On May 30, 2019, Vice Chancellor Joseph R. Slights III of the Delaware Court of Chancery granted a stockholder demand to inspect Facebook’s books and records in connection with their Caremark claims arising from alleged data privacy breaches. In re Facebook, Inc. Section 220 Litig., C.A. No. 2018-0661-JRS (Del. Ch. May 30, 2019). The Court concluded that, as a matter of law, it would be improper to assess the merits of plaintiffs’ Caremark claims in the context of a books-and-records demand and ruled that plaintiffs met the minimum burden of proof under Section 220 of the Delaware General Corporation Law (“Section 220”), noting that this standard was more easily met where, as here, the underlying claims allege the failure to prevent corporate violations of law, rather than challenging routine business operations.
Plaintiffs demanded access to Facebook books and records so that plaintiffs could investigate whether the board and senior management knowingly implemented policies that placed user data at risk of misappropriation and failed to monitor Facebook’s compliance with a 2011 FTC Consent Decree related to user data. To support their allegations of misconduct, plaintiffs pointed to a parliamentary report, the 2011 consent decree, and various public reports concerning Facebook’s handling of user data and related investigations. The scope of plaintiffs’ demand changed repeatedly throughout the course of the litigation, ultimately encompassing hard copy documents, electronic records, and emails concerning ten different topics (including, among other things, the consent decree, internal and government investigations, third-party access to data, and policies and procedures). Facebook argued that plaintiffs had not stated a proper purpose because plaintiffs failed to adequately plead a Caremark claim—which claims are widely recognized in Delaware practice as difficult to prove—and, accordingly, had not established a credible basis to infer wrongdoing.
The Court agreed with plaintiffs, finding that they had met the minimum burden of Section 220’s “credible basis” standard, which requires only that a stockholder present “some evidence” to support an inference of wrongdoing that would justify their inspection demand. The Court declined to reach the merits of plaintiffs’ Caremark-based theory in the context of a 220 demand and noted that in any event, where violations of law or other affirmative obligations such as the consent decree are alleged, Caremark liability may be more easily proved. The Court limited the scope of plaintiffs’ request for access to those categories of documents that the Court deemed “necessary and essential” to plaintiffs’ claims, including: (i) hard-copy documents given to the board regarding government investigations, (ii) policies and procedures respecting data privacy and user data, (iii) internal audits of compliance with data privacy policies, (iv) directors’ disclosure questionnaires and other documents bearing on director independence, and (v) emails to/from Facebook directors concerning post-2011 data privacy practices and government investigation (to be collected from four directors). The Court also placed temporal limitations on the production that were more restrictive than the 2011-to-present period proposed by plaintiffs.