Meta Platforms Inc., the owner of Facebook, Instagram and WhatsApp, recently settled a privacy lawsuit that spared some key executives and its board of directors from testifying in open court. Although settling a lawsuit is rarely a desirable action for a board of directors, it is generally preferable to having board members testify in open court, where confidential information about the company's operations may be discussed. Board members at other companies may want to identify the actions (or inactions) that led Meta shareholders to sue the tech giant, and keep their own companies from repeating them. This is particularly important as evolving privacy issues around the world were at the heart of this shareholder lawsuit.
Shareholders filed the lawsuit in 2018, charging CEO Mark Zuckerberg, director Marc Andreessen, former chief operating officer Sheryl Sandberg, and other executives of the company, then called Facebook. It paid a $5 billion settlement to the Federal Trade Commission after board members accused it of failing to protect user data, which they said was intended to absolve Mr. Zuckerberg of personal liability in the Cambridge Analytica scandal. The $190 million settlement covers improper access to information on millions of Facebook users by British data company Cambridge Analytica.
While we can honestly say that most companies do not expect to deal with remote operations like the Cambridge Analytica scandal, handling customers' personal data appropriately will continue to be a major challenge for companies. Because customers' personal data is used to generate sales, privacy laws are evolving to provide better protection from spam calls, emails, and other types of unsolicited offers. Board members should expect an increased focus on regulatory efforts around privacy issues and cybersecurity in the coming months. Privacy and confidentiality laws impact each company differently. Here are some things the board might consider for 2026:
Stay informed about changes to privacy laws. There are a number of new privacy laws coming into effect in 2025 that boards may need to consider to ensure they are followed. In the United States, Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee all enacted new privacy laws this year. Internationally, the European Union, Australia, China, Malaysia, Peru, and India have all changed their data protection laws or introduced new rules regarding cross-border data transfers. Businesses operating in these jurisdictions should consider appropriate privacy regulations and ensure they comply.
Renew your D&O insurance. Meta is reported to be paying $190 million in shareholder lawsuit settlements from D&O insurance. Businesses should review their D&O insurance coverage annually, as new threats may emerge on a regular basis. Meta's board had insurance to cover the $190 million settlement, but can your D&O insurance do the same? Depending on your board, you may need to extend or expand your current coverage. Increasing your insurance to cover data breaches may also be a wise move.
See how customer data is currently being used. Ensure that your use of AI does not violate privacy or confidentiality regulations. Be aware that the way your company used customer data last year may be in violation of new regulations and may require adjustments. Also note that as companies begin to expand their use of artificial intelligence, they will often need to inform consumers when they may interact with the AI and when the AI will make automated decisions. Customers should also be given the right to opt out of having their personal data used to train AI. Further scrutiny of these areas is expected in the future.
