When news broke in 2018 that data firm Cambridge Analytica had wrongfully acquired and misused Facebook user data, share prices of Facebook plummeted. In response, shareholders filed suit against the company, claiming that Facebook did not fully disclose risks to user data and framed such risks as hypothetical, rather than what it already knew of the data breach. However, "the district court dismissed the shareholders’ claims, concluding that they had failed to plead falsity, knowledge of wrongdoing, and loss causation under the elevated standard of Federal Rule of Civil Procedure 9(b), which requires that “a party must state with particularity the circumstances constituting fraud or mistake,” says SCOTUSblog.

But the shareholders appealed, and the US 9th Circuit Court agreed with them—in part—stating that they had plausible claim that Meta (Facebook's parent company) had indeed defrauded them in its presentation of risk factors. "The panel concluded that the shareholders adequately pleaded falsity as to the statements warning that misuse of Facebook users' data could harm Facebook's business, reputation, and competitive position, and the district court erred by dismissing the complaint," the 9th Circuit's panel wrote.

Now, Meta is appeal the 9th Circuit's ruling to the Supreme Court. "[Meta] contends that this case implicates divisions among the federal courts of appeals on two issues: the first on what kinds of risk disclosures public companies must make in their public reports; and the second on whether loss causation allegations are subject to heightened pleading standards under Rule 9(b), or whether ordinary notice pleading under Rule 8 suffices," explains SCOTUSblog.

If the shareholders' case goes to trial, Meta could face a $2 billion settlement, reports Bloomberg.

The Supreme Court will hear the case during it's next term, which begins in October.

Data Breach

Meta's handling of the Cambridge Analytica case isn't the only time it has faced public outcry over data misuse and breaches. In 2021, the personal data of 533 million Facebook users was leaked. As a result, Ireland's Data Protection Commission (DPC), acting under the EU's General Data Protection Regulation (GDPR) laws, fined Meta $276 million. As The Verge notes, the DPC fined Meta some $700 million in 2022 alone.

The Verdict

Sure, its nearly impossible for a company as large as Meta to tell shareholders about every possible risk its users face, but to sit on data misuse as jarring as the Cambridge Analytica case, might not have been the best move either. It will be interesting to see how SCOTUS interprets a firm's reporting responsibilities.