   IN THE COURT OF CHANCERY OF THE STATE OF DELAWARE

IN RE FACEBOOK, INC.                       :    CONSOLIDATED
SECTION 220 LITIGATION                     :    C.A. No. 2018-0661-JRS

                         MEMORANDUM OPINION

                         Date Submitted: March 7, 2019
                          Date Decided: May 30, 2019


Samuel L. Closic, Esquire of Prickett, Jones & Elliott, P.A., Wilmington, Delaware
and Frank R. Schirripa, Esquire and Daniel B. Rehns, Esquire of Hach Rose
Schirripa & Cheverie LLP, New York, New York, Attorneys for Plaintiff
Construction and General Building Laborers’ Local Union No. 79 General Fund and
Co-Lead Counsel.

Peter B. Andrews, Esquire, Craig J. Springer, Esquire and David M. Sborz, Esquire
of Andrews & Springer, LLC, Wilmington, Delaware; Geoffrey M. Johnson,
Esquire of Scott+Scott Attorneys At Law LLP, Cleveland Heights, Ohio; and
Donald A. Broggi, Esquire, Scott R. Jacobsen, Esquire and Jing-Li Yu, Esquire of
Scott+Scott Attorneys At Law LLP, New York, New York, Attorneys for Plaintiff
City of Birmingham Relief and Retirement System and Additional Counsel for
Plaintiffs.

Ryan M. Ernst, Esquire of O’Kelly Ernst & Joyce, LLC, Wilmington, Delaware and
Thomas J. McKenna, Esquire and Gregory M. Egleston, Esquire of Gainey
McKenna & Egleston, New York, New York, Attorneys for Plaintiff Lidia Levy and
Additional Counsel for Plaintiffs.

David E. Ross, Esquire and R. Garrett Rice, Esquire of Ross Aronstam &
Moritz LLP, Wilmington, Delaware; Orin Snyder, Esquire of Gibson, Dunn &
Crutcher LLP, New York, New York; Kristin A. Linsley, Esquire and Brian M. Lutz,
Esquire of Gibson, Dunn & Crutcher LLP, San Francisco, California; Paul J. Collins,
Esquire of Gibson, Dunn & Crutcher LLP, Palo Alto, California; and Joshua S.
Lipshutz, Esquire of Gibson, Dunn & Crutcher LLP, Washington, D.C., Attorneys
for Defendant Facebook, Inc.


SLIGHTS, Vice Chancellor
      In July 2018, Facebook, Inc. (“Facebook” or the “Company”) experienced one

of the sharpest single-day market value declines in history when its stock price

dropped 19%, wiping out approximately $120 billion of shareholder wealth. This

unprecedented misfortune followed news reports that, in 2015, the private data of

50 million Facebook users had been poached by Cambridge Analytica, a British

political consulting firm.1 Facebook did not disclose this security breach to its users

upon discovery or at any time thereafter. Users first learned of the breach when they

read or heard about it in the news.

      At the time of the Cambridge Analytica breach, Facebook was subject to a

consent decree entered by the Federal Trade Commission (the “FTC”) in 2011

(the “Consent Decree”) after the FTC determined that the Company’s data privacy

measures were not protecting users’ private information. Among other things, the

Consent Decree required Facebook to implement more robust and verifiable data

security protocols.

      Soon after news of the Cambridge Analytica breach broke, reports surfaced

that Facebook’s business model included incentives to monetize its users’ data

without their consent. These reports were followed by news that the FTC, Federal

Bureau of Investigation (“FBI”), Securities and Exchange Commission (“SEC”),


1
 The more current data indicates that the breach affected more than 87 million users.
JX 52.

                                          1
Department of Justice (“DOJ”), European Information Commissioner’s Office

(“ICO”) and other European authorities had all opened investigations into

Facebook’s data privacy practices.

         On April 11, 2018, Plaintiff, Construction and General Building Laborers’

Local No. 79 General Fund (“Local No. 79”), served a demand to inspect Facebook’s

books and records (the “Demand”) under Section 220 of the Delaware General

Corporation Law (“Section 220”).2 As required by statute,3 Local No. 79 stated that

its purpose for inspection was to “investigate and assess the actual and potential

wrongdoing, mismanagement, and breaches of fiduciary duties by the members of

the Company's Board” in connection with the data privacy breaches and “to

investigate the independence and disinterestedness” of the Company’s directors.4 In

response, Facebook produced about 1,700 pages of significantly redacted books and

records.




2
  8 Del. C. § 220. As explained below, several other Facebook stockholders followed Local
No. 79 in directing Section 220 demands to Facebook. By order dated October 11, 2018,
the Court deemed Local No. 79’s Demand to be the operative demand. D.I. 17.
3
    8 Del. C. § 220(b).
4
    JX 54 (Local No. 79’s Demand to Inspect Books and Records) at 6.

                                            2
      When discussions between the parties regarding the scope of Facebook’s

production broke down, Local No. 79 filed its Verified Complaint to Compel

Inspection on September 6, 2018.5 In its answer to that Complaint, Facebook denied

Plaintiff had stated a proper purpose for inspection and maintained that, even if a

proper purpose had been stated, Plaintiff was not entitled to inspect any documents

beyond those already produced.6 Specifically, Facebook asserted the Complaint

failed to plead a credible basis to infer that Facebook’s directors breached their duty

of oversight, or any other aspect of their fiduciary duties, because the Cambridge

Analytica breach resulted from the unanticipated acts of third parties who had

managed to compromise Facebook’s existing (and adequate) data privacy systems.

      The parties agreed to a “paper record” trial (i.e., without deposition or live

testimony). After carefully reviewing the evidence and the arguments of counsel,

I conclude in this post-trial decision that Plaintiffs have demonstrated, by a

preponderance of the evidence, a credible basis from which the Court can infer that



5
  I cite to Local Union No. 79’s Verified Complaint (“Complaint”) as “Compl. ¶ __.”
(D.I. 1). Plaintiffs, City of Birmingham Retirement and Relief System (“Birmingham”)
and Lidia Levy (together with Local 79, “Plaintiffs”), also filed complaints seeking to
enforce their inspection rights under Section 220. The Court has designated the Local
Union No. 79 Complaint as the operative complaint for purposes of this consolidated
action. See D.I. 17. I cite to the Pre-Trial Stipulation and Order (“PTO”) as “PTO ¶ __.”
(D.I. 32).
6
 Defendant’s Answer and Defenses to Plaintiff’s Verified Complaint Pursuant to 8 Del. C.
§ 220 (“Answer”) ¶¶ 3, 4. (D.I. 11).

                                           3
wrongdoing occurred at the Board level in connection with the data privacy breaches

that are the subject of this action. In so finding, I reject, as a matter of law,

Facebook’s implicit suggestion that I must adjudicate the merits of Plaintiffs’

Caremark claim before allowing an otherwise proper demand for inspection to stand.

This is not the time for a merits assessment of Plaintiffs’ potential claims against

Facebook’s fiduciaries. The “credible basis” standard applicable in this Section 220

action imposes the lowest burden of proof known in our law and asks a

fundamentally different question than would be asked at a trial on the merits: has the

stockholder presented “some evidence” to support an inference of wrongdoing that

would justify allowing the stockholder to inspect Facebook’s books and records?7

While this court consistently reminds stockholders that a Caremark claim

“is possibly the most difficult theory upon which a plaintiff might hope to win a

judgment,”8 that admonition does not license this court to alter the minimum burden

of proof governing a stockholder’s qualified right to inspect books and records.




7
  Seinfeld v. Verizon Commc’ns, Inc., 909 A.2d 117, 118 (Del. 2006) (“We reaffirm the
well-established law of Delaware that stockholders seeking inspection under Section 220
must present ‘some evidence’ to suggest a ‘credible basis’ from which a court can infer
that mismanagement, waste or wrongdoing may have occurred.”).
8
    In re Caremark Int’l Deriv. Litig., 698 A.2d 959, 967 (Del. Ch. 1996).

                                              4
      In the wake of the Consent Decree, Facebook was under a positive obligation

to take specific steps to protect its users’ private data. That obligation was firmly in

place at the time of the Cambridge Analytica breach. Delaware courts traditionally

have viewed stockholder allegations that a board failed to oversee the company’s

obligation to comply with positive law, or positive regulatory mandates, more

favorably in the Caremark paradigm than allegations that a board failed to oversee

the company’s efforts generally to avoid business risk. Plaintiffs have presented

“some evidence” that the Board failed to oversee Facebook’s compliance with the

Consent Decree resulting in unauthorized access to its users’ private data and

attendant consequences to the Company. In other words, Plaintiffs have sustained

their minimal burden to demonstrate a credible basis of wrongdoing justifying the

inspection of certain of the Company’s books and records.9

      Judgment is entered for Plaintiffs. Facebook shall produce for inspection the

books and records designated herein as essential to Plaintiffs’ pursuit of their proper

purpose.




9
  At the risk of prolixity, I emphasize this Opinion stops well short of concluding that
Facebook fiduciaries engaged in any wrongdoing in connection with any data privacy
breaches that may have occurred at the Company. That merits-based determination awaits
another day.

                                           5
                             I. FACTUAL BACKGROUND

       The Court presided over a one-day trial on March 7, 2019. The following

facts were proven by a preponderance of the evidence against the backdrop of the

credible basis standard.10

     A. The Parties

       Local No. 79 has continuously owned Facebook stock since June 17, 2015.11

Defendant, Facebook, is a Delaware corporation that operates the Facebook social




10
   At the outset of this recitation of facts, I acknowledge that Plaintiffs’ evidence, by
necessity, is comprised of publically available information, including a heavy dose of
newspaper and other news media reports. I am mindful that these reports are hearsay.
Even so, in a Section 220 proceeding, “[h]earsay statements may be considered, provided
they are sufficiently reliable.” Amalgamated Bank v. Yahoo! Inc., 132 A.3d 752, 778 (Del.
Ch. 2016). See also, In re Plains All Am. Pipeline, L.P., 2017 WL 6066570, at *3–4
(Del. Ch. Aug. 8, 2017) (ORDER) (relying on Los Angeles Times article to find that
stockholder had stated a credible basis to suspect wrongdoing for purposes of Section 220);
Paul v. China MediaExpress Hldgs., Inc., 2012 WL 28818, at *4 (Del. Ch. Jan. 5, 2012)
(finding plaintiff stated credible basis to suspect wrongdoing, in part, based on the
plaintiff’s identification of “numerous third-party media reports alleging fraudulent
conduct by the [company’s] officers and directors”); Leonard v. Texas, 137 S.Ct. 847, 848
(2017) (denying certiorari and relying on articles from the Washington Post and The New
Yorker for factual propositions concerning civil forfeiture). For the most part, I have
referred to the news reports as chronological markers of the events that have unfolded since
the entry of the Consent Decree. Unless otherwise indicated, I have not viewed these
reports as standalone evidence of wrongdoing at the Company. As discussed below, many
of the reports either have been acknowledged by the Company or have been corroborated
by other investigations.
11
  JX 54 at 11. The other Plaintiffs also owned Facebook stock at the time they submitted
their demands—Birmingham since June 22, 2012 (JX 56) and Levy since May 12, 2012
(JX 58).

                                             6
media platform.12       Facebook’s principal executive offices are in Menlo Park,

California.13

      B. Facebook’s Business

           Mark Zuckerberg founded Facebook in 2004. He serves as the Company’s

CEO and Chairman of its Board of Directors (the “Board”).14 Facebook is a social

media platform that enables its more than 2.2 billion active users to stay in touch

with friends and family, develop connections, learn about world events and circulate

individual commentary.15

           As part of its business model, Facebook allows independent third-party

developers to place their applications or links to their websites (collectively, “apps”)

on the Facebook platform.16 Once apps are placed on the platform, Facebook’s users

can open the apps to interact with their Facebook “friends” through games or other

app content.17 In turn, Facebook, by agreement, allows the third-party app providers

to “whitelist,” or access, not only the data of a user that has opened the app but also


12
     PTO ¶ 2.
13
     Id.
14
     Id. ¶ 3.
15
     Answer ¶¶ 7, 8.
16
   JX 103 (the Parliamentary Committee’s report on “Disinformation and ‘Fake News’”)
(the “Parliamentary Report”).
17
     Id.

                                           7
the data of that user’s Facebook “friends.”18 According to Plaintiffs, this practice of

allowing its partners to whitelist Facebook user data has made Facebook much more

vulnerable to data breaches.

      C. The FTC Consent Decree

         In November 2011, Facebook entered into the Consent Decree with the FTC

as the culmination of the FTC’s investigation into Facebook’s allegedly inadequate

data privacy practices.19 The Consent Decree mandates that Facebook develop and

maintain a comprehensive privacy program subject to regular assessments by a third-

party data security firm.20 The privacy program was required to (1) address privacy

risks correlated with the development and management of new and existing products

and services for consumers; and (2) protect the privacy and confidentiality of

“covered information”––personal consumer information Facebook gathered from

consumers’ interactions with the Facebook platform.21




18
   See Tr. 18:9–12 (“[T]here’s a concept in Facebook, it’s a term of art . . . and it’s called
whitelisting. And it essentially gives a third party access to the entire data profile of a user
and in some instances can also give the third party access to data profiles of the user’s
friends.”). See also, JX 12; JX 103.
19
     Answer ¶ 8; JX 1.
20
     JX 1; JX 37.
21
     JX 1 at § IV.

                                               8
         To implement the Consent Decree’s broad mandate, Facebook was required

to execute a plan to secure its user’s private data that was commensurate in scale

with the size of the Company’s user base and the complexity of its platform.22 It also

was required to track data protection outcomes in writing and to place specified

employees in positions where they could execute privacy risk assessments and

develop steps to protect the covered information as defined in the Consent Decree.23

The Company’s compliance with these mandates was to be subject to initial and

biennial assessments by an independent, experienced privacy and data protection

professional for a period of 20 years.24 During this prescribed monitoring period,

Facebook was required to inform all current and future principals, officers, directors

and managers of the specific content of the Consent Decree.25 The implementation

of the Consent Decree was to be monitored at the Board level by Facebook’s Audit

Committee.26



22
   Under the privacy program, Facebook must undergo fixed internal privacy and security
risk assessments, require employees to participate in privacy training programs, guarantee
that its user and developer privacy policies and controls are crystal clear and easily
accessed, and measure and strengthen its privacy program under the direction of its privacy
governance team. See JX 37 at 7–14; JX 24 at 660.
23
     JX 1 at § IV.
24
     JX 1 at § V.
25
     Id. at §§ VII, X.
26
     JX 39 at 1468; JX 41 at 1593; JX 29 at 998; JX 13 at 401.

                                              9
           In the three bi-annual assessments completed after the entry of the Consent

Decree, an independent data privacy firm attested that Facebook had invoked

privacy controls “meet[ing] or exceed[ing] the protections required” under the

Consent Decree.27 The independent firm additionally verified that Facebook’s

privacy program “has built-in procedures to evaluate and adjust the Privacy Program

in light of testing and monitoring results, as well as other relevant circumstances.”28

In 2017, Facebook’s privacy team detected 370,000 noncompliant apps and took

corrective measures that varied from instituting constraints, to delivering cease-and-

desist letters, to eliminating the apps from the Platform.29

      D. The Cambridge Analytica Breach

           In 2013, Aleksandr Kogan, a Cambridge University professor and data

researcher, created a personality “quiz” app called “thisisyourdigitallife.”30 In 2014,

the app went live on the Facebook Platform, positioning itself as a “research app

used by psychologists” and assuring users that the results of the quiz would be

utilized only for academic purposes.31 About 270,000 users installed the app and



27
     JX 37 at 19; JX 6; JX 27.
28
     JX 37 at 14; see, e.g., JX 42 at 1627–29, 1637; JX 35 at 1352.
29
     JX 67 at 9.
30
     JX 44 at 2.
31
     Id.

                                              10
agreed to share their personal data, as well as aspects of their Facebook friends’

personal data.32 At the time, Facebook’s policies permitted this data sharing to

varying degrees depending on the friends’ privacy and application settings.33

           In December 2015, The Guardian published a story reporting that Kogan’s

company, Global Science Research (“GSR”), sold the data of millions of Facebook

users as collected on the “thisisyourdigitalife” app to Cambridge Analytica in

violation of Facebook’s data use and platform policies.34 The article reported

Cambridge Analytica used the data to develop psychological profiles of U.S.

voters.35 Following the article’s release, the Company blocked Kogan and his app

from Facebook and obtained written verifications from Kogan, GSR, Cambridge

Analytica, a Cambridge Analytica employee and others that all Facebook user data

in their possession had been destroyed.36 Cambridge Analytica’s CEO, Alexander

Nix, then testified before the Parliament of the United Kingdom and later confirmed




32
     Id.
33
     JX 10; JX 30.
34
  JX 30; JX 98; see JX 53 (At an April 10, 2018 combined hearing of the Senate Judiciary
and Commerce, Science and Transportation Committees (the “April 10 Senate Hearing”),
Senator Richard Blumenthal noted that the terms of service between Facebook and Kogan
explicitly allowed Kogan to sell that data.).
35
     JX 30.
36
     JX 44 at 2; JX 50.

                                          11
in writing to the House of Commons that Cambridge Analytica neither owned nor

utilized Facebook user data.37 With that, Facebook believed the issue was resolved.

         On March 17, 2018, The New York Times and The Guardian reported that, in

2015, Cambridge Analytica had misappropriated Facebook user data via Kogan’s

app––resurfacing the issue.38 This time, though, the articles went a step further,

revealing Cambridge Analytica lied when it conveyed to Facebook in 2016 that it

had deleted all the user data.39     Instead, according to the reports, Cambridge

Analytica kept the data and deployed it in connection with the 2016 Presidential

campaign.40 The New York Times also reported that, in response to multiple requests

for information, Facebook “downplayed the scope of the leak and questioned

whether any of the data still remained out of its control.”41 After these reports




37
     JX 43; JX 46.
38
  JX 45; JX 46. See also, JX 53 (Zuckerberg acknowledged at the April 10 Senate Hearing,
“[w]hat we know now is that Cambridge Analytica improperly accessed some information
about millions of Facebook members by buying it from an app developer.”).
39
  JX 45; JX 46. See JX 53 (Zuckerberg further testified at the April 10 Senate hearing,
“[w]hen we first contacted Cambridge Analytica, they told us that they had deleted the
data. About a month ago, we heard new reports that suggested that wasn’t true.”).
40
  JX 45; JX 46. See also, JX 53 at 17 (At the April 10 Senate Hearing, Senator Maria
Cantwell stated, “Cambridge Analytica was providing support to the Trump campaign
under Project Alamo[.]”); JX 103 at 42 (the Parliamentary Report describing the use of
Cambridge Analytica’s data in the 2016 Presidential campaign).
41
     JX 45 at 2.

                                          12
surfaced, Facebook suspended Cambridge Analytica and its employees from the

Facebook platform.42

           On March 20, 2018, Bloomberg News provided further color by detailing the

many investigations that had been launched into Facebook’s data security

practices.43 Among the investigations mentioned, the article reported that the FTC

had opened an investigation into whether Facebook violated the 2011 Consent

Decree.44 According to the article, the FTC would soon deliver a notice to Facebook

detailing its concerns that the Company was not complying with the Consent Decree

and generally was not protecting its users’ private data.45          Six congressional

committees likewise had opened investigations into how Cambridge Analytica

managed to access the personal data of 50 million Facebook users.46 In response,

Facebook reportedly led staff-level briefings to prepare for inquiries by the




42
     JX 44; JX 50.
43
     JX 47.
44
   Id. See JX 51 (the FTC’s March 26, 2018 press release confirming it was currently
pursuing a non-public investigation into Facebook’s privacy practices and compliance with
the Consent Decree).
45
     JX 47.
46
     Id.

                                           13
Judiciary, Commerce and Intelligence Committees of both congressional

Chambers.47

          On the same day the Bloomberg News story was published, The New York

Times reported that Alex Stamos, Facebook’s Chief Information Security Officer,

had decided to leave the Company.48 According to this report, Stamos advocated

for transparency regarding Russian agents’ use of Facebook to influence the 2016

Presidential election, but faced immutable “resistance” from the Company.49

          On March 21, 2018, Bloomberg News reported a former Facebook operations

manager, Sandy Parakilas, had advised British lawmakers that he warned senior

executives at the Company about inadequate data protection guidelines but the

warnings were ignored.50 Parakilas made clear he had mapped out the data security

weaknesses within the platform, including a list of bad and potentially bad actors,

how these actors might exploit user data and the risks to which the Company might


47
     Id. at 2–3.
48
     JX 48. See Tr. 44:10–14.
49
   Id. JX 103 at 74 (The U.K. House of Commons Digital, Culture, Media and Sports
Committee (the “Parliamentary Committee”) was “left with the impression that either
Simon Milner [Policy Director for the U.K., Middle East and Africa, at Facebook] or Mike
Schroepfer [Facebook’s Chief Technology Officer] deliberately misled the Committee or
they were deliberately not briefed by senior executives at Facebook about the extent of
Russian interference in foreign elections.”).
50
  JX 49. See JX 53 at 35 (Senator Richard Blumenthal submitted a letter from Parakilas
indicating “not only a lack of resources, but lack of attention to privacy [at the
Company].”).

                                          14
be exposed if a data breach occurred.51 Parakilas stated Facebook could have

avoided the Cambridge Analytica breach, but instead permitted third parties to

obtain users’ personally identifiable data in furtherance of its whitelist agenda.52

           On March 26, 2018, the FTC issued a press release confirming it was pursuing

a non-public investigation into Facebook’s privacy practices and compliance with

the Consent Decree.53 In the press release, the FTC’s acting director, Thomas Pahl,

explained that the FTC’s primary means for maintaining consumer privacy was to

initiate enforcement actions when companies, like Facebook, failed to honor

commitments they made to maintain their customers’ privacy.54 He then emphasized

Facebook had an affirmative obligation to comply with the Consent Decree’s

privacy and data security requirements.55

           On April 4, 2018, The New York Times reported the number of Facebook users

affected by the Cambridge Analytica data breach had grown from 50 million to

87 million.56 The article made a point to report that Facebook had not disclosed that



51
     JX 49.
52
     Id.
53
     JX 51.
54
     Id.
55
     Id.
56
     JX 52.

                                            15
figure voluntarily, and then made the disturbing revelation that certain Facebook

search and account recovery functions may have exposed “most” of its 2 billion

users to outside parties’ information harvesting.57

           The bad reports kept coming. On April 30, 2018, The New York Times

reported that Jan Koum, the founder of Facebook subsidiary, WhatsApp, and a

member of Facebook’s Board, had announced his plans to leave the Company amidst

reports that he had “grown increasingly concerned about Facebook’s position on

user data in recent years,” “was perturbed by the amount of information that

Facebook collected on people” and “wanted stronger protections for that data.” 58

Mr. Koum reportedly “personally got along with Mark Zuckerberg, Facebook’s

chief executive, [but] felt the company’s board simply paid lip service to the privacy

and security concerns he raised.”59




57
  Id. See also, JX 103 at 22 (the ICO “fined Facebook because it allowed applications and
application developers to harvest the personal information of its customers who had not
given their informed consent—think of friends, and friends of friends— and then Facebook
failed to keep the information safe.”).
58
     JX 57.
59
     Id.

                                           16
      E. Zuckerberg Testifies Before Congress

           On March 21, 2018, USA Today reported that Zuckerberg, for the first time,

had spoken on behalf of Facebook about the Cambridge Analytica breach.60

Zuckerberg characterized the controversy as “a breach of trust between Facebook

and the people who share their data with us and expect us to protect it.”61 In response

to his remarks, analysts observed, “Facebook exhibits signs of systemic

mismanagement, [] a new concern [] not contemplated until recently.”62

           Within weeks of the USA Today article, Zuckerberg testified at the April 10

Senate Hearing, where he acknowledged that Facebook discovered the Cambridge

Analytica data breach in 2015, but elected not to conduct an audit concerning the

scope of that breach.63 After Facebook told Cambridge Analytica to erase and

discontinue using the collected data, the Company “considered it a closed case,”

particularly when Cambridge Analytica represented it had erased the user data.64




60
     JX 104.
61
     Id.
62
     Id.
63
     JX 53 at 11.
64
     Id.

                                            17
Having determined that the case was “closed,” Facebook did not notify the FTC or

any other outside party of the massive intrusion into its users’ private data.65

           During the April 10 Senate hearing, Senator Richard Blumenthal opined that

Facebook was on notice that it was in violation of the Consent Decree, as evidenced

in part by the terms of service it had agreed to with Aleksandr Kogan and others like

him.66 These agreements, according to Senator Blumenthal, revealed Facebook’s

“willful blindness” to the fact that third parties would sell user data in violation of

the Consent Decree.67 In response, Zuckerberg stated, “[Facebook] should have

been aware that this app developer submitted a term that was in conflict with the

rules of the platform.”68

      F. The Regulators Investigate

           On June 5, 2018, The New York Times reported Facebook persisted in

maintaining data-sharing partnerships with a minimum of four Chinese electronics

companies––including Huawei Technologies Co., Inc., a manufacturing company

that maintained a close relationship with the Chinese government and was identified




65
     Id.
66
     JX 53 at 35.
67
     Id.
68
     Id.

                                           18
by American intelligence officials as a national security threat.69 Agreements

providing access to private user data had been in place since at least 2010 and

continued in effect through the date of the reporting.70 The New York Times also

revealed Facebook permitted access to private user data to many other large

manufacturers as well––including Amazon.com, Inc., Apple Inc., BlackBerry Ltd.

and Samsung Electronics Co., Ltd.71

         On July 2, 2018, The Washington Post reported the FBI, SEC and DOJ had

teamed up with the FTC in its investigation of Facebook’s data security practices.72

The federal investigations widened in scope to address the extent to which Facebook


69
  JX 62. See also, JX 53 at 87 (Senator Jon Tester stated at the April 10 Senate hearing,
“Facebook allowed a foreign company to steal private information. They allowed a foreign
company to steal private information from tens of millions of Americans, largely without
any knowledge of their own.”).
70
  JX 62. See also, JX 103 at 25 (The FTC’s 2011 complaint revealed “from May 2007 to
July 2010, [Facebook] allowed external app developers unrestricted access to information
about Facebook users’ personal profile and related information[.]”).
71
     JX 62.
72
  JX 68. The Parliamentary Report revealed the specifics of the FBI’s criminal complaint,
including:

         the work of ‘Project Lakhta’, in which individuals have allegedly ‘engaged
         in political and electoral interference operations targeting populations within
         the Russian Federation and in various other countries, including, but not
         limited to, the United States, members of the European Union, and
         Ukraine[.]’ Since at least May 2014, Project Lakhta’s stated goal in the
         United States was to spread distrust towards candidates for political office
         and the political system in general.

JX 103 at 78.

                                               19
knew that its users’ data had been misappropriated and disseminated in 2015 and the

reasons the Company failed to inform its users or investors of the breaches in real

time.73 Investigators reportedly also concentrated on inconsistencies in more recent

accounts from Facebook executives, including Zuckerberg’s testimony before

Congress.74

           On November 12, 2018, The New York Times obtained an internal Facebook

document detailing agreements Facebook entered into with device manufacturers

whereby the Company provided the personal data of hundreds of millions of its

users.75 The Company reportedly failed to monitor the behavior of these third parties

after allowing them to access user data, a failure discovered in 2013 by Facebook’s

FTC-approved privacy monitor.76 Once again, Facebook never told its users of these

agreements with device manufacturers even though the vast majority of users had

not given the Company permission to distribute their information.77




73
     JX 68.
74
     Id.
75
     JX 80.
76
     Id.
77
     Id.

                                          20
           The joint investigations discovered that, in 2013, in furtherance of its

commitments to the FTC, Facebook engaged PricewaterhouseCoopers (“PwC”) to

conduct an assessment of its partnerships with Microsoft and Research in Motion,

the makers of Blackberry.78 PwC discovered only “limited evidence” that Facebook

oversaw or assessed its partners’ compliance with its data use policies.79

An unredacted version of a letter from PwC uncovered by a Senate aide suggested

that PwC found “no evidence that Facebook had ever addressed the original

problem.”80

      G. Facebook’s Data Protection Problems Continue

           On September 28, 2018, The New York Times reported that an attack on

Facebook’s computer network had exposed the private data of 50 million users.81

The breach allowed the hackers to gain access to user accounts and potentially take

control of them.82 Then, on October 31, 2018, Business Insider reported on the

ineffectiveness of Facebook’s ad transparency tools as evidenced by the fact that




78
     Id.
79
     JX 80 at 2.
80
     Id.
81
     JX 77.
82
     Id.

                                           21
reporters had been permitted to run advertisements “paid for” by Cambridge

Analytica.83

         On November 14, 2018, The New York Times reported that Alex Stamos, then

Facebook’s Chief Security Officer, told the Board on September 6, 2017, that the

Company had not eliminated suspicious Russian activity on its platform.84

In response, Board member, Sheryl Sandberg, allegedly yelled at Stamos, “[y]ou

threw us under the bus!”85 This exchange occurred after Zuckerberg and Sandberg

asked Stamos and other Facebook executives to update Facebook’s Audit

Committee on data privacy issues and after Stamos had been rebuked by Zuckerberg

and Sandberg for providing too much information.86 The article further revealed

that Zuckerberg and Sandberg intended publicly to disclose the Cambridge

Analytica breach the same day as the Company’s quarterly Board meeting in

September 2017.87 Stamos wrote the proposed report of Facebook’s findings to




83
     JX 79.
84
  JX 82. See also, JX 103 at 74 (The Parliamentary Report noted, “[i]n September 2017,
Alex Stamos, the then Chief Security Officer, told the members of Facebook’s Executive
Board that that Russian activity was still not under control.”).
85
     JX 82 at 1.
86
     JX 82 at 9–10.
87
     JX 82 at 9.

                                         22
assist Sandberg in her public comments.88 Sandberg, however, sent the report back

to Stamos because she wanted it to be less specific.89

           On December 5, 2018, the Parliamentary Committee released internal

Facebook documents, including executive emails and internal presentations.90

These internal documents revealed Facebook’s business plan, first conceived in

2013, was to monetize its platform by “privatizing” user data through agreements

with certain preferred partners to “whitelist” apps and services integrated into the

platform so that Facebook and its partners could reciprocally share user data.91

Facebook entered into whitelisting agreements with companies in varied industries,

like the Royal Bank of Canada and Walgreens Co.92 In September 2013, Facebook

executed a business strategy to “review access” to user data by documenting the

business partners it would allow to have paid access to user data through the




88
     Id.
89
     Id.
90
     JX 3–5, 7–9, 12, 21–22, 26.
91
   JX 12 at 3–4, 30. As noted, “whitelisting” a third party at Facebook means to provide
that third party with complete access to user data and the data of that users’ friends,
irrespective of whether the users’ friends use the third-party app. JX 103 at 29.
92
     JX 8, 22, 26.

                                          23
“whitelist” and those who would be denied access because they were deemed to be

a competitive threat to the Company.93

          According to the documents released by the Parliamentary Committee,

Zuckerberg was the first to conceive of the plan to monetize user data within the

Facebook platform and he emailed the idea and the implementing steps to Sandberg

and the Vice Presidents of the Company.94             Zuckerberg hoped to engage in

“reciprocity” in the sharing of user data if the information generated by a Facebook

business partner was valuable to the Company.95

          The documents also revealed Facebook accessed users’ Android phone data

without permission and designed the Facebook platform so that it could readily

retrieve that data.96 The Facebook application installed on Android phones read

users’ call log histories and messaging histories without permission, and was

specifically engineered to “upgrade” users to this level of access without clearly

alerting them that the “upgrade” was occurring.97 Facebook’s executives believed



93
     JX 7 at 1–3.
94
     JX 3, 4, 5.
95
   JX 5 at 1 (Sandberg wrote by email, “I think the observation that we are trying to
maximize sharing of Facebook, not just sharing in the world, is a critical one. I like full
reciprocity and this is the heart of why.”).
96
     JX 21.
97
     Id. at 1.

                                            24
this effort to avoid obtaining Android’s user permissions was “a pretty high risk

thing to do.”98       Nevertheless, the plan was approved at the highest levels of

Facebook.99

           On December 18, 2018, The New York Times published the latest in its series

of articles on Facebook, this time providing additional reporting regarding the

Company’s failure to disclose that it had allowed its business partners broad access

to users’ personal data.100 The New York Times interviewed former employees of

the FTC consumer protection division who were involved in the investigation

leading to the Consent Decree, and each stated that Facebook’s ongoing data sharing

partnerships likely violated the agreement.101 The New York Times also interviewed

Facebook employees, who revealed that many of these partnerships were not

captured by the Company’s privacy compliance program because they were deemed

business contracts outside of Facebook’s data policies.102 The Facebook privacy




98
     Id.
99
     JX 21 at 2.
100
   JX 90. JX 103 at 30 (“Apps were able to circumvent users’ privacy of platform settings
and access friends’ information, even when the user disabled the Platform.”).
101
      JX 90 at 3.
102
      Id. at 11–12.

                                            25
team allegedly had no means to review or propose modifications to the data-sharing

agreements that the Company’s senior officials negotiated.103

      H. The Fallout

            Multiple lawsuits have been filed—some as direct consumer class actions,

some as government enforcement actions and some as derivative actions against

Facebook fiduciaries—alleging that Facebook’s implementation of a business model

that exposed private user data to unauthorized third-party access has caused harm to

consumers and harm to the Company.104 Indeed, according to Fortune magazine,

Facebook is facing “dozens” of “data lawsuits.”105

            On February 14, 2019, The Washington Post reported Facebook was currently

negotiating with the FTC over a “multi-billion dollar fine” for Facebook’s




103
      Id.
104
     See, e.g., Sbriglio v. Zuckerberg, C.A. No. 2018-0307-JRS (derivative action in
Delaware); Leagre v. Zuckerberg, C.A. No. 2018-0675-JRS (same); In re Facebook, Inc.,
Consumer Privacy User Profile Litig., C.A. No. 3:18-md02843 (a multidistrict privacy
litigation in the U.S. District Court in the Northern District of California); Yuan v.
Facebook, Inc. et al., C.A. No. 3:18-cv-01725 (a federal securities action pending in the
U.S. District Court in the Northern District of California); District of Columbia v.
Facebook, Inc., C.A. No. 2018-CA-008715 (a consumer class action brought by the United
States Government pending in the District of Columbia); State of Illinois ex rel. Foxx v.
Facebook Inc., et al., Case No. 2018-CH-03868 (Cook Cty. Cir. Ct.) (a consumer action
brought by the Cook County State’s Attorney in Illinois).
105
   Jeff John Roberts, FACEBOOK HAS BEEN HIT BY DOZENS OF DATA LAWSUITS. AND
THIS COULD BE JUST THE BEGINNING (2018), http://fortune.com/2018/04/30/facebook-
data-lawsuits/ (last visited May 30, 2019).

                                            26
mishandling of user data and violation of the Consent Decree.106 On that same day,

the Parliamentary Committee published the Parliamentary Report, revealing emails

from Zuckerberg and Sandberg that the Parliamentary Committee read as confirming

Facebook “intentionally and knowingly” violated both data privacy and competition

laws.107        The Parliamentary Report further determined that the “Cambridge

Analytica Scandal was facilitated by Facebook’s policies,” observing that the

“incident displays the fundamental weakness of Facebook in managing its

responsibilities to the people whose data is used for its own Commercial

purposes.”108

      I. Procedural History

            After The Guardian and The New York Times published articles on the

Cambridge Analytica breach in March 2018,109 the Company received inspection

demands from multiple Facebook stockholders under Section 220, including each of

the three plaintiffs in this consolidated action. On April 11, 2018, Plaintiff Local

No. 79 sent its Demand to Facebook’s Board. The Demand focused on Facebook’s

failure to secure its users’ private data and specified three purposes for inspection of


106
      JX 102.
107
      JX 103.
108
      Id.
109
      JX 45; JX 46.

                                          27
Facebook’s books and records: (1) to “investigate and assess the actual and potential

wrongdoing, mismanagement, and breaches of fiduciary duty by members of the

Company’s Board[;]” (2) to “assess the ability of the Company’s Board to

impartially consider a demand for action (including for the filing of a derivative

lawsuit on the Company’s behalf[;]” and (3) to “take appropriate action in the event

the members of the Company’s Board did not discharge their fiduciary duties,

including the preparation and filing of a shareholder derivative lawsuit, if

appropriate.”110

          The Demand sought eight categories of “Board Materials” that, by definition,

encompassed both Board and committee materials, to include “all presentations,

board packages, recordings, agenda, summaries, memoranda, charts, transcripts,

notes, minutes of meetings, drafts of minutes of meetings, exhibits distributed at

meetings, summaries of meetings, or resolutions.”111 As for timeframe, the Demand

sought “all books, records, and documents within the Company’s possession,

custody, or control for and/or relating to the period February 3, 2017 to present.”112




110
      Compl. Ex. A at 6 ¶ 47.
111
      Compl. Ex. A at 5–6, n. 5.
112
      Id. at 6.

                                           28
          In its May 1, 2018 response to the Demand (the “Demand Response”),

Facebook asserted that the Demand failed to meet the requirements of Section 220

by failing to “provide a credible basis to support a finding of actionable

mismanagement,” primarily because the news articles identified in the Demand did

not directly implicate Facebook’s directors.113 Further, Facebook stated that if Local

No. 79 sought to investigate a Caremark claim, the Demand failed to provide any

evidence that Facebook “‘utterly failed to implement a reporting system or ignored

red flags.’”114 Facebook also maintained that the stockholder’s eight inspection

requests were overbroad because the requests were “akin to civil litigation discovery

requests, seeking broad categories of documents relating to the Company’s privacy

policies, risk management and compliance issues, and Board issues.”115

          While maintaining its objections to the Demand and subject to the parties

entering into an appropriate confidentiality agreement, Facebook agreed to produce

certain Board minutes and related materials apparently in hopes of avoiding

litigation.116 On June 12 and 18, 2018, Facebook produced 1,694 pages of its books



113
      JX 60 at 3.
114
  Id. at 4 (quoting Beatrice Corwin Living Irrevocable Tr. v. Pfizer, Inc., 2016
WL 4548101, at *5 (Del. Ch. Sept. 1, 2016)).
115
      Id. at 5–6.
116
      Compl. Ex. B; see Compl. ¶ 54. See also, JX 59; JX 60.

                                             29
and records.117 Of that total, 1,612 pages were redacted completely and marked as

“non-responsive,” containing no information, or produced with only a title or other

information identifying the document.118 Ignoring the date parameters stated in the

Demand, the production included documents dated between January 2014 and

December 2017.119 Rather than identify the category of documents identified in the

Demand to which the produced documents were responsive, the Demand Response

created its own category, “all documents relating to unauthorized access of third-

party user data.”120

            On September 6, 2018, Local No. 79 filed its Complaint in which it repeated

the allegations of wrongdoing stated in its Demand but omitted certain of the specific

categories         of documents    it   had   originally sought   in   the Demand.121

On September 28, 2018, Facebook answered the Complaint and raised the same

defenses it had stated in its Demand Response, including that Plaintiffs lack a proper

purpose for the Demand and seek an overbroad production of books and records




117
      PX 1–22.
118
      Id.
119
      Id.
120
      JX 97 at 6.
121
      D.I. at 1.

                                              30
given the stated purposes for inspection.122 On October 11, 2018, the Court entered

a Stipulation and Order consolidating this action with two related Section 220

actions—the Birmingham action and the Levy action.123 Under the consolidation

order, the Local No. 79 Complaint became the operative complaint, and the Demand

became the operative demand.124 The trial occurred on March 7, 2019.

          In a commendable effort to clarify the issues for trial, the parties met on

September 12, 2018, to discuss the scope of documents Plaintiffs sought to inspect.

The following day, Plaintiffs provided a revised (and broader) list of requested books

and records, identified custodians from whom documents should be collected and

clarified that the Company should collect documents generated from January 1, 2011

through the present.125 The documents requested were:

       Board and Committee Meeting Materials
          o Minutes, presentations, agendas, and resolutions for the Board
             and Board Committees of Facebook;
          o Any notes taken or other written materials generated by the
             Board members in connection with any meeting of the Board of
             Facebook or any committee of the Board; and
          o Unredacted versions of relevant non-privileged documents
             produced in response to Shareholder’s Demand for Books and
             Records.


122
      D.I. at 11.
123
      D.I. at 17.
124
      PTO ¶ 15.
125
      JX 76.

                                           31
       Senior Management Material
           o Relevant written materials generated by or provided to Mark
               Zuckerberg including emails, reports, presentations, and
               business plans;
           o Relevant written materials generated by or provided to
               Facebook’s internet security, regulatory affairs or other relevant
               departments; and
           o Non-privileged relevant written materials generated by or
               provided to Facebook’s legal department.
       Relevant policies or procedures of Facebook;
       Documents produced to the government in connection with the 2011 consent
        decree and Cambridge Analytica and the resulting investigations;
       Board independence materials—any board questionnaires for each board
        member;
       Organizational charts for Facebook’s relevant departments;
       All documents produced to other stockholders in response to Section 220
        demands or otherwise;
       Privilege log as set forth in paragraph four of the June 2018 Confidentiality
        Stipulation; and
       Electronic communications by and between the board, executives and senior
        management relating to the subject matter in the Demand and Complaint.126

Needless to say, the revised list sought a substantially expanded scope of documents

than Plaintiffs requested in the Demand.

            On January 2, 2019, the parties met again to discuss the scope of production

and Facebook ultimately asked Plaintiffs to prepare a form of order they would ask

the Court to enter if the parties litigated the matter through trial.127 Plaintiffs agreed




126
      Id.
127
      JX 92.

                                             32
and, on January 16, 2019, provided their proposed form of order that defined the

categories of documents to be produced as follows:

         (1) the 2011 Consent Decree and related correspondence with the FTC;
         (2) the investigations conducted by the Department of Justice,
             Securities and Exchange Commission, and Federal Bureau of
             Investigation regarding Defendant’s sharing of personal
             information and related correspondence with each of those
             agencies;
         (3) third party access to and handling of Facebook user data, including
             but not limited to agreements with other companies regarding the
             same;
         (4) how the Facebook platform shares user data, including but not
             limited to design decisions regarding the Facebook application
             programming interface (“API”) and third party access to the
             Facebook platform;
         (5) Defendant’s general compliance policies and procedures respecting
             data privacy and access to user data;
         (6) Defendant’s internal investigation policies, procedures and
             protocols;
         (7) the Atlas (SOC1 & SOC 2/3), Custom Audience (SOC 2/3) and
             Workplace (SOC 2/3) audits performed by or on behalf of
             Defendant, and any other internal investigations or audits
             performed regarding topics 1–6;
         (8) any other regulatory, criminal, and civil investigations and civil
             lawsuits regarding topics 1–6; and
         (9) documents relating to the independence of Defendant’s directors
             and committees of the Board.128

         Plaintiffs provided their proposed list of custodians a week later, including

(1) all members of Facebook’s Audit Committee since 2011; (2) any person who

presented to the Audit Committee since 2011; (3) a list of seven Facebook officers,



128
      JX 94.

                                           33
including its general counsel; and (4) Facebook officers/directors Zuckerberg and

Sandberg.129 Ultimately, this exercise did not lead to an agreement.

         In the Pre-Trial Order, the categories of books and records and the custodians

from whom Plaintiffs sought records changed again. There, Plaintiffs sought:

         [H]ard-copy and electronic documents from the period of January 1,
         2011 through December 31, 2018, received or authored by any member
         of Facebook’s Board relating to the following topics are necessary and
         essential to the purposes stated in the Local No. 79 Section 220
         Demand:
         (1) the Consent Decree that Facebook entered into with the United
             States Federal Trade Commission in November 2011 and related
             correspondence with the [FTC];
         (2) the investigations conducted by the United States Department of
             Justice, Securities and Exchange Commission, and Federal Bureau
             of Investigation regarding Facebook’s sharing of personal
             information and related correspondence with each of those
             agencies;
         (3) compliance with the European Union’s General Data Privacy
             Regulation and related correspondence with European regulators;
         (4) third party access to and handling of Facebook user data, including
             but not limited to agreements with other companies regarding the
             same;
         (5) how the Facebook platform shares user data, including but not
             limited to design decisions regarding the Facebook application
             programming interface (“API”) and third party access to the
             Facebook platform;
         (6) Facebook’s general compliance policies and procedures respecting
             data privacy and access to user data;
         (7) Facebook’s internal investigation policies, procedures and
             protocols;
         (8) the Atlas (SOC1 & SOC 2/3), Custom Audience (SOC 2/3) and
             Workplace (SOC 2/3) audits performed by or on behalf of


129
      JX 95.

                                           34
             Facebook, and any other internal investigations or audits performed
             regarding topics 1–7;
         (9) any other regulatory, criminal, and civil investigations and civil
             lawsuits regarding topics 1–7; and
        (10) documents relating to the independence of Facebook’s directors
             and committees of the Board (collectively, “Plaintiffs’ Responsive
             Topics”).130

Plaintiffs also requested electronic communications, including emails, concerning

these topics from the following custodians: Erskine B. Bowles, Sam Lessin, Sheryl

Sandberg, Alex Stamos, Colin Stretch and Mark Zuckerberg.131 Defendants

addressed this version of Plaintiffs’ demand for inspection in their Pre-Trial Brief

and at trial.

          Plaintiffs’ demand took on yet another form in Plaintiffs’ Pre-Trial Brief,

where the categories were stated to include:

          (1) The 2011 FTC Consent Order and related correspondence with the FTC;
          (2) Investigations conducted by the [DOJ], [SEC], [FBI] and [ICO] regarding
              Facebook’s sharing of personal information and related correspondence
              with each of those agencies;
          (3) Third party access to and handling of Facebook user data, including but
              not limited to, design decisions regarding the Facebook application
              programming interface (“API”) and third-party access to the Facebook
              platform;
          (4) Facebook’s general compliance policies and procedures respecting data
              privacy and access to user data;
          (5) Facebook’s internal investigation policies, procedures and protocols;
          (6) Facebook’s Atlas (SOC1 & SOC 2/3), Custom Audience (SOC 2/3) and
              Workplace (SOC 2/3) audits performed on behalf of the Company, and

130
      PTO ¶ 18.
131
      Id. at ¶ 19.

                                           35
              any other internal investigations or audits performed regarding the topics
              identified in items 2–6 above; and
          (7) The independence of Facebook’s directors and committees of the
              Board.132
The temporal range remained from January 1, 2011 to the present.133 And Plaintiffs

again requested electronic communications, including emails, concerning the

designated topics from Erskine B. Bowles, Sam Lessin, Sheryl Sandberg, Alex

Stamos, Colin Stretch and Mark Zuckerberg.134 This latest iteration formed the basis

of Plaintiffs’ arguments at trial.135

                                        II. ANALYSIS

          Plaintiffs argue the evidence presented at trial provides a credible basis from

which the court can infer that mismanagement, waste or wrongdoing may have

occurred.          Specifically, they contend they have presented some evidence that

members of the Board and Facebook senior management knowingly implemented

policies that placed user data at risk of misappropriation and failed to monitor

Facebook’s compliance with the Consent Decree and, more generally, its efforts to

protect its users’ private information. The books and records identified in the




132
      Pls.’ Pre-Trial Br. 33–38.
133
      Id. at 39.
134
      Id. at 40–42.
135
      Tr. at 41:2–43:23.

                                             36
Demand, say Plaintiffs, are necessary and proper to investigate this potential

wrongdoing.

        Facebook responds that Plaintiffs have failed to demonstrate a credible basis

to infer Facebook’s directors breached their Caremark obligations. Even if a

credible basis to infer wrongdoing has been demonstrated, Facebook argues

Plaintiffs’ inspection requests are not “circumscribed with [requisite] precision

[because they are not] limited to those documents that are necessary, essential and

sufficient to the stockholder’s purpose.”136

        There is no dispute that Plaintiffs have satisfied Section 220’s so-called “form

and manner” requirements.137 Accordingly, I begin my substantive analysis by

addressing whether Plaintiffs have stated a proper purpose for inspection. After

concluding that they have, I turn to the dispute regarding the scope of the documents

to be produced.

      A. Section 220’s Minimal Burden of Proof

        The standard for evaluating a demand for books and records under

Section 220 is well settled. A stockholder of a Delaware corporation may inspect

the corporation’s books and records for any “proper purpose” rationally related to


136
   Marathon P’rs, L.P. v. M&F Worldwide Corp., 2004 WL 1728604, at *4 (Del. Ch.
July 30, 2004).
137
   See Amalgamated Bank v. Yahoo!, 132 A.3d at 775–76 (discussing “form and manner”
requirements).

                                           37
the stockholder’s “interest as a stockholder.”138            An intent to investigate

mismanagement or wrongdoing is a proper purpose if supported by the requisite

evidentiary showing.139 To demonstrate that an investigative purpose is proper, the

stockholder must prove, by a preponderance of the evidence, “a credible basis from

which the court can infer that mismanagement, waste or wrongdoing may have

occurred.”140 The “credible basis” standard is the lowest burden of proof known in

our law; it requires merely that the plaintiff put forward “some evidence” of

wrongdoing.141        After demonstrating a proper purpose, “[a] plaintiff seeking

inspection must [next] demonstrate that ‘each category of books and records

requested is essential and sufficient to [its] stated purpose.’”142



138
   8 Del. C. § 220(b) (“A proper purpose shall mean a purpose reasonably related to such
person’s interest as a stockholder.”).
139
    Seinfeld, 909 A.2d at 121 (“It is well established that a stockholder’s desire to
investigate wrongdoing or mismanagement is a ‘proper purpose.’”).
140
      Id. at 118 (internal quotation marks omitted).
141
    Id. at 118 (explaining that to satisfy the credible basis standard the stockholder must
present “some evidence” of wrongdoing); Id. at 123 (“Although the threshold for a
stockholder in a section 220 proceeding is not insubstantial, the ‘credible basis’ standard
sets the lowest possible burden of proof.”).
142
    Henry v. Phixios Hldgs., Inc., 2017 WL 2928034, at *11 (Del. Ch. July 10, 2017)
(quoting Thomas & Betts Corp. v. Leviton Mfg. Co., 681 A.2d 1026, 1035 (Del. 1996)).
See also, Sec. First Corp. v. U.S. Die Casting and Dev. Co., 687 A.2d 563, 569 (Del. 1997)
(When making a Section 220 demand, the plaintiff must show by a preponderance of the
evidence “that each category of books and records is essential to the accomplishment of
the stockholder’s articulated purpose for the inspection.”).

                                               38
      B. Plaintiffs Have Demonstrated Proper Purposes for Inspection

         The preponderance of the evidence presented at trial provides a credible basis

to infer the Board and Facebook senior executives failed to oversee Facebook’s

compliance with the Consent Decree and its broader efforts to protect the private

data of its users. I summarize that evidence below.

         First, Plaintiffs presented the Parliamentary Report where, after summarizing

emails, meeting minutes, witness interviews and other evidence, the Parliamentary

Committee concluded the “Cambridge Analytica Scandal was facilitated by

Facebook’s policies and the incident displays the fundamental weakness of

Facebook in managing its responsibilities to the people whose data is used for its

own Commercial purposes.”143              According to the Parliamentary Report,

“[i]f [Facebook] had fully complied with the [Consent Decree], [the Cambridge

Analatica scandal] . . . would not have happened.”144 The Parliamentary Report went

on to summarize evidence that Facebook had implemented a business plan to


143
   JX 103 at 24–25, 92; JX 3–5, 7–9, 12, 21–22, 26. “In total, the Committee held 23 oral
evidence sessions, reviewed over 170 written submissions, heard evidence from
73 witnesses, asked 4,350 questions of these witnesses, and had many exchanges of public
and private correspondence with individuals and organizations.” JX 103 at 10.
See In re UnitedHealth Gp., Inc. Section 220 Litigation, 2018 WL 1110849, at *7 (Del. Ch.
Feb. 28, 2018) (finding credible basis to suspect wrongdoing was evidenced by a complaint
brought on behalf of the Department of Justice, which included “references to, and
quotations from, the Company’s internal emails, letters, audit reports, charts, attestations,
policies, presentation materials, and memoranda”).
144
      JX 103 at 90.

                                             39
“override its users’ privacy settings in order to transfer data to some app developers”

and “to charge high prices . . . for the exchange of that data.”145 And, importantly,

the Parliamentary Report concluded that the Board was aware of data privacy

breaches but attempted “to deflect attention” from these breaches to avoid

scrutiny.146

            Second, the Consent Decree demonstrates that an enforceable regulatory order

mandated that Company management and the Board implement and monitor

Facebook’s compliance with specifically identified and detailed data privacy

procedures.147 Lest there be any doubt about whether the Board was aware of the

specific requirements of the Consent Decree, the document itself makes clear that it

is to be “deliver[ed] . . . to . . . all current and future principals, officers, directors,

and managers[.]”148 While there is certainly room to defend the claim, there is some

evidence the Board knew of the Company’s obligations to implement data security


145
      Id.
146
      JX 103 at 72.
147
   JX 1. The Consent Decree explicitly requires Facebook “and its representatives” to
“disclose to [Facebook’s] users . . . the categories of nonpublic user information that will
be disclosed to such third parties[,]” “the identity or specific categories of such third
parties” and “obtain the user’s affirmative express consent.” Id. Facebook “and its
representatives” must also “implement procedures reasonably designed to ensure that
covered information cannot be accessed by any third party from servers under [Facebook’s
control[.]” Id. And Facebook must “establish and implement, and thereafter maintain, a
comprehensive privacy program[.]” Id. at § II.
148
      JX 1 at § VII.

                                             40
measures, knew the Company had not implemented or maintained those measures

as required by the Consent Decree and, nevertheless, condoned the Company’s

monetization of its users’ private data in violation of the Consent Decree.149

       The Consent Decree was an affirmative obligation imposed on the Company

much like positive law. The legal academy has observed that Delaware courts are

more inclined to find Caremark oversight liability at the board level when the

company operates in the midst of obligations imposed upon it by positive law yet

fails to implement compliance systems, or fails to monitor existing compliance

systems, such that a violation of law and resulting liability occurs.150 Professor


149
    The Parliamentary Report concluded, “[t]he Cambridge Analytica scandal was
facilitated by Facebook’s policies. If it had fully complied with the FTC settlement, it
would not have happened.” JX 103 at 28.
150
    In other words, it is more difficult to plead and prove Caremark liability based on a
failure to monitor and prevent harm flowing from risks that confront the business in the
ordinary course of its operations. Failure to monitor compliance with positive law,
including regulatory mandates, on the other hand, is more likely to give rise to oversight
liability. See James D. Cox & Randall S. Thomas, Corporate Darwinism: Disciplining
Managers in a World with Weak Shareholder Litigation, 95 N.C. L. Rev. 19, 55–56 (2016)
(“Indeed, the division between [In re Massey Energy Co.] and [In re Citigroup Inc.
S’holder Deriv. Litig.] may be that Citigroup involved a challenge to legitimate business
practices, whereas Massey is riveted, as was Caremark, on the directors’ conscious
disregard of the corporation’s adherence with the law when implementing business
strategies . . . . [T]he facts required to satisfy even Massey reflect such an abandonment of
the directors’ monitoring role as to suggest outright complicity in the lawless acts rather
than a want of oversight.”); Donald C. Langevoort, Caremark and Compliance: A Twenty-
Year Lookback, 90 Temp. L. Rev. 727, 735 (2018) (“[T]he moment the board is brought
into the compliance risk discussion, liability exposure increases to at least a small extent,
and Caremark itself no longer sets the applicable standard.”). See also, In re Citigroup
Inc. S’holder Deriv. Litig., 964 A.2d 106, 131 (Del. Ch. 2009) (“There are significant
                                             41
Elizabeth Pollman aptly describes this as a circumstance where the board acts with

“disobedience.”151      Our law does not countenance board level disobedience.

Stated differently,

         Delaware law does not charter law breakers. Delaware law allows
         corporations to pursue diverse means to make a profit, subject to a
         critical statutory floor, which is the requirement that Delaware
         corporations only pursue “lawful business” by “lawful acts.” As a
         result, a fiduciary of a Delaware corporation cannot be loyal to a
         Delaware corporation by knowingly causing it to seek profit by
         violating the law . . . . Telling your parents that all the kids are getting
         caught shoplifting, cheating, or imbibing illegal substances is not,
         fortunately, a good excuse. For fiduciaries of Delaware corporations,
         there is no room to flout the law governing the corporation’s affairs.
         If the fiduciaries of a Delaware corporation do not like the applicable
         law, they can lobby to get it changed. But until it is changed, they must

differences between failing to oversee employee fraudulent or criminal conduct and failing
to recognize the extent of a Company’s business risk.”); In re Goldman Sachs Gp., Inc.
S’holder Litig., 2011 WL 4826104, at *21 (Del. Ch. Oct. 12, 2011) (“As a preliminary
matter, this Court has not definitively stated whether a board’s Caremark duties include a
duty to monitor business risk.”); Asbestos Workers Local 42 Pension Fund v. Bammann,
2015 WL 2455469, at *14 (Del. Ch. May 22, 2015) (“It is not entirely clear under what
circumstances a stockholder derivative plaintiff can prevail against the directors on a theory
of oversight liability for failure to monitor business risk under Delaware law; the Plaintiff
cites no examples where such an action has successfully been maintained.”) (emphasis in
original); Reiter on Behalf of Capital One Fin. Corp. v. Fairbank, 2016 WL 6081823, at
*8 (Del. Ch. Oct. 18, 2016) (“In applying the Caremark theory of liability, even in the face
of alleged red flags, this Court has been careful to distinguish between failing to fulfill
one’s oversight obligations with respect to fraudulent or criminal conduct as opposed to
monitoring the business risk of the enterprise.”); Okla. Firefighters Pension & Ret. Sys. v.
Corbat, No. 12151, 2017 WL 6452240, at *18 (Del. Ch. Dec. 18, 2017) (“Banamex made
a risky business decision that turned out poorly for the company. That suggests a failure
to monitor or properly limit business risk, a theory of director liability that this Court has
never definitively accepted. Indeed, evaluation of risk is a core function of the exercise of
business judgment.”).
151
      Elizabeth Pollman, Corporate Disobedience, 68 Duke L.J. 709, 756 (2019).

                                             42
         act in good faith to ensure that the corporation tries to comply with its
         legal duties.152

         Plaintiffs have presented a credible basis to infer that the Board acted with

disobedience by allowing Facebook to violate the Consent Decree. They are entitled

to inspect books and records to investigate that potential wrongdoing.

         Third, Plaintiffs point to information released to the public sphere since they

initiated their Demand indicating that a key component of Facebook’s business plan

was to monetize access to user data through agreements with partners based on

“reciprocity,” even after entering into the Consent Decree.153 Facebook’s long-term

business model was to “go with full reciprocity and access to app friends,”

permitting business partners to obtain full information from users, including the

user’s Facebook friends.154 There is some evidence Facebook whitelisted these

business partners, giving them unauthorized access to the Facebook platform and

Facebook’s user data for a substantial fee.155 All the while, its users were left in the

dark.156


152
    In re Massey Energy Co., 2011 WL 2176479, at *20–21 (Del. Ch. May 31, 2011)
(internal footnote omitted) (Strine, V.C.).
153
      JX 103 at 26–28.
154
      Id. at 35–36.
155
      JX 3–5, 7–9, 12, 21–22, 26; JX 103 at 29–31.
156
   JX 103 at 30 (“Apps were able to circumvent users’ privacy of platform settings and
access friends’ information, even when the user disabled the Platform.”).

                                             43
            Fourth, Plaintiffs presented a credible basis to infer the Board knew the

Company was allowing unauthorized third-party access to user data. The New York

Times reported Erskine Bowles, chairman of the Audit Committee, received a report

from Stamos, then Chief Information Security Officer, and Colin Stretch,

Facebook’s General Counsel, about Russian interference with the Facebook

platform and potential data privacy violations.157        On the same day, Bowles

questioned Zuckerberg and Sandberg at a full Board meeting regarding the extent to

which they, and other Facebook senior management, had been transparent with the

Board regarding data privacy issues.158 At that meeting, Stamos expressed concerns

that the Company had not monitored the protection of user data carefully, prompting

Sandberg, as noted above, to accuse Stamos of “throw[ing] us under the bus!”159

According to The New York Times, the Company’s failure adequately to address data

privacy ultimately led Whatsapp co-founder, Jan Koum, to resign from the Board.160




157
   JX 82 at 9–10. The Board also received a presentation on the results of an audit
regarding privacy and data use. PX 16 at 34; PX 22 at 21–23.
158
      JX 82 at 9–10.
159
      Id.
160
   JX 57. See In re Plains All Am. Pipeline, L.P., 2017 WL 6066570, at *3–4 (Del. Ch.
Aug. 8, 2017) (ORDER) (newspaper article deemed reliable evidence to support
stockholder’s showing of a credible basis to suspect wrongdoing for purposes of Section
220); Paul v. China MediaExpress Hldgs., Inc., 2012 WL 28818, at *4 (Del. Ch. Jan. 5,
2012) (same).

                                            44
         Fifth, Plaintiffs have provided evidence that multiple regulatory authorities

have opened investigations into Facebook’s data privacy lapses.161 Perhaps most

troubling, following the Cambridge Analytica breach, the FTC opened an

investigation to determine the extent to which Facebook violated the Consent

Decree.162 News outlets have recently reported the investigation could result in a

multibillion dollar fine against Facebook––the largest fine ever imposed by the

FTC.163

         After the Cambridge Analytica scandal, the ICO fined Facebook the

maximum fine permitted under British law, £500,000, for permitting third party

developers to access user information without sufficient consent.164 In addition, the

Parliamentary Report revealed the ICO concluded that Facebook’s “business




161
   As noted, the FBI, DOJ and SEC have all opened independent investigations into the
Company stemming from its data privacy violations. JX 68. See Freund v. Lucent Tech.,
2003 WL 139766, at *3 (Del. Ch. Jan. 9, 2003) (finding that a Securities and Exchange
Commission investigation, financial restatements and pending civil suits comprised a
“record [that] adequately supplies ‘some credible basis’ to support an inference of waste
or mismanagement[.]”) (citing Sec. First Corp. v. U.S. Die Casting & Dev. Co., 687 A.2d
563, 567 (Del. 1997)).
162
      JX 51, 52.
163
      JX 102.
164
      JX 78.

                                           45
practices and the way applications interact with data on the platform have

contravened data protections law.”165

         Finally, Facebook is subject to numerous lawsuits based on the same

underlying misconduct.166 These complaints further support Plaintiffs’ credible

basis to infer wrongdoing.167

         In light of the low Section 220 evidentiary threshold, I am satisfied Plaintiffs

have proven “legitimate issues of wrongdoing.”168 Stated differently, Plaintiffs have

presented some evidence that Facebook’s directors and officers may have breached

their Caremark duties, particularly in light of the Consent Decree in place at the time

of most of the data privacy breaches alleged in this action.169 Accordingly, they have


165
      JX 103 at 23.
166
      Supra note 104 and accompanying text.
167
    See Elow v. Express Scripts Hldg. Co., 2017 WL 2352151, at *6 (Del. Ch. May 31,
2017) (“[P]leadings in [a private suit against defendant], coupled with the statements made
by [defendant’s] management, are enough to meet the ‘lowest burden of proof’ set by
Delaware law.”) (citing Seinfeld, 909 A.2d at 123); UnitedHealth, 2018 WL 1110849, at *7
(finding credible basis to suspect wrongdoing was evidenced by the contents of a complaint
against the company brought on behalf of the Department of Justice).
168
   Sec. First Corp., 687 A.2d at 568 (“[T]he threshold may be satisfied by a credible
showing, through documents, logic, testimony or otherwise, that there are legitimate issues
of wrongdoing.”).
169
    Given my finding that Plaintiffs have presented some evidence of Board level
knowledge of Facebook’s failure to implement data protection measures, and of the
Board’s failure to monitor what measures were in place, I decline to address Plaintiffs’
argument that the “core operations doctrine” should be applied to infer Board level
knowledge and involvement. See In re Fitbit, Inc. S’holder Deriv. Litig., 2018
WL 6587159, at *15 (Del. Ch. Dec. 14, 2018), appeal refused, 2019 WL 190933 (Del. Ch.
                                              46
demonstrated a proper purpose to inspect certain documents related to this potential

wrongdoing.170

       Having demonstrated a credible basis to investigate wrongdoing in connection

with Facebook’s protection of data privacy, Plaintiffs have also supported their

Demand to inspect books and records relating to director independence. Should

stockholders elect to pursue claims against Facebook fiduciaries arising from the

data privacy breaches, those claims most likely would be derivative claims asserted

on behalf of the Company. It is well settled that the desire to investigate director

independence is a proper purpose, particularly in instances where the stockholder

seeks to investigate whether demand upon the board to pursue claims on behalf of

the company would be futile.171


Jan. 14, 2019) (denying a motion to dismiss based on the core operations doctrine and
“well-pled facts” that the Board and management would have been aware of problems
encountered in the development of a new product that was responsible for a substantial
portion of the company’s revenue).
170
   Facebook cites Marathon P’rs, L.P. v. M&F Worldwide Corp. to argue that Plaintiffs
have presented only “speculation of mismanagement.” 2004 WL 1728604, at *7 (Del. Ch.
July 30, 2004). Marathon is distinguishable on its facts, as the plaintiff there suspected the
directors breached their Revlon duties when they rebuffed a single overture by a potential
acquirer outside of any bidding process. Id. Unlike Marathon, this case involves a
company that was under a positive obligation to implement certain data privacy protections
and some evidence that the levers of control within the Company may have failed to
oversee compliance with those obligations in a manner that has caused harm to the
Company.
171
   Our courts regularly find that a stockholder states a proper purpose when he seeks to
investigate director independence and disinterestedness as he investigates possible
derivative claims. See, e.g., Amalgamated Bank v. Yahoo!, 132 A.3d at 784–85
(“[T]he Delaware Supreme Court has indicated that a plaintiff could obtain ‘a file of the
                                             47
      C. The Effect of Plaintiffs’ Ever-Changing Demand

          Plaintiffs’ have reshaped their requests to inspect books and records from their

initial Demand, through the parties’ meet and confer sessions, the pre-trial

stipulation, Plaintiffs’ pre-trial brief and, finally, trial. This metamorphosis has

confounded the Court’s analysis and justifiably frustrated the Company. 172

A stockholder’s right to inspect books and records must be balanced against the

corporation’s right to be apprised of what the stockholder is asking for and why.173

          In Fuchs Family Trust v. Parker Drilling Co., the court denied the plaintiff’s

demand for inspection, partly because its late-term modification of the demand was

prejudicial to the defendants.174 There, the plaintiff’s initial demand letter sought

eight categories of documents and described its purpose as the investigation of

possible mismanagement and violation of law by the company. 175 In its complaint,


disclosure questionnaires for the board’ or similar materials that could ‘provide more detail
about the thickness of the relationship[s]’ in the boardroom.”) (citing Del. Cty. Empls.’ Ret.
Fund v. Sanchez, 124 A.3d 1017, 1024 (Del. 2015)).
172
   I say metamorphosis rather than evolution because there has been no linear progression
in Plaintiffs’ requests for books and records; they have expanded and contracted with no
apparent pattern.
173
    Thomas & Betts Corp. v. Leviton Mfg. Co., 681 A.2d 1026, 1031 (Del. 1996)
(“Undergirding this discretion [to determine the scope of inspection] is a recognition that
the interests of the corporation must be harmonized with those of the inspecting
stockholder.”).
174
      Fuchs Family Tr. v. Parker Drilling Co., 2015 WL 1036106 (Del. Ch. Mar. 4, 2015).
175
      Id. at *3.

                                             48
the plaintiff modified its purpose and narrowed the scope of its demand.176 The

demand changed again eight days before trial and after both parties had filed pre-

trial briefs, when the plaintiff “updated” the demand by substantially broadening the

scope of the documents requested.177 The court refused to enforce the eleventh-hour

update upon finding the defendant had been prejudiced by the moving targets set by

the plaintiff:

          Given the circumstances, [the plaintiff’s] late attempt to expand its
          inspection must be rejected.          ‘Strict adherence to the section
          220 procedural requirements for making an inspection demand protects
          the right of the corporation to receive and consider a demand in proper
          form before litigation is initiated.’ [The defendant’s] right to
          consider [the plaintiff’s] demand properly would be substantially
          impaired by forcing it to adapt its response and defense to [the
          plaintiff’s] evolving requests.178
The court then rejected the plaintiff’s effort to enforce its demand after finding the

books and records plaintiff sought were not “necessary and essential” to fulfill its

stated purpose.179 Other decisions of this court are in accord.180


176
      Id. at *3–4.
177
      Id. at *4 (emphasis in original).
178
    Id. (“Even beyond concerns related to Section 220’s requirements, forcing [the
defendant] to defend against issues raised only a week before trial would be at odds with
fundamental fairness.”).
179
      Id. at *7.
180
   See, e.g., Beatrice Corwin Living Irrevocable Tr., 2016 WL 4548101, at *7 (denying
plaintiffs’ Section 220 demand because it “was not clearly made until after trial” and
refusing plaintiffs’ attempts to expand the scope of their demand by adding participants in
the alleged mismanagement and a new theory because the attempted expansions came too
                                            49
       While Plaintiffs’ lack of precision in formulating its Demand, particularly

with respect to the scope of documents requested, has provoked justified frustration

and has questions regarding possible abuse of the Section 220 process, I am satisfied

there has been no such abuse here. Plaintiffs’ stated purposes for inspection have

remained constant throughout the various iterations of their Demand. And their lack

of focus regarding the documents they seek, while unfortunate, does not evidence a

lack of good faith. In my view, the proper approach here is to hold Plaintiffs to the

request for documents as stated in the Pre-Trial Order, a request that was refined by

the parties’ several meet and confer sessions.181 This is the version of the Demand

that Defendants addressed in their pre-trial brief and at trial. The scope of documents

requested in that version, therefore, has been properly joined for decision.




late); Highland Select Equity Fund, L.P. v. Motient Corp., 906 A.2d 156, 167 (Del. Ch.
2006) (holding the plaintiff’s multiple amendments to its demand reflected a lack of
precision that, in turn, suggested the plaintiff had not articulated a proper purpose in the
first place). But see Apogee Invs., Inc. v. Summit Equities LLC, 2017 WL 4269013, at *4
(Del. Ch. Sept. 22, 2017) (granting plaintiff’s motion for leave to amend its demand—after
plaintiff had already modified the scope of its demand on several occasions—and rejecting
the defendant’s argument that the amendment reflected a “creeping expansion” of claims
on the eve of trial, and would have the same prejudicial effect on the defendant as identified
in Fuchs Family). In Apogee, the court explained that, unlike in Fuchs Family, where the
plaintiff broadened its demand after both parties had filed opening pre-trial briefs, and eight
days before trial, the “trial in this case is weeks away, pretrial briefing has not yet taken
place, and [the defendant] has been aware of the mismanagement and party loan purposes
since at least December 2016.” Id.
181
  PTO ¶ 18, 19. See Apogee, 2017 WL 4269013, at *4 (enforcing post-litigation demand
upon finding that the Company had been given an adequate opportunity to respond to it).

                                              50
      D. Scope of Production

         Plaintiffs seek to inspect seven categories of books and records they claim

“address the crux” of their stated purposes.182            Some of these materials are

“necessary and essential”; others are not.183 Specifically, I am satisfied that the

following categories of non-privileged documents184 relating to the following topics

(the “Ordered Documents”) are “necessary and essential” to pursue Plaintiffs’ proper

purposes and should be produced:

         (1) Hard-copy documents provided to, or generated by, the Board
             relating to investigations conducted by the FTC, DOJ, SEC, FBI and
             ICO regarding Facebook’s data privacy practices (“Investigation
             Documents”);
         (2) Facebook’s formally adopted policies and procedures respecting
             data privacy and access to user data, including those promulgated
             following the entry of the Consent Decree (“Policies and
             Procedures”);

  Pls.’ Pre-Trial Br. 27 (quoting Wal-Mart Stores, Inc. v. Ind. Elec. Works Pension Tr.
182

Fund IBEW, 95 A.3d 1264, 1271 (Del. 2014)).
183
      Wal-Mart Stores, 95 A.3d at 1278 (discussing the “necessary and essential” standard).
184
   Plaintiffs have invoked the so-called Garner exception to the attorney-client privilege
as a basis to defeat the Company’s assertion of privilege. See Garner v. Wolfinbarger,
430 F.2d 1093, 1104 (5th Cir. 1970) (listing “good-cause” factors that would justify an
exception to the privilege asserted by a fiduciary in response to a stockholder’s request for
documents). This exception is “narrow, exacting, and intended to be very difficult to
satisfy.” Wal-Mart Stores, 95 A.3d at 1278. Plaintiffs have not met their heavy burden
under Garner because, on this record, they have not demonstrated that the privileged
information they seek “is both necessary to prosecute the action and unavailable from other
sources.” Buttonwood Tree Value P’rs, L.P. v. R.L. Polk & Co., 2018 WL 346036, at *4
(Del. Ch. Jan. 10, 2018). This is “the most important of the Garner factors. See id. at *3,
*5 n.24 (declining to apply Garner where necessity/unavailability factor not met even
though the other two principal factors were satisfied); Elow v. Express Scripts Hldg. Co.,
2018 WL 2110946, at *2 (Del. Ch. Apr. 27, 2018) (same).
                                              51
       (3) Facebook’s Atlas (SOC1 & SOC 2/3), Custom Audience (SOC 2/3)
           and Workplace (SOC 2/3) audits performed on behalf of the
           Company, and any other formal internal audits performed regarding
           compliance with Facebook formal data privacy policies and
           procedures or with the Consent Decree (“Audit Documents”);
       (4) documents concerning the independence of Facebook’s directors
           and committees of the Board, particularly the Board disclosure
           questionnaires (“Independence Documents”); and
       (5) electronic communications, if coming from, directed to or copied to
           a member of the Board, concerning Facebook’s post-Consent
           Decree whitelist practices, post-Consent Decree government
           investigations into Facebook’s data privacy practices and
           compliance with the Consent Decree, to be collected from the
           following custodians: Erskine B. Bowles, Sheryl Sandberg, Alex
           Stamos, and Mark Zuckerberg (“Communication Documents”).185



185
     Plaintiffs have presented evidence that Board members were not saving their
communications regarding data privacy issues for the boardroom. See JX 103 at 24, 30–
36 (Parliamentary Report found emails from Zuckerberg, Sandberg and other senior
management relating to the extent to which Facebook was complying with data privacy
laws and relating to the scope of its whitelisting agreements); JX 3, 4, 5 (emails among
executives and Board members discussing Zuckerberg’s plan to monetize user data within
the Facebook platform). See Yahoo!, 132 A.3d at 791–94 (ordering the production of
electronic documents and emails because they were “corporate records” that would “show
what [key players] knew and when”); KT4 P’rs, 203 A.3d at 754–55 (reversing trial court
for not ordering production of emails upon finding the plaintiff had presented evidence that
board members were communicating by email regarding the subjects of the stockholder’s
investigation and defendant had “not buttressed its claims [that emails were not necessary]
with any evidence that other materials would be sufficient to accomplish [the
stockholder’s] purpose.”). Here, Plaintiffs’ Demand sought Board level documents
concerning Facebook’s compliance with the Consent Decree and response to government
investigations into Facebook’s data privacy practices. In response, Facebook produced a
compilation of highly redacted Board minutes that contain essentially no information
regarding the relevant subjects. See, e.g., PX 1–22. When considered against the backdrop
of the evidence of Board level email communications Plaintiffs have introduced in this
record, the Company’s production of redacted Board minutes hardly “buttresses” its claim
that these books and records are sufficient “to accomplish [Plaintiffs’] purpose.” KT4 P’rs,
203 A.3d at 754–55.

                                            52
       Because many of Plaintiffs’ document demands landed with the precision of

buckshot,186 I have tailored the inspection award to the purposes articulated in their

inspection Demand. Thus, I have denied Plaintiffs’ request for correspondence with

the FTC at or near the time the Consent Decree was entered because those documents

are far removed from what Plaintiffs seek to investigate now. I have similarly denied

Plaintiffs’ request for documents relating to “third party access to and handling of

Facebook user data, including agreements with other companies regarding the same”

beyond any such documents that might be within the Ordered Documents. The full

breadth of the third-party documents Plaintiffs seeks extend far beyond what is

necessary and essential.187 Also, except for the Policies and Procedures and Audit

Documents, I have limited the scope of production to Board-level documents (and

communications) because management-level communications are not, on this

record, necessary and essential to Plaintiffs’ investigation of their Caremark-based

claims. Finally, I have limited the custodians from whom the Company must collect

electronic communications to comport with the evidence in the record, or lack of




186
    Id. at 776 (“The production order ‘must be carefully tailored.’ Framed metaphorically,
it should be ‘circumscribed with rifled precision’ to target the plaintiff’s proper purpose.”)
(quoting Sec. First, 687 A.2d at 565, 570).
187
   Cook v. Hewlett-Packard Co., 2014 WL 311111, at *5 (Del. Ch. Jan. 30, 2014) (holding
that Section 220 demands should not amount to “fishing expeditions”).

                                             53
evidence, regarding the role of specific Facebook executives in the Company’s post-

Consent Decree data privacy compliance.188

         While the temporal scope of discovery should a derivative claim be brought

may well be broader, I am satisfied that Plaintiffs’ demand for documents dating

back to 2011 is too broad for a Section 220 inspection.189 Claims relating to conduct

in 2011, or conduct giving rise to the Consent Decree, likely would be time-barred.190

Moreover, the Cambridge Analytica events primarily took place in 2014 and 2015.191

And, importantly, the original Demand sought documents for a “period February 3,

2017 to present.”192 With these facts in mind, I am satisfied the scope of production

of Communication Documents, for reasons of burden and expense, and Investigation


188
   I have also removed Facebook’s General Counsel, Colin Stretch, as a custodian both
because Plaintiffs have failed to demonstrate that his documents are essential to accomplish
their purpose and also to minimize the extent of post judgment privilege disputes. See Sec.
First Corp., 687 A.2d at 569 (holding that Section 220 plaintiff must show by a
preponderance of the evidence “that each category of books and records is essential to the
accomplishment of the stockholder’s articulated purpose for the inspection.”).
189
   See, e.g., Okla. Firefighters Pension & Ret. Sys. v. Citigroup Inc., 2015 WL 1884453,
at *7 & n.61 (Del. Ch. Apr. 24, 2015) (“substantially narrow[ing]” the starting date for
defendant to produce documents to 2011, where plaintiffs requested materials from 2008);
UnitedHealth, 2018 WL 1110849, at *10 (holding that Section 220 demand seeking
documents over an eight year span too broad.).
190
    See Graulich, 2011 WL 1843813, at *1, *6 (finding derivative claims resulting from
Section 220 action investigating possible corporate mismanagement from 6–8 years prior
to the demand would likely be time-barred).
191
      See JX 45; JX 46.
192
      Compl. Ex. A at 6.

                                            54
Documents, for reasons of temporal relevance and burden, should be limited to the

time specified in the original Demand—February 3, 2017 to present. As for the

Audit Documents, the scope of production shall be from January 2013 to present, in

order to capture a time just prior to the Cambridge Analytica breach and far enough

removed from the Consent Decree that the Company’s compliance with the privacy

program and third-party audit requirements of that mandate should have been

evident. As for the Policies and Procedures, the scope of production shall be from

January 2013 to present, not only to capture the time prior to the Cambridge

Analytica breach but also to reveal the Company and the Board’s response to the

Consent Decree.       Finally, as for the Independence Documents, the scope of

production will be limited to the most recent Board questionnaires given that the

Board’s independence for demand futility purposes will be measured as of the time

the complaint alleging demand futility is filed.193

                                 III.   CONCLUSION

       For the foregoing reasons, a judgment shall be entered in favor of Plaintiffs

that directs Facebook to allow inspection of the books and records designated in this




193
   See Rales v. Blasband, 634 A.2d 927, 934 (Del. 1993) (“[A] court must determine
whether or not the particularized factual allegations of a derivative stockholder complaint
create a reasonable doubt that, as of the time the complaint is filed, the board of directors
could have properly exercised its independent and disinterested business judgment in
responding to a demand.”) (emphasis supplied).

                                             55
Memorandum Opinion. The parties shall confer and submit a joint proposed

implementing order and final judgment within fifteen (15) days.




                                        56
