
A Twist on Privacy Exposure: Securities Litigation for Failure to Disclose Privacy Risks

Nielsen, the TV ratings company, and a group of investors are poised to settle a lengthy class action case in which the investors allege that they were harmed by a stock price slide caused by Nielsen's failure to disclose the effects of EU privacy legislation on its business. As that legislation came into effect, Nielsen was assuring investors that the relevant areas of its business were stable and that the new privacy regime would not have a material impact on the company.

The SEC has proposed new rules in the US that would require publicly traded companies to disclose material cyber incidents but has not addressed whether they should report the impact of privacy compliance. Such compliance efforts can be costly, and new laws increasingly seek to impose liability on companies that suffer a data breach of personal information.  

Why It Matters

Although the Nielsen case is on the verge of settlement, it points to an important lesson. Public companies may have to evaluate how they characterize material risks to their business, in light of new privacy requirements and risks. Private companies, which do not have to make such disclosures as part of normal public reporting, would be well served to evaluate the same issues: customer contracts, as well as investment and acquisition opportunities, could be affected by compliance failures, cyberattacks, or data breaches. The increasing scrutiny of companies at all levels means that even unregulated companies may find that disclosure, and planning, are in their best economic interest.  

The investors had alleged Nielsen stock prices plummeted after the company revealed it had known discretionary spending on Nielsen products and services was in decline and that hundreds of data providers, which Nielsen heavily relies on, had cut off access due to the GDPR — a European Union law that sets guidelines for the collection and processing of EU residents' personal data.

