
 

US Data Privacy Litigation

Litigating accountability through shareholder action

This article, part of a series covering U.S. data privacy litigation, focuses on litigating accountability through shareholder action. The full series can be accessed here.


Published: April 2025



After a privacy incident, companies are often criticized for any conduct or missteps that hindsight suggests may have allowed the incident to occur. For public companies, shareholders — the individuals who own stock in the company — have a powerful way to seek accountability for alleged misconduct or inaction.


What is a shareholder derivative action?

Under U.S. business law, a public company's leadership has specific duties defined in the documents that created the company. For most publicly owned for-profit companies, leadership, such as the C-suite or the board of directors, has fiduciary duties of care and loyalty to shareholders, i.e., the owners of the company, above all else. Although there are many exceptions and specific procedures that must be followed, generally speaking, any shareholder who alleges that a company's leadership harmed the company, whether through negligence, bad decisions or outright misconduct, may file a derivative action against the leadership on behalf of the company to demand accountability if no other options have been or could be successfully pursued.

Shareholder derivative actions are based on the principle that a company's leaders must always act in the shareholders' best interest. However, these lawsuits are not easy. U.S. courts often give company leaders the benefit of the doubt, assuming they acted in good faith unless proven otherwise. To be successful, shareholders must bring forth strong evidence that the leaders acted irresponsibly or tortiously caused harm.

Even with these challenges, shareholder derivative actions can lead to significant changes. They can result in financial penalties for leaders, force companies to improve their policies or push them to strengthen their data protection practices.

Privacy, cybersecurity and digital governance remain enormous concerns for companies today. When privacy incidents occur, they don't just hurt customers. Shareholders' stock value may drop, or their dividends or returns could be impacted by loss of assets and hefty regulatory fines. Shareholder derivative actions have become an avenue where shareholders attempt to ensure company leadership takes responsibility for failures to shareholders.


Derivative actions based on privacy incidents

Although several shareholder derivative actions have been brought based on leadership's alleged role and conduct prior to a company's privacy or cybersecurity incident, derivative actions rarely, if ever, obtain a successful trial judgment. However, by bringing actions and forcing companies to respond to the allegations, shareholders can highlight past conduct and action of leadership and perhaps impact future conduct.

The Equifax data breach

In 2017, Equifax, a company that collects credit information, suffered a massive data breach that exposed the personal details of 147 million people. Shareholders filed lawsuits claiming Equifax's board of directors failed to protect the company from cybersecurity threats. They argued the board knew about weaknesses in the company's data systems but did not take proper action to fix them. The lawsuit also highlighted how the breach damaged Equifax's reputation and financial stability.

The eventual settlement of the shareholder action exemplifies the impact of derivative suits. In addition to corporate governance reforms, enhanced cybersecurity measures and stricter board oversight on data security, Equifax was also required to appoint a new chief executive officer, chief information security officer, chief technology officer and other independent directors. Moving forward, the company agreed to allocate significant internal resources to prevent future breaches, mandate monitoring mechanisms, and hopefully prevent or mitigate such incidents in the future.

The Facebook-Cambridge Analytica scandal

Facebook faced enormous backlash in 2018 after it was revealed political consulting firm Cambridge Analytica improperly accessed data from millions of Facebook users. Shareholders sued Facebook's leadership, accusing them of failing to prevent this misuse of data and misleading the public about how user information was handled. This lawsuit did not just seek financial damages; it also pushed Facebook to change how it managed and protected user data.


A growing role

As technology evolves, so do privacy risks. Privacy and cybersecurity incidents are becoming more common, and shareholders are paying attention. Although these lawsuits are difficult to support and can be burdensome to bring, plaintiffs continue to bring these actions.

For shareholders, customers and companies alike, the message is clear: neglecting privacy is not just bad for business, it's a breach of trust. Shareholders will continue to utilize every tool in their arsenals to demand companies prioritize privacy and protect sensitive and personal information. When a company fails to protect data or make good decisions, these lawsuits remind leaders that their actions, or inactions, have consequences.


