In re Facebook, Inc. Section 220 Litigation
Annotate this Case
Download PDF
IN THE COURT OF CHANCERY OF THE STATE OF DELAWARE IN RE FACEBOOK, INC. SECTION 220 LITIGATION : : CONSOLIDATED C.A. No. 2018-0661-JRS MEMORANDUM OPINION Date Submitted: March 7, 2019 Date Decided: May 30, 2019 Revised: May 31, 2019 Samuel L. Closic, Esquire of Prickett, Jones & Elliott, P.A., Wilmington, Delaware and Frank R. Schirripa, Esquire and Daniel B. Rehns, Esquire of Hach Rose Schirripa & Cheverie LLP, New York, New York, Attorneys for Plaintiff Construction and General Building Laborers’ Local Union No. 79 General Fund and Co-Lead Counsel. Peter B. Andrews, Esquire, Craig J. Springer, Esquire and David M. Sborz, Esquire of Andrews & Springer, LLC, Wilmington, Delaware; Geoffrey M. Johnson, Esquire of Scott+Scott Attorneys At Law LLP, Cleveland Heights, Ohio; and Donald A. Broggi, Esquire, Scott R. Jacobsen, Esquire and Jing-Li Yu, Esquire of Scott+Scott Attorneys At Law LLP, New York, New York, Attorneys for Plaintiff City of Birmingham Relief and Retirement System and Additional Counsel for Plaintiffs. Ryan M. Ernst, Esquire of O’Kelly Ernst & Joyce, LLC, Wilmington, Delaware and Thomas J. McKenna, Esquire and Gregory M. Egleston, Esquire of Gainey McKenna & Egleston, New York, New York, Attorneys for Plaintiff Lidia Levy and Additional Counsel for Plaintiffs. David E. Ross, Esquire and R. Garrett Rice, Esquire of Ross Aronstam & Moritz LLP, Wilmington, Delaware; Orin Snyder, Esquire of Gibson, Dunn & Crutcher LLP, New York, New York; Kristin A. Linsley, Esquire and Brian M. Lutz, Esquire of Gibson, Dunn & Crutcher LLP, San Francisco, California; Paul J. Collins, Esquire of Gibson, Dunn & Crutcher LLP, Palo Alto, California; and Joshua S. Lipshutz, Esquire of Gibson, Dunn & Crutcher LLP, Washington, D.C., Attorneys for Defendant Facebook, Inc. SLIGHTS, Vice Chancellor In July 2018, Facebook, Inc. (“Facebook” or the “Company”) experienced one of the sharpest single-day market value declines in history when its stock price dropped 19%, wiping out approximately $120 billion of shareholder wealth. This unprecedented misfortune followed news reports that, in 2015, the private data of 50 million Facebook users had been poached by Cambridge Analytica, a British political consulting firm.1 Facebook did not disclose this security breach to its users upon discovery or at any time thereafter. Users first learned of the breach when they read or heard about it in the news. At the time of the Cambridge Analytica breach, Facebook was subject to a consent decree entered by the Federal Trade Commission (the “FTC”) in 2011 (the “Consent Decree”) after the FTC determined that the Company’s data privacy measures were not protecting users’ private information. Among other things, the Consent Decree required Facebook to implement more robust and verifiable data security protocols. Soon after news of the Cambridge Analytica breach broke, reports surfaced that Facebook’s business model included incentives to monetize its users’ data without their consent. These reports were followed by news that the FTC, Federal Bureau of Investigation (“FBI”), Securities and Exchange Commission (“SEC”), 1 The more current data indicates that the breach affected more than 87 million users. JX 52. 1 Department of Justice (“DOJ”), European Information Commissioner’s Office (“ICO”) and other European authorities had all opened investigations into Facebook’s data privacy practices. On April 11, 2018, Plaintiff, Construction and General Building Laborers’ Local No. 79 General Fund (“Local No. 79”), served a demand to inspect Facebook’s books and records (the “Demand”) under Section 220 of the Delaware General Corporation Law (“Section 220”).2 As required by statute,3 Local No. 79 stated that its purpose for inspection was to “investigate and assess the actual and potential wrongdoing, mismanagement, and breaches of fiduciary duties by the members of the Company's Board” in connection with the data privacy breaches and “to investigate the independence and disinterestedness” of the Company’s directors.4 In response, Facebook produced about 1,700 pages of significantly redacted books and records. 2 8 Del. C. § 220. As explained below, several other Facebook stockholders followed Local No. 79 in directing Section 220 demands to Facebook. By order dated October 11, 2018, the Court deemed Local No. 79’s Demand to be the operative demand. D.I. 17. 3 8 Del. C. § 220(b). 4 JX 54 (Local No. 79’s Demand to Inspect Books and Records) at 6. 2 When discussions between the parties regarding the scope of Facebook’s production broke down, Local No. 79 filed its Verified Complaint to Compel Inspection on September 6, 2018.5 In its answer to that Complaint, Facebook denied Plaintiff had stated a proper purpose for inspection and maintained that, even if a proper purpose had been stated, Plaintiff was not entitled to inspect any documents beyond those already produced.6 Specifically, Facebook asserted the Complaint failed to plead a credible basis to infer that Facebook’s directors breached their duty of oversight, or any other aspect of their fiduciary duties, because the Cambridge Analytica breach resulted from the unanticipated acts of third parties who had managed to compromise Facebook’s existing (and adequate) data privacy systems. The parties agreed to a “paper record” trial (i.e., without deposition or live testimony). After carefully reviewing the evidence and the arguments of counsel, I conclude in this post-trial decision that Plaintiffs have demonstrated, by a preponderance of the evidence, a credible basis from which the Court can infer that I cite to Local Union No. 79’s Verified Complaint (“Complaint”) as “Compl. ¶ __.” (D.I. 1). Plaintiffs, City of Birmingham Retirement and Relief System (“Birmingham”) and Lidia Levy (together with Local 79, “Plaintiffs”), also filed complaints seeking to enforce their inspection rights under Section 220. The Court has designated the Local Union No. 79 Complaint as the operative complaint for purposes of this consolidated action. See D.I. 17. I cite to the Pre-Trial Stipulation and Order (“PTO”) as “PTO ¶ __.” (D.I. 32). 5 Defendant’s Answer and Defenses to Plaintiff’s Verified Complaint Pursuant to 8 Del. C. § 220 (“Answer”) ¶¶ 3, 4. (D.I. 11). 6 3 wrongdoing occurred at the Board level in connection with the data privacy breaches that are the subject of this action. In so finding, I reject, as a matter of law, Facebook’s implicit suggestion that I must adjudicate the merits of Plaintiffs’ Caremark claim before allowing an otherwise proper demand for inspection to stand. This is not the time for a merits assessment of Plaintiffs’ potential claims against Facebook’s fiduciaries. The “credible basis” standard applicable in this Section 220 action imposes the lowest burden of proof known in our law and asks a fundamentally different question than would be asked at a trial on the merits: has the stockholder presented “some evidence” to support an inference of wrongdoing that would justify allowing the stockholder to inspect Facebook’s books and records?7 While this court consistently reminds stockholders that a Caremark claim “is possibly the most difficult theory upon which a plaintiff might hope to win a judgment,”8 that admonition does not license this court to alter the minimum burden of proof governing a stockholder’s qualified right to inspect books and records. Seinfeld v. Verizon Commc’ns, Inc., 909 A.2d 117, 118 (Del. 2006) (“We reaffirm the well-established law of Delaware that stockholders seeking inspection under Section 220 must present ‘some evidence’ to suggest a ‘credible basis’ from which a court can infer that mismanagement, waste or wrongdoing may have occurred.”). 7 8 In re Caremark Int’l Deriv. Litig., 698 A.2d 959, 967 (Del. Ch. 1996). 4 In the wake of the Consent Decree, Facebook was under a positive obligation to take specific steps to protect its users’ private data. That obligation was firmly in place at the time of the Cambridge Analytica breach. Delaware courts traditionally have viewed stockholder allegations that a board failed to oversee the company’s obligation to comply with positive law, or positive regulatory mandates, more favorably in the Caremark paradigm than allegations that a board failed to oversee the company’s efforts generally to avoid business risk. Plaintiffs have presented “some evidence” that the Board failed to oversee Facebook’s compliance with the Consent Decree resulting in unauthorized access to its users’ private data and attendant consequences to the Company. In other words, Plaintiffs have sustained their minimal burden to demonstrate a credible basis of wrongdoing justifying the inspection of certain of the Company’s books and records.9 Judgment is entered for Plaintiffs. Facebook shall produce for inspection the books and records designated herein as essential to Plaintiffs’ pursuit of their proper purpose. 9 At the risk of prolixity, I emphasize this Opinion stops well short of concluding that Facebook fiduciaries engaged in any wrongdoing in connection with any data privacy breaches that may have occurred at the Company. That merits-based determination awaits another day. 5 I. FACTUAL BACKGROUND The Court presided over a one-day trial on March 7, 2019. The following facts were proven by a preponderance of the evidence against the backdrop of the credible basis standard.10 A. The Parties Local No. 79 has continuously owned Facebook stock since June 17, 2015.11 Defendant, Facebook, is a Delaware corporation that operates the Facebook social At the outset of this recitation of facts, I acknowledge that Plaintiffs’ evidence, by necessity, is comprised of publically available information, including a heavy dose of newspaper and other news media reports. I am mindful that these reports are hearsay. Even so, in a Section 220 proceeding, “[h]earsay statements may be considered, provided they are sufficiently reliable.” Amalgamated Bank v. Yahoo! Inc., 132 A.3d 752, 778 (Del. Ch. 2016). See also, In re Plains All Am. Pipeline, L.P., 2017 WL 6066570, at *3–4 (Del. Ch. Aug. 8, 2017) (ORDER) (relying on Los Angeles Times article to find that stockholder had stated a credible basis to suspect wrongdoing for purposes of Section 220); Paul v. China MediaExpress Hldgs., Inc., 2012 WL 28818, at *4 (Del. Ch. Jan. 5, 2012) (finding plaintiff stated credible basis to suspect wrongdoing, in part, based on the plaintiff’s identification of “numerous third-party media reports alleging fraudulent conduct by the [company’s] officers and directors”); Leonard v. Texas, 137 S.Ct. 847, 848 (2017) (denying certiorari and relying on articles from the Washington Post and The New Yorker for factual propositions concerning civil forfeiture). For the most part, I have referred to the news reports as chronological markers of the events that have unfolded since the entry of the Consent Decree. Unless otherwise indicated, I have not viewed these reports as standalone evidence of wrongdoing at the Company. As discussed below, many of the reports either have been acknowledged by the Company or have been corroborated by other investigations. 10 11 JX 54 at 11. The other Plaintiffs also owned Facebook stock at the time they submitted their demands—Birmingham since June 22, 2012 (JX 56) and Levy since May 12, 2012 (JX 58). 6 media platform.12 Facebook’s principal executive offices are in Menlo Park, California.13 B. Facebook’s Business Mark Zuckerberg founded Facebook in 2004. He serves as the Company’s CEO and Chairman of its Board of Directors (the “Board”).14 Facebook is a social media platform that enables its more than 2.2 billion active users to stay in touch with friends and family, develop connections, learn about world events and circulate individual commentary.15 As part of its business model, Facebook allows independent third-party developers to place their applications or links to their websites (collectively, “apps”) on the Facebook platform.16 Once apps are placed on the platform, Facebook’s users can open the apps to interact with their Facebook “friends” through games or other app content.17 In turn, Facebook, by agreement, allows the third-party app providers to “whitelist,” or access, not only the data of a user who has opened the app but also 12 PTO ¶ 2. 13 Id. 14 Id. ¶ 3. 15 Answer ¶¶ 7, 8. JX 103 (the Parliamentary Committee’s report on “Disinformation and ‘Fake News’”) (the “Parliamentary Report”). 16 17 Id. 7 the data of that user’s Facebook “friends.”18 According to Plaintiffs, this practice of allowing its partners to whitelist Facebook user data has made Facebook much more vulnerable to data breaches. C. The FTC Consent Decree In November 2011, Facebook entered into the Consent Decree with the FTC as the culmination of the FTC’s investigation into Facebook’s allegedly inadequate data privacy practices.19 The Consent Decree mandates that Facebook develop and maintain a comprehensive privacy program subject to regular assessments by a thirdparty data security firm.20 The privacy program was required to (1) address privacy risks correlated with the development and management of new and existing products and services for consumers; and (2) protect the privacy and confidentiality of “covered information”––personal consumer information Facebook gathered from consumers’ interactions with the Facebook platform.21 See Tr. 18:9–12 (“[T]here’s a concept in Facebook, it’s a term of art . . . and it’s called whitelisting. And it essentially gives a third party access to the entire data profile of a user and in some instances can also give the third party access to data profiles of the user’s friends.”). See also, JX 12; JX 103. 18 19 Answer ¶ 8; JX 1. 20 JX 1; JX 37. 21 JX 1 at § IV. 8 To implement the Consent Decree’s broad mandate, Facebook was required to execute a plan to secure its user’s private data that was commensurate in scale with the size of the Company’s user base and the complexity of its platform.22 It also was required to track data protection outcomes in writing and to place specified employees in positions where they could execute privacy risk assessments and develop steps to protect the covered information as defined in the Consent Decree.23 The Company’s compliance with these mandates was to be subject to initial and biennial assessments by an independent, experienced privacy and data protection professional for a period of 20 years.24 During this prescribed monitoring period, Facebook was required to inform all current and future principals, officers, directors and managers of the specific content of the Consent Decree.25 The implementation of the Consent Decree was to be monitored at the Board level by Facebook’s Audit Committee.26 22 Under the privacy program, Facebook must undergo fixed internal privacy and security risk assessments, require employees to participate in privacy training programs, guarantee that its user and developer privacy policies and controls are crystal clear and easily accessed, and measure and strengthen its privacy program under the direction of its privacy governance team. See JX 37 at 7–14; JX 24 at 660. 23 JX 1 at § IV. 24 Id. at § V. 25 Id. at §§ VII, X. 26 JX 39 at 1468; JX 41 at 1593; JX 29 at 998; JX 13 at 401. 9 In the three bi-annual assessments completed after the entry of the Consent Decree, an independent data privacy firm attested that Facebook had invoked privacy controls “meet[ing] or exceed[ing] the protections required” under the Consent Decree.27 The independent firm additionally verified that Facebook’s privacy program “has built-in procedures to evaluate and adjust the Privacy Program in light of testing and monitoring results, as well as other relevant circumstances.”28 In 2017, Facebook’s privacy team detected 370,000 noncompliant apps and took corrective measures that varied from instituting constraints, to delivering cease-anddesist letters, to eliminating the apps from the platform.29 D. The Cambridge Analytica Breach In 2013, Aleksandr Kogan, a Cambridge University professor and data researcher, created a personality “quiz” app called “thisisyourdigitallife.”30 In 2014, the app went live on the Facebook platform, positioning itself as a “research app used by psychologists” and assuring users that the results of the quiz would be utilized only for academic purposes.31 About 270,000 users installed the app and 27 JX 37 at 19; JX 6; JX 27. 28 JX 37 at 14; see, e.g., JX 42 at 1627–29, 1637; JX 35 at 1352. 29 JX 67 at 9. 30 JX 44 at 2. 31 Id. 10 agreed to share their personal data, as well as aspects of their Facebook friends’ personal data.32 At the time, Facebook’s policies permitted this data sharing to varying degrees depending on the friends’ privacy and application settings.33 In December 2015, The Guardian published a story reporting that Kogan’s company, Global Science Research (“GSR”), sold the data of millions of Facebook users as collected on the “thisisyourdigitalife” app to Cambridge Analytica in violation of Facebook’s data use and platform policies.34 The article reported Cambridge Analytica used the data to develop psychological profiles of U.S. voters.35 Following the article’s release, the Company blocked Kogan and his app from Facebook and obtained written verifications from Kogan, GSR, Cambridge Analytica, a Cambridge Analytica employee and others that all Facebook user data in their possession had been destroyed.36 Cambridge Analytica’s CEO, Alexander Nix, then testified before the Parliament of the United Kingdom and later confirmed 32 Id. 33 JX 10; JX 30. 34 JX 30; JX 98; see JX 53 (At an April 10, 2018 combined hearing of the Senate Judiciary and Commerce, Science and Transportation Committees (the “April 10 Senate Hearing”), Senator Richard Blumenthal noted that the terms of service between Facebook and Kogan explicitly allowed Kogan to sell that data.). 35 JX 30. 36 JX 44 at 2; JX 50. 11 in writing to the House of Commons that Cambridge Analytica neither owned nor utilized Facebook user data.37 With that, Facebook believed the issue was resolved. On March 17, 2018, The New York Times and The Guardian reported that, in 2015, Cambridge Analytica had misappropriated Facebook user data via Kogan’s app––resurfacing the issue.38 This time, though, the articles went a step further, revealing Cambridge Analytica lied when it conveyed to Facebook in 2016 that it had deleted all the user data.39 Instead, according to the reports, Cambridge Analytica kept the data and deployed it in connection with the 2016 Presidential campaign.40 The New York Times also reported that, in response to multiple requests for information, Facebook “downplayed the scope of the leak and questioned whether any of the data still remained out of its control.”41 After these reports 37 JX 43; JX 46. 38 JX 45; JX 46. See also, JX 53 (Zuckerberg acknowledged at the April 10 Senate Hearing, “[w]hat we know now is that Cambridge Analytica improperly accessed some information about millions of Facebook members by buying it from an app developer.”). 39 JX 45; JX 46. See JX 53 (Zuckerberg further testified at the April 10 Senate hearing, “[w]hen we first contacted Cambridge Analytica, they told us that they had deleted the data. About a month ago, we heard new reports that suggested that wasn’t true.”). 40 JX 45; JX 46. See also, JX 53 at 17 (At the April 10 Senate Hearing, Senator Maria Cantwell stated, “Cambridge Analytica was providing support to the Trump campaign under Project Alamo[.]”); JX 103 at 42 (the Parliamentary Report describing the use of Cambridge Analytica’s data in the 2016 Presidential campaign). 41 JX 45 at 2. 12 surfaced, Facebook suspended Cambridge Analytica and its employees from the Facebook platform.42 On March 20, 2018, Bloomberg News provided further color by detailing the many investigations that had been launched into Facebook’s data security practices.43 Among the investigations mentioned, the article reported that the FTC had opened an investigation into whether Facebook violated the 2011 Consent Decree.44 According to the article, the FTC would soon deliver a notice to Facebook detailing its concerns that the Company was not complying with the Consent Decree and generally was not protecting its users’ private data.45 Six congressional committees likewise had opened investigations into how Cambridge Analytica managed to access the personal data of 50 million Facebook users.46 In response, Facebook reportedly led staff-level briefings to prepare for inquiries by the 42 JX 44; JX 50. 43 JX 47. Id. See JX 51 (the FTC’s March 26, 2018 press release confirming it was currently pursuing a non-public investigation into Facebook’s privacy practices and compliance with the Consent Decree). 44 45 JX 47. 46 Id. 13 Judiciary, Commerce and Intelligence Committees of both congressional Chambers.47 On the same day the Bloomberg News story was published, The New York Times reported that Alex Stamos, Facebook’s Chief Information Security Officer, had decided to leave the Company.48 According to this report, Stamos advocated for transparency regarding Russian agents’ use of Facebook to influence the 2016 Presidential election, but faced immutable “resistance” from the Company.49 On March 21, 2018, Bloomberg News reported a former Facebook operations manager, Sandy Parakilas, had advised British lawmakers that he warned senior executives at the Company about inadequate data protection guidelines but the warnings were ignored.50 Parakilas made clear he had mapped out the data security weaknesses within the platform, including a list of bad and potentially bad actors, how these actors might exploit user data and the risks to which the Company might 47 Id. at 2–3. 48 JX 48. See Tr. 44:10–14. 49 Id. JX 103 at 74 (The U.K. House of Commons Digital, Culture, Media and Sports Committee (the “Parliamentary Committee”) was “left with the impression that either Simon Milner [Policy Director for the U.K., Middle East and Africa, at Facebook] or Mike Schroepfer [Facebook’s Chief Technology Officer] deliberately misled the Committee or they were deliberately not briefed by senior executives at Facebook about the extent of Russian interference in foreign elections.”). 50 JX 49. See JX 53 at 35 (Senator Richard Blumenthal submitted a letter from Parakilas indicating “not only a lack of resources, but lack of attention to privacy [at the Company].”). 14 be exposed if a data breach occurred.51 Parakilas stated Facebook could have avoided the Cambridge Analytica breach, but instead permitted third parties to obtain users’ personally identifiable data in furtherance of its whitelist agenda.52 On March 26, 2018, the FTC issued a press release confirming it was pursuing a non-public investigation into Facebook’s privacy practices and compliance with the Consent Decree.53 In the press release, the FTC’s acting director, Thomas Pahl, explained that the FTC’s primary means for maintaining consumer privacy was to initiate enforcement actions when companies, like Facebook, failed to honor commitments they made to maintain their customers’ privacy.54 He then emphasized Facebook had an affirmative obligation to comply with the Consent Decree’s privacy and data security requirements.55 On April 4, 2018, The New York Times reported the number of Facebook users affected by the Cambridge Analytica data breach had grown from 50 million to 87 million.56 The article made a point to report that Facebook had not disclosed that 51 JX 49. 52 Id. 53 JX 51. 54 Id. 55 Id. 56 JX 52. 15 figure voluntarily, and then made the disturbing revelation that certain Facebook search and account recovery functions may have exposed “most” of its two billion users to outside parties’ information harvesting.57 The bad reports kept coming. On April 30, 2018, The New York Times reported that Jan Koum, the founder of Facebook subsidiary, WhatsApp, and a member of Facebook’s Board, had announced his plans to leave the Company amidst reports that he had “grown increasingly concerned about Facebook’s position on user data in recent years,” “was perturbed by the amount of information that Facebook collected on people” and “wanted stronger protections for that data.” 58 Mr. Koum reportedly “personally got along with Mark Zuckerberg, Facebook’s chief executive, [but] felt the company’s board simply paid lip service to the privacy and security concerns he raised.”59 Id. See also, JX 103 at 22 (the ICO “fined Facebook because it allowed applications and application developers to harvest the personal information of its customers who had not given their informed consent—think of friends, and friends of friends— and then Facebook failed to keep the information safe.”). 57 58 JX 57. 59 Id. 16 E. Zuckerberg Testifies Before Congress On March 21, 2018, USA Today reported that Zuckerberg, for the first time, had spoken on behalf of Facebook about the Cambridge Analytica breach.60 Zuckerberg characterized the controversy as “a breach of trust between Facebook and the people who share their data with us and expect us to protect it.”61 In response to his remarks, analysts observed, “Facebook exhibits signs of systemic mismanagement, [] a new concern [] not contemplated until recently.”62 Within weeks of the USA Today article, Zuckerberg testified at the April 10 Senate Hearing, where he acknowledged that Facebook discovered the Cambridge Analytica data breach in 2015, but elected not to conduct an audit concerning the scope of that breach.63 After Facebook told Cambridge Analytica to erase and discontinue using the collected data, the Company “considered it a closed case,” particularly when Cambridge Analytica represented it had erased the user data.64 60 JX 104. 61 Id. 62 Id. 63 JX 53 at 11. 64 Id. 17 Having determined that the case was “closed,” Facebook did not notify the FTC or any other outside party of the massive intrusion into its users’ private data.65 During the April 10 Senate hearing, Senator Richard Blumenthal opined that Facebook was on notice that it was in violation of the Consent Decree, as evidenced in part by the terms of service it had agreed to with Aleksandr Kogan and others like him.66 These agreements, according to Senator Blumenthal, revealed Facebook’s “willful blindness” to the fact that third parties would sell user data in violation of the Consent Decree.67 In response, Zuckerberg stated, “[Facebook] should have been aware that this app developer submitted a term that was in conflict with the rules of the platform.”68 F. The Regulators Investigate On June 5, 2018, The New York Times reported Facebook persisted in maintaining data-sharing partnerships with a minimum of four Chinese electronics companies––including Huawei Technologies Co., Inc., a manufacturing company that maintained a close relationship with the Chinese government and was identified 65 Id. 66 JX 53 at 35. 67 Id. 68 Id. 18 by American intelligence officials as a national security threat.69 Agreements providing access to private user data had been in place since at least 2010 and continued in effect through the date of the reporting.70 The New York Times also revealed Facebook permitted access to private user data to many other large manufacturers as well––including Amazon.com, Inc., Apple Inc., BlackBerry Ltd. and Samsung Electronics Co., Ltd.71 On July 2, 2018, The Washington Post reported the FBI, SEC and DOJ had teamed up with the FTC in its investigation of Facebook’s data security practices.72 The federal investigations widened in scope to address the extent to which Facebook 69 JX 62. See also, JX 53 at 87 (Senator Jon Tester stated at the April 10 Senate hearing, “Facebook allowed a foreign company to steal private information. They allowed a foreign company to steal private information from tens of millions of Americans, largely without any knowledge of their own.”). JX 62. See also, JX 103 at 25 (The FTC’s 2011 complaint revealed “from May 2007 to July 2010, [Facebook] allowed external app developers unrestricted access to information about Facebook users’ personal profile and related information[.]”). 70 71 JX 62. JX 68. The Parliamentary Report revealed the specifics of the FBI’s criminal complaint, including: 72 the work of ‘Project Lakhta’, in which individuals have allegedly ‘engaged in political and electoral interference operations targeting populations within the Russian Federation and in various other countries, including, but not limited to, the United States, members of the European Union, and Ukraine[.]’ Since at least May 2014, Project Lakhta’s stated goal in the United States was to spread distrust towards candidates for political office and the political system in general. JX 103 at 78. 19 knew that its users’ data had been misappropriated and disseminated in 2015 and the reasons the Company failed to inform its users or investors of the breaches in real time.73 Investigators reportedly also concentrated on inconsistencies in more recent accounts from Facebook executives, including Zuckerberg’s testimony before Congress.74 On November 12, 2018, The New York Times obtained an internal Facebook document detailing agreements Facebook entered into with device manufacturers whereby the Company provided the personal data of hundreds of millions of its users.75 The Company reportedly failed to monitor the behavior of these third parties after allowing them to access user data, a failure discovered in 2013 by Facebook’s FTC-approved privacy monitor.76 Once again, Facebook never told its users of these agreements with device manufacturers even though the vast majority of users had not given the Company permission to distribute their information.77 73 JX 68. 74 Id. 75 JX 80. 76 Id. 77 Id. 20 The joint investigations discovered that, in 2013, in furtherance of its commitments to the FTC, Facebook engaged PricewaterhouseCoopers (“PwC”) to conduct an assessment of its partnerships with Microsoft and Research in Motion, the makers of Blackberry.78 PwC discovered only “limited evidence” that Facebook oversaw or assessed its partners’ compliance with its data use policies.79 An unredacted version of a letter from PwC uncovered by a Senate aide suggested that PwC found “no evidence that Facebook had ever addressed the original problem.”80 G. Facebook’s Data Protection Problems Continue On September 28, 2018, The New York Times reported that an attack on Facebook’s computer network had exposed the private data of 50 million users.81 The breach allowed the hackers to gain access to user accounts and potentially take control of them.82 Then, on October 31, 2018, Business Insider reported on the ineffectiveness of Facebook’s ad transparency tools as evidenced by the fact that 78 Id. 79 JX 80 at 2. 80 Id. 81 JX 77. 82 Id. 21 reporters had been permitted to run advertisements “paid for” by Cambridge Analytica.83 On November 14, 2018, The New York Times reported that Alex Stamos, then Facebook’s Chief Security Officer, told the Board on September 6, 2017, that the Company had not eliminated suspicious Russian activity on its platform.84 In response, Board member, Sheryl Sandberg, allegedly yelled at Stamos, “[y]ou threw us under the bus!”85 This exchange occurred after Zuckerberg and Sandberg asked Stamos and other Facebook executives to update Facebook’s Audit Committee on data privacy issues and after Stamos had been rebuked by Zuckerberg and Sandberg for providing too much information.86 The article further revealed that Zuckerberg and Sandberg intended publicly to disclose the Cambridge Analytica breach the same day as the Company’s quarterly Board meeting in September 2017.87 Stamos wrote the proposed report of Facebook’s findings to 83 JX 79. JX 82. See also, JX 103 at 74 (The Parliamentary Report noted, “[i]n September 2017, Alex Stamos, the then Chief Security Officer, told the members of Facebook’s Executive Board that that Russian activity was still not under control.”). 84 85 JX 82 at 1. 86 Id. at 9–10. 87 Id. at 9. 22 assist Sandberg in her public comments.88 Sandberg, however, sent the report back to Stamos because she wanted it to be less specific.89 On December 5, 2018, the Parliamentary Committee released internal Facebook documents, including executive emails and internal presentations.90 These internal documents revealed Facebook’s business plan, first conceived in 2013, was to monetize its platform by “privatizing” user data through agreements with certain preferred partners to “whitelist” apps and services integrated into the platform so that Facebook and its partners could reciprocally share user data.91 Facebook entered into whitelisting agreements with companies in varied industries, like the Royal Bank of Canada and Walgreens Co.92 In September 2013, Facebook executed a business strategy to “review access” to user data by documenting the business partners it would allow to have paid access to user data through the 88 Id. 89 Id. 90 JX 3–5, 7–9, 12, 21–22, 26. JX 12 at 3–4, 30. As noted, “whitelisting” a third party at Facebook means to provide that third party with complete access to user data and the data of that users’ friends, irrespective of whether the users’ friends use the third-party app. JX 103 at 29. 91 92 JX 8, 22, 26. 23 “whitelist” and those who would be denied access because they were deemed to be a competitive threat to the Company.93 According to the documents released by the Parliamentary Committee, Zuckerberg was the first to conceive of the plan to monetize user data within the Facebook platform and he emailed the idea and the implementing steps to Sandberg and the Vice Presidents of the Company.94 Zuckerberg hoped to engage in “reciprocity” in the sharing of user data if the information generated by a Facebook business partner was valuable to the Company.95 The documents also revealed Facebook accessed users’ Android phone data without permission and designed the Facebook platform so that it could readily retrieve that data.96 The Facebook application installed on Android phones read users’ call log histories and messaging histories without permission, and was specifically engineered to “upgrade” users to this level of access without clearly alerting them that the “upgrade” was occurring.97 Facebook’s executives believed 93 JX 7 at 1–3. 94 JX 3, 4, 5. JX 5 at 1 (Sandberg wrote by email, “I think the observation that we are trying to maximize sharing of Facebook, not just sharing in the world, is a critical one. I like full reciprocity and this is the heart of why.”). 95 96 JX 21. 97 Id. at 1. 24 this effort to avoid obtaining Android’s user permissions was “a pretty high risk thing to do.”98 Nevertheless, the plan was approved at the highest levels of Facebook.99 On December 18, 2018, The New York Times published the latest in its series of articles on Facebook, this time providing additional reporting regarding the Company’s failure to disclose that it had allowed its business partners broad access to users’ personal data.100 The New York Times interviewed former employees of the FTC consumer protection division who were involved in the investigation leading to the Consent Decree, and each stated that Facebook’s ongoing data sharing partnerships likely violated the agreement.101 The New York Times also interviewed Facebook employees, who revealed that many of these partnerships were not captured by the Company’s privacy compliance program because they were deemed business contracts outside of Facebook’s data policies.102 The Facebook privacy 98 Id. 99 JX 21 at 2. JX 90. JX 103 at 30 (“Apps were able to circumvent users’ privacy of platform settings and access friends’ information, even when the user disabled the Platform.”). 100 101 JX 90 at 3. 102 Id. at 11–12. 25 team allegedly had no means to review or propose modifications to the data-sharing agreements that the Company’s senior officials negotiated.103 H. The Fallout Multiple lawsuits have been filed—some as direct consumer class actions, some as government enforcement actions and some as derivative actions against Facebook fiduciaries—alleging that Facebook’s implementation of a business model that exposed private user data to unauthorized third-party access has caused harm to consumers and harm to the Company.104 Indeed, according to Fortune magazine, Facebook is facing “dozens” of “data lawsuits.”105 On February 14, 2019, The Washington Post reported Facebook was currently negotiating with the FTC over a “multi-billion dollar fine” for Facebook’s 103 Id. 104 See, e.g., Sbriglio v. Zuckerberg, C.A. No. 2018-0307-JRS (derivative action in Delaware); Leagre v. Zuckerberg, C.A. No. 2018-0675-JRS (same); In re Facebook, Inc., Consumer Privacy User Profile Litig., C.A. No. 3:18-md02843 (a multidistrict privacy litigation in the U.S. District Court in the Northern District of California); Yuan v. Facebook, Inc. et al., C.A. No. 3:18-cv-01725 (a federal securities action pending in the U.S. District Court in the Northern District of California); District of Columbia v. Facebook, Inc., C.A. No. 2018-CA-008715 (a consumer class action brought by the United States Government pending in the District of Columbia); State of Illinois ex rel. Foxx v. Facebook Inc., et al., Case No. 2018-CH-03868 (Cook Cty. Cir. Ct.) (a consumer action brought by the Cook County State’s Attorney in Illinois). 105 Jeff John Roberts, FACEBOOK HAS BEEN HIT BY DOZENS OF DATA LAWSUITS. AND THIS COULD BE JUST THE BEGINNING (2018), http://fortune.com/2018/04/30/facebookdata-lawsuits/ (last visited May 30, 2019). 26 mishandling of user data and violation of the Consent Decree.106 On that same day, the Parliamentary Committee published the Parliamentary Report, revealing emails from Zuckerberg and Sandberg that the Parliamentary Committee read as confirming Facebook “intentionally and knowingly” violated both data privacy and competition laws.107 The Parliamentary Report further determined that the “Cambridge Analytica Scandal was facilitated by Facebook’s policies,” observing that the “incident displays the fundamental weakness of Facebook in managing its responsibilities to the people whose data is used for its own Commercial purposes.”108 I. Procedural History After The Guardian and The New York Times published articles on the Cambridge Analytica breach in March 2018,109 the Company received inspection demands from multiple Facebook stockholders under Section 220, including each of the three plaintiffs in this consolidated action. On April 11, 2018, Plaintiff Local No. 79 sent its Demand to Facebook’s Board. The Demand focused on Facebook’s failure to secure its users’ private data and specified three purposes for inspection of 106 JX 102. 107 JX 103. 108 Id. 109 JX 45; JX 46. 27 Facebook’s books and records: (1) to “investigate and assess the actual and potential wrongdoing, mismanagement, and breaches of fiduciary duty by members of the Company’s Board[;]” (2) to “assess the ability of the Company’s Board to impartially consider a demand for action (including for the filing of a derivative lawsuit on the Company’s behalf[;]” and (3) to “take appropriate action in the event the members of the Company’s Board did not discharge their fiduciary duties, including the preparation and filing of a shareholder derivative lawsuit, if appropriate.”110 The Demand sought eight categories of “Board Materials” that, by definition, encompassed both Board and committee materials, to include “all presentations, board packages, recordings, agenda, summaries, memoranda, charts, transcripts, notes, minutes of meetings, drafts of minutes of meetings, exhibits distributed at meetings, summaries of meetings, or resolutions.”111 As for timeframe, the Demand sought “all books, records, and documents within the Company’s possession, custody, or control for and/or relating to the period February 3, 2017 to present.”112 110 Compl. Ex. A at 6 ¶ 47. 111 Compl. Ex. A at 5–6, n. 5. 112 Id. at 6. 28 In its May 1, 2018 response to the Demand (the “Demand Response”), Facebook asserted that the Demand failed to meet the requirements of Section 220 by failing to “provide a credible basis to support a finding of actionable mismanagement,” primarily because the news articles identified in the Demand did not directly implicate Facebook’s directors.113 Further, Facebook stated that if Local No. 79 sought to investigate a Caremark claim, the Demand failed to provide any evidence that Facebook “‘utterly failed to implement a reporting system or ignored red flags.’”114 Facebook also maintained that the stockholder’s eight inspection requests were overbroad because the requests were “akin to civil litigation discovery requests, seeking broad categories of documents relating to the Company’s privacy policies, risk management and compliance issues, and Board issues.”115 While maintaining its objections to the Demand and subject to the parties entering into an appropriate confidentiality agreement, Facebook agreed to produce certain Board minutes and related materials apparently in hopes of avoiding litigation.116 On June 12 and 18, 2018, Facebook produced 1,694 pages of its books 113 JX 60 at 3. 114 Id. at 4 (quoting Beatrice Corwin Living Irrevocable Tr. v. Pfizer, Inc., 2016 WL 4548101, at *5 (Del. Ch. Sept. 1, 2016)). 115 Id. at 5–6. 116 Compl. Ex. B; see Compl. ¶ 54. See also, JX 59; JX 60. 29 and records.117 Of that total, 1,612 pages were redacted completely and marked as “non-responsive,” containing no information, or produced with only a title or other information identifying the document.118 Ignoring the date parameters stated in the Demand, the production included documents dated between January 2014 and December 2017.119 Rather than identify the category of documents identified in the Demand to which the produced documents were responsive, the Demand Response created its own category, “all documents relating to unauthorized access of thirdparty user data.”120 On September 6, 2018, Local No. 79 filed its Complaint in which it repeated the allegations of wrongdoing stated in its Demand but omitted certain of the specific categories of documents it had originally sought in the Demand.121 On September 28, 2018, Facebook answered the Complaint and raised the same defenses it had stated in its Demand Response, including that Plaintiffs lack a proper purpose for the Demand and seek an overbroad production of books and records 117 PX 1–22. 118 Id. 119 Id. 120 JX 97 at 6. 121 D.I. at 1. 30 given the stated purposes for inspection.122 On October 11, 2018, the Court entered a Stipulation and Order consolidating this action with two related Section 220 actions—the Birmingham action and the Levy action.123 Under the consolidation order, the Local No. 79 Complaint became the operative complaint, and the Demand became the operative demand.124 The trial occurred on March 7, 2019. In a commendable effort to clarify the issues for trial, the parties met on September 12, 2018, to discuss the scope of documents Plaintiffs sought to inspect. The following day, Plaintiffs provided a revised (and broader) list of requested books and records, identified custodians from whom documents should be collected and clarified that the Company should collect documents generated from January 1, 2011 through the present.125 The documents requested were: Board and Committee Meeting Materials o Minutes, presentations, agendas, and resolutions for the Board and Board Committees of Facebook; o Any notes taken or other written materials generated by the Board members in connection with any meeting of the Board of Facebook or any committee of the Board; and o Unredacted versions of relevant non-privileged documents produced in response to Shareholder’s Demand for Books and Records. 122 D.I. at 11. 123 D.I. at 17. 124 PTO ¶ 15. 125 JX 76. 31 Senior Management Material o Relevant written materials generated by or provided to Mark Zuckerberg including emails, reports, presentations, and business plans; o Relevant written materials generated by or provided to Facebook’s internet security, regulatory affairs or other relevant departments; and o Non-privileged relevant written materials generated by or provided to Facebook’s legal department. Relevant policies or procedures of Facebook; Documents produced to the government in connection with the 2011 consent decree and Cambridge Analytica and the resulting investigations; Board independence materials—any board questionnaires for each board member; Organizational charts for Facebook’s relevant departments; All documents produced to other stockholders in response to Section 220 demands or otherwise; Privilege log as set forth in paragraph four of the June 2018 Confidentiality Stipulation; and Electronic communications by and between the board, executives and senior management relating to the subject matter in the Demand and Complaint. 126 Needless to say, the revised list sought a substantially expanded scope of documents than Plaintiffs requested in the Demand. On January 2, 2019, the parties met again to discuss the scope of production and Facebook ultimately asked Plaintiffs to prepare a form of order they would ask the Court to enter if the parties litigated the matter through trial.127 Plaintiffs agreed 126 Id. 127 JX 92. 32 and, on January 16, 2019, provided their proposed form of order that defined the categories of documents to be produced as follows: (1) the 2011 Consent Decree and related correspondence with the FTC; (2) the investigations conducted by the Department of Justice, Securities and Exchange Commission, and Federal Bureau of Investigation regarding Defendant’s sharing of personal information and related correspondence with each of those agencies; (3) third party access to and handling of Facebook user data, including but not limited to agreements with other companies regarding the same; (4) how the Facebook platform shares user data, including but not limited to design decisions regarding the Facebook application programming interface (“API”) and third party access to the Facebook platform; (5) Defendant’s general compliance policies and procedures respecting data privacy and access to user data; (6) Defendant’s internal investigation policies, procedures and protocols; (7) the Atlas (SOC1 & SOC 2/3), Custom Audience (SOC 2/3) and Workplace (SOC 2/3) audits performed by or on behalf of Defendant, and any other internal investigations or audits performed regarding topics 1–6; (8) any other regulatory, criminal, and civil investigations and civil lawsuits regarding topics 1–6; and (9) documents relating to the independence of Defendant’s directors and committees of the Board.128 Plaintiffs provided their proposed list of custodians a week later, including (1) all members of Facebook’s Audit Committee since 2011; (2) any person who presented to the Audit Committee since 2011; (3) a list of seven Facebook officers, 128 JX 94. 33 including its general counsel; and (4) Facebook officers/directors Zuckerberg and Sandberg.129 Ultimately, this exercise did not lead to an agreement. In the Pre-Trial Order, the categories of books and records and the custodians from whom Plaintiffs sought records changed again. There, Plaintiffs sought: [H]ard-copy and electronic documents from the period of January 1, 2011 through December 31, 2018, received or authored by any member of Facebook’s Board relating to the following topics are necessary and essential to the purposes stated in the Local No. 79 Section 220 Demand: (1) the Consent Decree that Facebook entered into with the United States Federal Trade Commission in November 2011 and related correspondence with the [FTC]; (2) the investigations conducted by the United States Department of Justice, Securities and Exchange Commission, and Federal Bureau of Investigation regarding Facebook’s sharing of personal information and related correspondence with each of those agencies; (3) compliance with the European Union’s General Data Privacy Regulation and related correspondence with European regulators; (4) third party access to and handling of Facebook user data, including but not limited to agreements with other companies regarding the same; (5) how the Facebook platform shares user data, including but not limited to design decisions regarding the Facebook application programming interface (“API”) and third party access to the Facebook platform; (6) Facebook’s general compliance policies and procedures respecting data privacy and access to user data; (7) Facebook’s internal investigation policies, procedures and protocols; (8) the Atlas (SOC1 & SOC 2/3), Custom Audience (SOC 2/3) and Workplace (SOC 2/3) audits performed by or on behalf of 129 JX 95. 34 Facebook, and any other internal investigations or audits performed regarding topics 1–7; (9) any other regulatory, criminal, and civil investigations and civil lawsuits regarding topics 1–7; and (10) documents relating to the independence of Facebook’s directors and committees of the Board (collectively, “Plaintiffs’ Responsive Topics”).130 Plaintiffs also requested electronic communications, including emails, concerning these topics from the following custodians: Erskine B. Bowles, Sam Lessin, Sheryl Sandberg, Alex Stamos, Colin Stretch and Mark Zuckerberg.131 Defendants addressed this version of Plaintiffs’ demand for inspection in their Pre-Trial Brief and at trial. Plaintiffs’ demand took on yet another form in Plaintiffs’ Pre-Trial Brief, where the categories were stated to include: (1) The 2011 FTC Consent Order and related correspondence with the FTC; (2) Investigations conducted by the [DOJ], [SEC], [FBI] and [ICO] regarding Facebook’s sharing of personal information and related correspondence with each of those agencies; (3) Third party access to and handling of Facebook user data, including but not limited to, design decisions regarding the Facebook application programming interface (“API”) and third-party access to the Facebook platform; (4) Facebook’s general compliance policies and procedures respecting data privacy and access to user data; (5) Facebook’s internal investigation policies, procedures and protocols; (6) Facebook’s Atlas (SOC1 & SOC 2/3), Custom Audience (SOC 2/3) and Workplace (SOC 2/3) audits performed on behalf of the Company, and 130 PTO ¶ 18. 131 Id. at ¶ 19. 35 any other internal investigations or audits performed regarding the topics identified in items 2–6 above; and (7) The independence of Facebook’s directors and committees of the Board.132 The temporal range remained from January 1, 2011 to the present.133 And Plaintiffs again requested electronic communications, including emails, concerning the designated topics from Erskine B. Bowles, Sam Lessin, Sheryl Sandberg, Alex Stamos, Colin Stretch and Mark Zuckerberg.134 This latest iteration formed the basis of Plaintiffs’ arguments at trial.135 II. ANALYSIS Plaintiffs argue the evidence presented at trial provides a credible basis from which the court can infer that mismanagement, waste or wrongdoing may have occurred. Specifically, they contend they have presented some evidence that members of the Board and Facebook senior management knowingly implemented policies that placed user data at risk of misappropriation and failed to monitor Facebook’s compliance with the Consent Decree and, more generally, its efforts to protect its users’ private information. The books and records identified in the 132 Pls.’ Pre-Trial Br. 33–38. 133 Id. at 39. 134 Id. at 40–42. 135 Tr. at 41:2–43:23. 36 Demand, say Plaintiffs, are necessary and proper to investigate this potential wrongdoing. Facebook responds that Plaintiffs have failed to demonstrate a credible basis to infer Facebook’s directors breached their Caremark obligations. Even if a credible basis to infer wrongdoing has been demonstrated, Facebook argues Plaintiffs’ inspection requests are not “circumscribed with [requisite] precision [because they are not] limited to those documents that are necessary, essential and sufficient to the stockholder’s purpose.”136 There is no dispute that Plaintiffs have satisfied Section 220’s so-called “form and manner” requirements.137 Accordingly, I begin my substantive analysis by addressing whether Plaintiffs have stated a proper purpose for inspection. After concluding that they have, I turn to the dispute regarding the scope of the documents to be produced. A. Section 220’s Minimal Burden of Proof The standard for evaluating a demand for books and records under Section 220 is well settled. A stockholder of a Delaware corporation may inspect the corporation’s books and records for any “proper purpose” rationally related to Marathon P’rs, L.P. v. M&F Worldwide Corp., 2004 WL 1728604, at *4 (Del. Ch. July 30, 2004). 136 See Amalgamated Bank v. Yahoo!, 132 A.3d at 775–76 (discussing “form and manner” requirements). 137 37 the stockholder’s “interest as a stockholder.”138 An intent to investigate mismanagement or wrongdoing is a proper purpose if supported by the requisite evidentiary showing.139 To demonstrate that an investigative purpose is proper, the stockholder must prove, by a preponderance of the evidence, “a credible basis from which the court can infer that mismanagement, waste or wrongdoing may have occurred.”140 The “credible basis” standard is the lowest burden of proof known in our law; it requires merely that the plaintiff put forward “some evidence” of wrongdoing.141 After demonstrating a proper purpose, “[a] plaintiff seeking inspection must [next] demonstrate that ‘each category of books and records requested is essential and sufficient to [its] stated purpose.’”142 8 Del. C. § 220(b) (“A proper purpose shall mean a purpose reasonably related to such person’s interest as a stockholder.”). 138 Seinfeld, 909 A.2d at 121 (“It is well established that a stockholder’s desire to investigate wrongdoing or mismanagement is a ‘proper purpose.’”). 139 140 Id. at 118 (internal quotation marks omitted). 141 Id. at 118 (explaining that to satisfy the credible basis standard the stockholder must present “some evidence” of wrongdoing); Id. at 123 (“Although the threshold for a stockholder in a section 220 proceeding is not insubstantial, the ‘credible basis’ standard sets the lowest possible burden of proof.”). 142 Henry v. Phixios Hldgs., Inc., 2017 WL 2928034, at *11 (Del. Ch. July 10, 2017) (quoting Thomas & Betts Corp. v. Leviton Mfg. Co., 681 A.2d 1026, 1035 (Del. 1996)). See also, Sec. First Corp. v. U.S. Die Casting and Dev. Co., 687 A.2d 563, 569 (Del. 1997) (When making a Section 220 demand, the plaintiff must show by a preponderance of the evidence “that each category of books and records is essential to the accomplishment of the stockholder’s articulated purpose for the inspection.”). 38 B. Plaintiffs Have Demonstrated Proper Purposes for Inspection The preponderance of the evidence presented at trial provides a credible basis to infer the Board and Facebook senior executives failed to oversee Facebook’s compliance with the Consent Decree and its broader efforts to protect the private data of its users. I summarize that evidence below. First, Plaintiffs presented the Parliamentary Report where, after summarizing emails, meeting minutes, witness interviews and other evidence, the Parliamentary Committee concluded the “Cambridge Analytica Scandal was facilitated by Facebook’s policies and the incident displays the fundamental weakness of Facebook in managing its responsibilities to the people whose data is used for its own Commercial purposes.”143 According to the Parliamentary Report, “[i]f [Facebook] had fully complied with the [Consent Decree], [the Cambridge Analatica scandal] . . . would not have happened.”144 The Parliamentary Report went on to summarize evidence that Facebook had implemented a business plan to JX 103 at 24–25, 92; JX 3–5, 7–9, 12, 21–22, 26. “In total, the Committee held 23 oral evidence sessions, reviewed over 170 written submissions, heard evidence from 73 witnesses, asked 4,350 questions of these witnesses, and had many exchanges of public and private correspondence with individuals and organizations.” JX 103 at 10. See In re UnitedHealth Gp., Inc. Section 220 Litigation, 2018 WL 1110849, at *7 (Del. Ch. Feb. 28, 2018) (finding credible basis to suspect wrongdoing was evidenced by a complaint brought on behalf of the Department of Justice, which included “references to, and quotations from, the Company’s internal emails, letters, audit reports, charts, attestations, policies, presentation materials, and memoranda”). 143 144 JX 103 at 90. 39 “override its users’ privacy settings in order to transfer data to some app developers” and “to charge high prices . . . for the exchange of that data.”145 And, importantly, the Parliamentary Report concluded that the Board was aware of data privacy breaches but attempted “to deflect attention” from these breaches to avoid scrutiny.146 Second, the Consent Decree demonstrates that an enforceable regulatory order mandated that the Company’s management and its Board implement and monitor Facebook’s compliance with specifically identified and detailed data privacy procedures.147 Lest there be any doubt about whether the Board was aware of the specific requirements of the Consent Decree, the document itself makes clear that it is to be “deliver[ed] . . . to . . . all current and future principals, officers, directors, and managers[.]”148 While there is certainly room to defend the claim, there is some evidence the Board knew of the Company’s obligations to implement data security 145 Id. 146 JX 103 at 72. JX 1. The Consent Decree explicitly requires Facebook “and its representatives” to “disclose to [Facebook’s] users . . . the categories of nonpublic user information that will be disclosed to such third parties[,]” “the identity or specific categories of such third parties” and “obtain the user’s affirmative express consent.” Id. Facebook “and its representatives” must also “implement procedures reasonably designed to ensure that covered information cannot be accessed by any third party from servers under [Facebook’s control[.]” Id. And Facebook must “establish and implement, and thereafter maintain, a comprehensive privacy program[.]” Id. at § II. 147 148 JX 1 at § VII. 40 measures, knew the Company had not implemented or maintained those measures as required by the Consent Decree and, nevertheless, condoned the Company’s monetization of its users’ private data in violation of the Consent Decree.149 The Consent Decree was an affirmative obligation imposed on the Company much like positive law. The legal academy has observed that Delaware courts are more inclined to find Caremark oversight liability at the board level when the company operates in the midst of obligations imposed upon it by positive law yet fails to implement compliance systems, or fails to monitor existing compliance systems, such that a violation of law and resulting liability occurs.150 Professor The Parliamentary Report concluded, “[t]he Cambridge Analytica scandal was facilitated by Facebook’s policies. If it had fully complied with the FTC settlement, it would not have happened.” JX 103 at 28. 149 150 In other words, it is more difficult to plead and prove Caremark liability based on a failure to monitor and prevent harm flowing from risks that confront the business in the ordinary course of its operations. Failure to monitor compliance with positive law, including regulatory mandates, on the other hand, is more likely to give rise to oversight liability. See James D. Cox & Randall S. Thomas, Corporate Darwinism: Disciplining Managers in a World with Weak Shareholder Litigation, 95 N.C. L. Rev. 19, 55–56 (2016) (“Indeed, the division between [In re Massey Energy Co.] and [In re Citigroup Inc. S’holder Deriv. Litig.] may be that Citigroup involved a challenge to legitimate business practices, whereas Massey is riveted, as was Caremark, on the directors’ conscious disregard of the corporation’s adherence with the law when implementing business strategies . . . . [T]he facts required to satisfy even Massey reflect such an abandonment of the directors’ monitoring role as to suggest outright complicity in the lawless acts rather than a want of oversight.”); Donald C. Langevoort, Caremark and Compliance: A TwentyYear Lookback, 90 Temp. L. Rev. 727, 735 (2018) (“[T]he moment the board is brought into the compliance risk discussion, liability exposure increases to at least a small extent, and Caremark itself no longer sets the applicable standard.”). See also, In re Citigroup Inc. S’holder Deriv. Litig., 964 A.2d 106, 131 (Del. Ch. 2009) (“There are significant 41 Elizabeth Pollman aptly describes this as a circumstance where the board acts with “disobedience.”151 Our law does not countenance board level disobedience. Stated differently, Delaware law does not charter law breakers. Delaware law allows corporations to pursue diverse means to make a profit, subject to a critical statutory floor, which is the requirement that Delaware corporations only pursue “lawful business” by “lawful acts.” As a result, a fiduciary of a Delaware corporation cannot be loyal to a Delaware corporation by knowingly causing it to seek profit by violating the law . . . . Telling your parents that all the kids are getting caught shoplifting, cheating, or imbibing illegal substances is not, fortunately, a good excuse. For fiduciaries of Delaware corporations, there is no room to flout the law governing the corporation’s affairs. If the fiduciaries of a Delaware corporation do not like the applicable law, they can lobby to get it changed. But until it is changed, they must differences between failing to oversee employee fraudulent or criminal conduct and failing to recognize the extent of a Company’s business risk.”); In re Goldman Sachs Gp., Inc. S’holder Litig., 2011 WL 4826104, at *21 (Del. Ch. Oct. 12, 2011) (“As a preliminary matter, this Court has not definitively stated whether a board’s Caremark duties include a duty to monitor business risk.”); Asbestos Workers Local 42 Pension Fund v. Bammann, 2015 WL 2455469, at *14 (Del. Ch. May 22, 2015) (“It is not entirely clear under what circumstances a stockholder derivative plaintiff can prevail against the directors on a theory of oversight liability for failure to monitor business risk under Delaware law; the Plaintiff cites no examples where such an action has successfully been maintained.”) (emphasis in original); Reiter on Behalf of Capital One Fin. Corp. v. Fairbank, 2016 WL 6081823, at *8 (Del. Ch. Oct. 18, 2016) (“In applying the Caremark theory of liability, even in the face of alleged red flags, this Court has been careful to distinguish between failing to fulfill one’s oversight obligations with respect to fraudulent or criminal conduct as opposed to monitoring the business risk of the enterprise.”); Okla. Firefighters Pension & Ret. Sys. v. Corbat, No. 12151, 2017 WL 6452240, at *18 (Del. Ch. Dec. 18, 2017) (“Banamex made a risky business decision that turned out poorly for the company. That suggests a failure to monitor or properly limit business risk, a theory of director liability that this Court has never definitively accepted. Indeed, evaluation of risk is a core function of the exercise of business judgment.”). 151 Elizabeth Pollman, Corporate Disobedience, 68 Duke L.J. 709, 756 (2019). 42 act in good faith to ensure that the corporation tries to comply with its legal duties.152 Plaintiffs have presented a credible basis to infer that the Board acted with disobedience by allowing Facebook to violate the Consent Decree. They are entitled to inspect books and records to investigate that potential wrongdoing. Third, Plaintiffs point to information released to the public sphere since they initiated their Demand indicating that a key component of Facebook’s business plan was to monetize access to user data through agreements with partners based on “reciprocity,” even after entering into the Consent Decree.153 Facebook’s long-term business model was to “go with full reciprocity and access to app friends,” permitting business partners to obtain full information from users, including users’ Facebook friends.154 There is some evidence Facebook whitelisted these business partners, giving them unauthorized access to the Facebook platform and Facebook’s user data for a substantial fee.155 All the while, its users were left in the dark.156 152 In re Massey Energy Co., 2011 WL 2176479, at *20–21 (Del. Ch. May 31, 2011) (internal footnote omitted) (Strine, V.C.). 153 JX 103 at 26–28. 154 Id. at 35–36. 155 JX 3–5, 7–9, 12, 21–22, 26; JX 103 at 29–31. 156 JX 103 at 30. 43 Fourth, Plaintiffs presented a credible basis to infer the Board knew the Company was allowing unauthorized third-party access to user data. The New York Times reported Erskine Bowles, chairman of the Audit Committee, received a report from Stamos, then Chief Information Security Officer, and Colin Stretch, Facebook’s General Counsel, about Russian interference with the Facebook platform and potential data privacy violations.157 On the same day, Bowles questioned Zuckerberg and Sandberg at a full Board meeting regarding the extent to which they, and other Facebook senior management, had been transparent with the Board regarding data privacy issues.158 At that meeting, Stamos expressed concerns that the Company had not monitored the protection of user data carefully, prompting Sandberg, as noted above, to accuse Stamos of “throw[ing] us under the bus!”159 According to The New York Times, the Company’s failure adequately to address data privacy ultimately led Whatsapp co-founder, Jan Koum, to resign from the Board.160 157 JX 82 at 9–10. The Board also received a presentation on the results of an audit regarding privacy and data use. PX 16 at 34; PX 22 at 21–23. 158 JX 82 at 9–10. 159 Id. 160 JX 57. See In re Plains All Am. Pipeline, L.P., 2017 WL 6066570, at *3–4 (Del. Ch. Aug. 8, 2017) (ORDER) (newspaper article deemed reliable evidence to support stockholder’s showing of a credible basis to suspect wrongdoing for purposes of Section 220); Paul v. China MediaExpress Hldgs., Inc., 2012 WL 28818, at *4 (Del. Ch. Jan. 5, 2012) (same). 44 Fifth, Plaintiffs have provided evidence that multiple regulatory authorities have opened investigations into Facebook’s data privacy lapses.161 Perhaps most troubling, following the Cambridge Analytica breach, the FTC opened an investigation to determine the extent to which Facebook violated the Consent Decree.162 News outlets have recently reported the investigation could result in a multibillion dollar fine against Facebook––the largest fine ever imposed by the FTC.163 After the Cambridge Analytica scandal, the ICO fined Facebook the maximum fine permitted under British law, £500,000, for permitting third party developers to access user information without sufficient consent.164 In addition, the Parliamentary Report revealed the ICO concluded that Facebook’s “business 161 As noted, the FBI, DOJ and SEC have all opened independent investigations into the Company stemming from its data privacy violations. JX 68. See Freund v. Lucent Tech., 2003 WL 139766, at *3 (Del. Ch. Jan. 9, 2003) (finding that a Securities and Exchange Commission investigation, financial restatements and pending civil suits comprised a “record [that] adequately supplies ‘some credible basis’ to support an inference of waste or mismanagement[.]”) (citing Sec. First Corp. v. U.S. Die Casting & Dev. Co., 687 A.2d 563, 567 (Del. 1997)). 162 JX 51, 52. 163 JX 102. 164 JX 78. 45 practices and the way applications interact with data on the platform have contravened data protections law.”165 Finally, Facebook is subject to numerous lawsuits based on the same underlying misconduct.166 These complaints further support Plaintiffs’ credible basis to infer wrongdoing.167 In light of the low Section 220 evidentiary threshold, I am satisfied Plaintiffs have proven “legitimate issues of wrongdoing.”168 Stated differently, Plaintiffs have presented some evidence that Facebook’s directors and officers may have breached their Caremark duties, particularly in light of the Consent Decree in place at the time of most of the data privacy breaches alleged in this action.169 Accordingly, they have 165 JX 103 at 23. 166 Supra note 104 and accompanying text. 167 See Elow v. Express Scripts Hldg. Co., 2017 WL 2352151, at *6 (Del. Ch. May 31, 2017) (“[P]leadings in [a private suit against defendant], coupled with the statements made by [defendant’s] management, are enough to meet the ‘lowest burden of proof’ set by Delaware law.”) (citing Seinfeld, 909 A.2d at 123); UnitedHealth, 2018 WL 1110849, at *7 (finding credible basis to suspect wrongdoing was evidenced by the contents of a complaint against the company brought on behalf of the Department of Justice). Sec. First Corp., 687 A.2d at 568 (“[T]he threshold may be satisfied by a credible showing, through documents, logic, testimony or otherwise, that there are legitimate issues of wrongdoing.”). 168 169 Given my finding that Plaintiffs have presented some evidence of Board level knowledge of Facebook’s failure to implement data protection measures, and of the Board’s failure to monitor what measures were in place, I decline to address Plaintiffs’ argument that the “core operations doctrine” should be applied to infer Board level knowledge and involvement. See In re Fitbit, Inc. S’holder Deriv. Litig., 2018 WL 6587159, at *15 (Del. Ch. Dec. 14, 2018), appeal refused, 2019 WL 190933 (Del. Ch. 46 demonstrated a proper purpose to inspect certain documents related to this potential wrongdoing.170 Having demonstrated a credible basis to investigate wrongdoing in connection with Facebook’s protection of data privacy, Plaintiffs have also supported their Demand to inspect books and records relating to director independence. Should stockholders elect to pursue claims against Facebook fiduciaries arising from the data privacy breaches, those claims most likely would be derivative claims asserted on behalf of the Company. It is well settled that the desire to investigate director independence is a proper purpose, particularly in instances where the stockholder seeks to investigate whether demand upon the board to pursue claims on behalf of the company would be futile.171 Jan. 14, 2019) (denying a motion to dismiss based on the core operations doctrine and “well-pled facts” that the Board and management would have been aware of problems encountered in the development of a new product that was responsible for a substantial portion of the company’s revenue). Facebook cites Marathon P’rs, L.P. v. M&F Worldwide Corp. to argue that Plaintiffs have presented only “speculation of mismanagement.” 2004 WL 1728604, at *7 (Del. Ch. July 30, 2004). Marathon is distinguishable on its facts, as the plaintiff there suspected the directors breached their Revlon duties when they rebuffed a single overture by a potential acquirer outside of any bidding process. Id. Unlike Marathon, this case involves a company that was under a positive obligation to implement certain data privacy protections and some evidence that the levers of control within the Company may have failed to oversee compliance with those obligations in a manner that has caused harm to the Company. 170 171 Our courts regularly find that a stockholder states a proper purpose when he seeks to investigate director independence and disinterestedness as he investigates possible derivative claims. See, e.g., Amalgamated Bank v. Yahoo!, 132 A.3d at 784–85 (“[T]he Delaware Supreme Court has indicated that a plaintiff could obtain ‘a file of the 47 C. The Effect of Plaintiffs’ Ever-Changing Demand Plaintiffs’ have reshaped their requests to inspect books and records from their initial Demand, through the parties’ meet and confer sessions, the pre-trial stipulation, Plaintiffs’ pre-trial brief and, finally, trial. This metamorphosis has confounded the Court’s analysis and justifiably frustrated the Company. 172 A stockholder’s right to inspect books and records must be balanced against the corporation’s right to be apprised of what the stockholder is asking for and why.173 In Fuchs Family Trust v. Parker Drilling Co., the court denied the plaintiff’s demand for inspection, partly because its late-term modification of the demand was prejudicial to the defendants.174 There, the plaintiff’s initial demand letter sought eight categories of documents and described its purpose as the investigation of possible mismanagement and violation of law by the company. 175 In its complaint, disclosure questionnaires for the board’ or similar materials that could ‘provide more detail about the thickness of the relationship[s]’ in the boardroom.”) (citing Del. Cty. Empls.’ Ret. Fund v. Sanchez, 124 A.3d 1017, 1024 (Del. 2015)). 172 I say metamorphosis rather than evolution because there has been no linear progression in Plaintiffs’ requests for books and records; they have expanded and contracted with no apparent pattern. 173 Thomas & Betts Corp. v. Leviton Mfg. Co., 681 A.2d 1026, 1031 (Del. 1996) (“Undergirding this discretion [to determine the scope of inspection] is a recognition that the interests of the corporation must be harmonized with those of the inspecting stockholder.”). 174 Fuchs Family Tr. v. Parker Drilling Co., 2015 WL 1036106 (Del. Ch. Mar. 4, 2015). 175 Id. at *3. 48 the plaintiff modified its purpose and narrowed the scope of its demand.176 The demand changed again eight days before trial and after both parties had filed pretrial briefs, when the plaintiff “updated” the demand by substantially broadening the scope of the documents requested.177 The court refused to enforce the eleventh-hour update upon finding the defendant had been prejudiced by the moving targets set by the plaintiff: Given the circumstances, [the plaintiff’s] late attempt to expand its inspection must be rejected. ‘Strict adherence to the section 220 procedural requirements for making an inspection demand protects the right of the corporation to receive and consider a demand in proper form before litigation is initiated.’ [The defendant’s] right to consider [the plaintiff’s] demand properly would be substantially impaired by forcing it to adapt its response and defense to [the plaintiff’s] evolving requests.178 The court then rejected the plaintiff’s effort to enforce its demand after finding the books and records the plaintiff sought were not “necessary and essential” to fulfill its stated purpose.179 Other decisions of this court are in accord.180 176 Id. at *3–4. 177 Id. at *4 (emphasis in original). Id. (“Even beyond concerns related to Section 220’s requirements, forcing [the defendant] to defend against issues raised only a week before trial would be at odds with fundamental fairness.”). 178 179 Id. at *7. 180 See, e.g., Beatrice Corwin Living Irrevocable Tr., 2016 WL 4548101, at *7 (denying plaintiffs’ Section 220 demand because it “was not clearly made until after trial” and refusing plaintiffs’ attempts to expand the scope of their demand by adding participants in the alleged mismanagement and a new theory because the attempted expansions came too 49 While Plaintiffs’ lack of precision in formulating its Demand, particularly with respect to the scope of documents requested, has provoked justified frustration and has prompted questions regarding possible abuse of the Section 220 process, I am satisfied there has been no such abuse here. Plaintiffs’ stated purposes for inspection have remained constant throughout the various iterations of their Demand. And their lack of focus regarding the documents they seek, while unfortunate, does not evidence a lack of good faith. In my view, the proper approach here is to hold Plaintiffs to the request for documents as stated in the Pre-Trial Order, a request that was refined by the parties’ several meet and confer sessions.181 This is the version of the Demand that Defendants addressed in their pre-trial brief and at late); Highland Select Equity Fund, L.P. v. Motient Corp., 906 A.2d 156, 167 (Del. Ch. 2006) (holding the plaintiff’s multiple amendments to its demand reflected a lack of precision that, in turn, suggested the plaintiff had not articulated a proper purpose in the first place). But see Apogee Invs., Inc. v. Summit Equities LLC, 2017 WL 4269013, at *4 (Del. Ch. Sept. 22, 2017) (granting plaintiff’s motion for leave to amend its demand—after plaintiff had already modified the scope of its demand on several occasions—and rejecting the defendant’s argument that the amendment reflected a “creeping expansion” of claims on the eve of trial, and would have the same prejudicial effect on the defendant as identified in Fuchs Family). In Apogee, the court explained that, unlike in Fuchs Family, where the plaintiff broadened its demand after both parties had filed opening pre-trial briefs, and eight days before trial, the “trial in this case is weeks away, pretrial briefing has not yet taken place, and [the defendant] has been aware of the mismanagement and party loan purposes since at least December 2016.” Id. 181 PTO ¶ 18, 19. See Apogee, 2017 WL 4269013, at *4 (enforcing post-litigation demand upon finding that the Company had been given an adequate opportunity to respond to it). 50 trial. The scope of documents requested in that version, therefore, has been properly joined for decision. D. Scope of Production Plaintiffs seek to inspect seven categories of books and records they claim “address the crux” of their stated purposes.182 Some of these materials are “necessary and essential”; others are not.183 Specifically, I am satisfied that the following categories of non-privileged documents184 relating to the following topics (the “Ordered Documents”) are “necessary and essential” to pursue Plaintiffs’ proper purposes and should be produced: (1) Hard-copy documents provided to, or generated by, the Board relating to investigations conducted by the FTC, DOJ, SEC, FBI and ICO regarding Facebook’s data privacy practices (“Investigation Documents”); Pls.’ Pre-Trial Br. 27 (quoting Wal-Mart Stores, Inc. v. Ind. Elec. Works Pension Tr. Fund IBEW, 95 A.3d 1264, 1271 (Del. 2014)). 182 183 Wal-Mart Stores, 95 A.3d at 1278 (discussing the “necessary and essential” standard). 184 Plaintiffs have invoked the so-called Garner exception to the attorney-client privilege as a basis to defeat the Company’s assertion of privilege. See Garner v. Wolfinbarger, 430 F.2d 1093, 1104 (5th Cir. 1970) (listing “good-cause” factors that would justify an exception to the privilege asserted by a fiduciary in response to a stockholder’s request for documents). This exception is “narrow, exacting, and intended to be very difficult to satisfy.” Wal-Mart Stores, 95 A.3d at 1278. Plaintiffs have not met their heavy burden under Garner because, on this record, they have not demonstrated that the privileged information they seek “is both necessary to prosecute the action and unavailable from other sources.” Buttonwood Tree Value P’rs, L.P. v. R.L. Polk & Co., 2018 WL 346036, at *4 (Del. Ch. Jan. 10, 2018). This is “the most important of the Garner factors. See id. at *3, *5 n.24 (declining to apply Garner where necessity/unavailability factor not met even though the other two principal factors were satisfied); Elow v. Express Scripts Hldg. Co., 2018 WL 2110946, at *2 (Del. Ch. Apr. 27, 2018) (same). 51 (2) Facebook’s formally adopted policies and procedures respecting data privacy and access to user data, including those promulgated following the entry of the Consent Decree (“Policies and Procedures”); (3) Facebook’s Atlas (SOC1 & SOC 2/3), Custom Audience (SOC 2/3) and Workplace (SOC 2/3) audits performed on behalf of the Company, and any other formal internal audits performed regarding compliance with Facebook formal data privacy policies and procedures or with the Consent Decree (“Audit Documents”); (4) documents concerning the independence of Facebook’s directors and committees of the Board, particularly the Board disclosure questionnaires (“Independence Documents”); and (5) electronic communications, if coming from, directed to or copied to a member of the Board, concerning Facebook’s post-Consent Decree whitelist practices, post-Consent Decree government investigations into Facebook’s data privacy practices and compliance with the Consent Decree, to be collected from the following custodians: Erskine B. Bowles, Sheryl Sandberg, Alex Stamos, and Mark Zuckerberg (“Communication Documents”).185 185 Plaintiffs have presented evidence that Board members were not saving their communications regarding data privacy issues for the boardroom. See JX 103 at 24, 30– 36 (Parliamentary Report found emails from Zuckerberg, Sandberg and other senior management relating to the extent to which Facebook was complying with data privacy laws and relating to the scope of its whitelisting agreements); JX 3, 4, 5 (emails among executives and Board members discussing Zuckerberg’s plan to monetize user data within the Facebook platform). See Yahoo!, 132 A.3d at 791–94 (ordering the production of electronic documents and emails because they were “corporate records” that would “show what [key players] knew and when”); KT4 P’rs, 203 A.3d at 754–55 (reversing trial court for not ordering production of emails upon finding the plaintiff had presented evidence that board members were communicating by email regarding the subjects of the stockholder’s investigation and defendant had “not buttressed its claims [that emails were not necessary] with any evidence that other materials would be sufficient to accomplish [the stockholder’s] purpose.”). Here, Plaintiffs’ Demand sought Board level documents concerning Facebook’s compliance with the Consent Decree and response to government investigations into Facebook’s data privacy practices. In response, Facebook produced a compilation of highly redacted Board minutes that contain essentially no information regarding the relevant subjects. See, e.g., PX 1–22. When considered against the backdrop of the evidence of Board level email communications Plaintiffs have introduced in this 52 Because many of Plaintiffs’ document demands landed with the precision of buckshot,186 I have tailored the inspection award to the purposes articulated in their inspection Demand. Thus, I have denied Plaintiffs’ request for correspondence with the FTC at or near the time the Consent Decree was entered because those documents are far removed from what Plaintiffs seek to investigate now. I have similarly denied Plaintiffs’ request for documents relating to “third party access to and handling of Facebook user data, including agreements with other companies regarding the same” beyond any such documents that might be within the Ordered Documents. The full breadth of the third-party documents Plaintiffs seek extends far beyond what is necessary and essential.187 Also, except for the Policies and Procedures and Audit Documents, I have limited the scope of production to Board-level documents (and communications) because management-level communications are not, on this record, necessary and essential to Plaintiffs’ investigation of their Caremark-based claims. Finally, I have limited the custodians from whom the Company must collect record, the Company’s production of redacted Board minutes hardly “buttresses” its claim that these books and records are sufficient “to accomplish [Plaintiffs’] purpose.” KT4 P’rs, 203 A.3d at 754–55. Id. at 776 (“The production order ‘must be carefully tailored.’ Framed metaphorically, it should be ‘circumscribed with rifled precision’ to target the plaintiff’s proper purpose.”) (quoting Sec. First, 687 A.2d at 565, 570). 186 187 Cook v. Hewlett-Packard Co., 2014 WL 311111, at *5 (Del. Ch. Jan. 30, 2014) (holding that Section 220 demands should not amount to “fishing expeditions”). 53 electronic communications to comport with the evidence in the record, or lack of evidence, regarding the role of specific Facebook executives in the Company’s postConsent Decree data privacy compliance.188 While the temporal scope of discovery should a derivative claim be brought may well be broader, I am satisfied that Plaintiffs’ demand for documents dating back to 2011 is too broad for a Section 220 inspection.189 Claims relating to conduct in 2011, or conduct giving rise to the Consent Decree, likely would be time-barred.190 Moreover, the Cambridge Analytica events primarily took place in 2014 and 2015.191 And, importantly, the original Demand sought documents for a “period February 3, 2017 to present.”192 With these facts in mind, I am satisfied the scope of production I have also removed Facebook’s General Counsel, Colin Stretch, as a custodian both because Plaintiffs have failed to demonstrate that his documents are essential to accomplish their purpose and also to minimize the extent of post judgment privilege disputes. See Sec. First Corp., 687 A.2d at 569 (holding that Section 220 plaintiff must show by a preponderance of the evidence “that each category of books and records is essential to the accomplishment of the stockholder’s articulated purpose for the inspection.”). 188 189 See, e.g., Okla. Firefighters Pension & Ret. Sys. v. Citigroup Inc., 2015 WL 1884453, at *7 & n.61 (Del. Ch. Apr. 24, 2015) (“substantially narrow[ing]” the starting date for defendant to produce documents to 2011, where plaintiffs requested materials from 2008); UnitedHealth, 2018 WL 1110849, at *10 (holding that Section 220 demand seeking documents over an eight year span too broad.). 190 See Graulich, 2011 WL 1843813, at *1, *6 (finding derivative claims resulting from Section 220 action investigating possible corporate mismanagement from 6–8 years prior to the demand would likely be time-barred). 191 See JX 45; JX 46. 192 Compl. Ex. A at 6. 54 of Communication Documents, for reasons of burden and expense, and Investigation Documents, for reasons of temporal relevance and burden, should be limited to the time specified in the original Demand—February 3, 2017 to present. As for the Audit Documents, the scope of production shall be from January 2013 to present, in order to capture a time just prior to the Cambridge Analytica breach and far enough removed from the Consent Decree that the Company’s compliance with the privacy program and third-party audit requirements of that mandate should have been evident. As for the Policies and Procedures, the scope of production shall be from January 2013 to present, not only to capture the time prior to the Cambridge Analytica breach but also to reveal the Company and the Board’s response to the Consent Decree. Finally, as for the Independence Documents, the scope of production will be limited to the most recent Board questionnaires given that the Board’s independence for demand futility purposes will be measured as of the time the complaint alleging demand futility is filed.193 See Rales v. Blasband, 634 A.2d 927, 934 (Del. 1993) (“[A] court must determine whether or not the particularized factual allegations of a derivative stockholder complaint create a reasonable doubt that, as of the time the complaint is filed, the board of directors could have properly exercised its independent and disinterested business judgment in responding to a demand.”) (emphasis supplied). 193 55 III. CONCLUSION For the foregoing reasons, a judgment shall be entered in favor of Plaintiffs that directs Facebook to allow inspection of the books and records designated in this Memorandum Opinion. The parties shall confer and submit a joint proposed implementing order and final judgment within fifteen (15) days. 56
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
