Nielsen, the TV ratings company, and a group of investors are poised to settle a lengthy class action case in which the investors allege that they were harmed by a stock price slide caused by Nielsen's failure to disclose the effects of the EU privacy legislation on its business. As that rule came into effect, Nielsen was assuring investors that the relevant areas of its business were stable and that the new privacy regime would not have a material impact on the company.
The SEC has proposed new rules in the US that would require publicly traded companies to disclose material cyber incidents but has not addressed whether they should report the impact of privacy compliance. Such compliance efforts can be costly, and new laws increasingly seek to impose liability on companies that suffer a data breach of personal information.
Why It Matters
Although the Nielsen case is on the verge of settlement, it points to an important lesson. Public companies may have to evaluate how they characterize material risks to their business in light of new privacy requirements and risks. Private companies, which do not have to make such disclosures as part of normal public reporting, would be well served to evaluate the same issues: customer contracts, as well as investment and acquisition opportunities, could be affected by compliance failures, cyberattacks, or data breaches. The increasing scrutiny of companies at all levels means that even unregulated companies may find that disclosure and planning are in their best economic interest.