciprocally share user data.[91]Facebook entered into whitelisting agreements with companies in varied industries, like the Royal Bank of Canada and Walgreens Co.[92] In September 2013, Facebook executed a business strategy to "review access" to user data by documenting the business partners it would allow to have paid access to user data through the "whitelist" and those who would be denied access because they were deemed to be a competitive threat to the Company.[93]

         According to the documents released by the Parliamentary Committee, Zuckerberg was the first to conceive of the plan to monetize user data within the Facebook platform and he emailed the idea and the implementing steps to Sandberg and the Vice Presidents of the Company.[94] Zuckerberg hoped to engage in "reciprocity" in the sharing of user data if the information generated by a Facebook business partner was valuable to the Company.[95]

         The documents also revealed Facebook accessed users' Android phone data without permission and designed the Facebook platform so that it could readily retrieve that data.[96] The Facebook application installed on Android phones read users' call log histories and messaging histories without permission, and was specifically engineered to "upgrade" users to this level of access without clearly alerting them that the "upgrade" was occurring.[97] Facebook's executives believed this effort to avoid obtaining Android's user permissions was "a pretty high risk thing to do."[98] Nevertheless, the plan was approved at the highest levels of Facebook.[99]

         On December 18, 2018, The New York Times published the latest in its series of articles on Facebook, this time providing additional reporting regarding the Company's failure to disclose that it had allowed its business partners broad access to users' personal data.[100] The New York Times interviewed former employees of the FTC consumer protection division who were involved in the investigation leading to the Consent Decree, and each stated that Facebook's ongoing data sharing partnerships likely violated the agreement.[101] The New York Times also interviewed Facebook employees, who revealed that many of these partnerships were not captured by the Company's privacy compliance program because they were deemed business contracts outside of Facebook's data policies.[102] The Facebook privacy team allegedly had no means to review or propose modifications to the data-sharing agreements that the Company's senior officials negotiated.[103]

         H. The Fallout

         Multiple lawsuits have been filed-some as direct consumer class actions, some as government enforcement actions and some as derivative actions against Facebook fiduciaries-alleging that Facebook's implementation of a business model that exposed private user data to unauthorized third-party access has caused harm to consumers and harm to the Company.[104] Indeed, according to Fortune magazine, Facebook is facing "dozens" of "data lawsuits."[105]

         On February 14, 2019, The Washington Post reported Facebook was currently negotiating with the FTC over a "multi-billion dollar fine" for Facebook's mishandling of user data and violation of the Consent Decree.[106] On that same day, the Parliamentary Committee published the Parliamentary Report, revealing emails from Zuckerberg and Sandberg that the Parliamentary Committee read as confirming Facebook "intentionally and knowingly" violated both data privacy and competition laws.[107] The Parliamentary Report further determined that the "Cambridge Analytica Scandal was facilitated by Facebook's policies," observing that the "incident displays the fundamental weakness of Facebook in managing its responsibilities to the people whose data is used for its own Commercial purposes."[108]

         I. Procedural History

         After The Guardian and The New York Times published articles on the Cambridge Analytica breach in March 2018, [109] the Company received inspection demands from multiple Facebook stockholders under Section 220, including each of the three plaintiffs in this consolidated action. On April 11, 2018, Plaintiff Local No. 79 sent its Demand to Facebook's Board. The Demand focused on Facebook's failure to secure its users' private data and specified three purposes for inspection of Facebook's books and records: (1) to "investigate and assess the actual and potential wrongdoing, mismanagement, and breaches of fiduciary duty by members of the Company's Board[;]" (2) to "assess the ability of the Company's Board to impartially consider a demand for action (including for the filing of a derivative lawsuit on the Company's behalf[;]" and (3) to "take appropriate action in the event the members of the Company's Board did not discharge their fiduciary duties, including the preparation and filing of a shareholder derivative lawsuit, if appropriate."[110]

         The Demand sought eight categories of "Board Materials" that, by definition, encompassed both Board and committee materials, to include "all presentations, board packages, recordings, agenda, summaries, memoranda, charts, transcripts, notes, minutes of meetings, drafts of minutes of meetings, exhibits distributed at meetings, summaries of meetings, or resolutions."[111] As for timeframe, the Demand sought "all books, records, and documents within the Company's possession, custody, or control for and/or relating to the period February 3, 2017 to present."[112]

         In its May 1, 2018 response to the Demand (the "Demand Response"), Facebook asserted that the Demand failed to meet the requirements of Section 220 by failing to "provide a credible basis to support a finding of actionable mismanagement," primarily because the news articles identified in the Demand did not directly implicate Facebook's directors.[113] Further, Facebook stated that if Local No. 79 sought to investigate a Caremark claim, the Demand failed to provide any evidence that Facebook "'utterly failed to implement a reporting system or ignored red flags.'"[114] Facebook also maintained that the stockholder's eight inspection requests were overbroad because the requests were "akin to civil litigation discovery requests, seeking broad categories of documents relating to the Company's privacy policies, risk management and compliance issues, and Board issues."[115]

         While maintaining its objections to the Demand and subject to the parties entering into an appropriate confidentiality agreement, Facebook agreed to produce certain Board minutes and related materials apparently in hopes of avoiding litigation.[116] On June 12 and 18, 2018, Facebook produced 1, 694 pages of its books and records.[117] Of that total, 1, 612 pages were redacted completely and marked as "non-responsive," containing no information, or produced with only a title or other information identifying the document.[118] Ignoring the date parameters stated in the Demand, the production included documents dated between January 2014 and December 2017.[119] Rather than identify the category of documents identified in the Demand to which the produced documents were responsive, the Demand Response created its own category, "all documents relating to unauthorized access of third-party user data."[120]

         On September 6, 2018, Local No. 79 filed its Complaint in which it repeated the allegations of wrongdoing stated in its Demand but omitted certain of the specific categories of documents it had originally sought in the Demand.[121]On September 28, 2018, Facebook answered the Complaint and raised the same defenses it had stated in its Demand Response, including that Plaintiffs lack a proper purpose for the Demand and seek an overbroad production of books and records given the stated purposes for inspection.[122] On October 11, 2018, the Court entered a Stipulation and Order consolidating this action with two related Section 220 actions-the Birmingham action and the Levy action.[123] Under the consolidation order, the Local No. 79 Complaint became the operative complaint, and the Demand became the operative demand.[124] The trial occurred on March 7, 2019.

         In a commendable effort to clarify the issues for trial, the parties met on September 12, 2018, to discuss the scope of documents Plaintiffs sought to inspect. The following day, Plaintiffs provided a revised (and broader) list of requested books and records, identified custodians from whom documents should be collected and clarified that the Company should collect documents generated from January 1, 2011 through the present.[125] The documents requested were:

• Board and Committee Meeting Materials
o Minutes, presentations, agendas, and resolutions for the Board and Board Committees of Facebook;
o Any notes taken or other written materials generated by the Board members in connection with any meeting of the Board of Facebook or any committee of the Board; and
o Unredacted versions of relevant non-privileged documents produced in response to Shareholder's Demand for Books and Records.
• Senior Management Material
o Relevant written materials generated by or provided to Mark Zuckerberg including emails, reports, presentations, and business plans;
o Relevant written materials generated by or provided to Facebook's internet security, regulatory affairs or other relevant departments; and
o Non-privileged relevant written materials generated by or provided to Facebook's legal department.
• Relevant policies or procedures of Facebook;
• Documents produced to the government in connection with the 2011 consent decree and Cambridge Analytica and the resulting investigations;
• Board independence materials-any board questionnaires for each board member;
• Organizational charts for Facebook's relevant departments;
• All documents produced to other stockholders in response to Section 220 demands or otherwise;
• Privilege log as set forth in paragraph four of the June 2018 Confidentiality Stipulation; and
• Electronic communications by and between the board, executives and senior management relating to the subject matter in the Demand and Complaint.[126]

         Needless to say, the revised list sought a substantially expanded scope of documents than Plaintiffs requested in the Demand.

         On January 2, 2019, the parties met again to discuss the scope of production and Facebook ultimately asked Plaintiffs to prepare a form of order they would ask the Court to enter if the parties litigated the matter through trial.[127] Plaintiffs agreed and, on January 16, 2019, provided their proposed form of order that defined the categories of documents to be produced as follows:

(1) the 2011 Consent Decree and related correspondence with the FTC;
(2) the investigations conducted by the Department of Justice, Securities and Exchange Commission, and Federal Bureau of Investigation regarding Defendant's sharing of personal information and related correspondence with each of those agencies;
(3) third party access to and handling of Facebook user data, including but not limited to agreements with other companies regarding the same;
(4) how the Facebook platform shares user data, including but not limited to design decisions regarding the Facebook application programming interface ("API") and third party access to the Facebook platform;
(5) Defendant's general compliance policies and procedures respecting data privacy and access to user data;
(6) Defendant's internal investigation policies, procedures and protocols;
(7) the Atlas (SOC1 & SOC 2/3), Custom Audience (SOC 2/3) and Workplace (SOC 2/3) audits performed by or on behalf of Defendant, and any other internal investigations or audits performed regarding topics 1-6;
(8) any other regulatory, criminal, and civil investigations and civil lawsuits regarding topics 1-6; and
(9) documents relating to the independence of Defendant's directors and committees of the Board.[128]

         Plaintiffs provided their proposed list of custodians a week later, including (1) all members of Facebook's Audit Committee since 2011; (2) any person who presented to the Audit Committee since 2011; (3) a list of seven Facebook officers, including its general counsel; and (4) Facebook officers/directors Zuckerberg and Sandberg.[129] Ultimately, this exercise did not lead to an agreement.

         In the Pre-Trial Order, the categories of books and records and the custodians from whom Plaintiffs sought records changed again. There, Plaintiffs sought:

[H]ard-copy and electronic documents from the period of January 1, 2011 through December 31, 2018, received or authored by any member of Facebook's Board relating to the following topics are necessary and essential to the purposes stated in the Local No. 79 Section 220 Demand:
(1) the Consent Decree that Facebook entered into with the United States Federal Trade Commission in November 2011 and related correspondence with the [FTC];
(2) the investigations conducted by the United States Department of Justice, Securities and Exchange Commission, and Federal Bureau of Investigation regarding Facebook's sharing of personal information and related correspondence with each of those agencies;
(3) compliance with the European Union's General Data Privacy Regulation and related correspondence with European regulators;
(4) third party access to and handling of Facebook user data, including but not limited to agreements with other companies regarding the same;
(5) how the Facebook platform shares user data, including but not limited to design decisions regarding the Facebook application programming interface ("API") and third party access to the Facebook platform;
(6) Facebook's general compliance policies and procedures respecting data privacy and access to user data;
(7) Facebook's internal investigation policies, procedures and protocols;
(8) the Atlas (SOC1 & SOC 2/3), Custom Audience (SOC 2/3) and Workplace (SOC 2/3) audits performed by or on behalf of Facebook, and any other internal investigations or audits performed regarding topics 1-7;
(9) any other regulatory, criminal, and civil investigations and civil lawsuits regarding topics 1-7; and
(10) documents relating to the independence of Facebook's directors and committees of the Board (collectively, "Plaintiffs' Responsive Topics").[130]

         Plaintiffs also requested electronic communications, including emails, concerning these topics from the following custodians: Erskine B. Bowles, Sam Lessin, Sheryl Sandberg, Alex Stamos, Colin Stretch and Mark Zuckerberg.[131] Defendants addressed this version of Plaintiffs' demand for inspection in their Pre-Trial Brief and at trial.

         Plaintiffs' demand took on yet another form in Plaintiffs' Pre-Trial Brief, where ...


Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.