Meta (formerly Facebook) has been hit with a revived class action shareholder suit stemming from its involvement with Cambridge Analytica, a firm that infamously mined Facebook user data for hyper-targeted political engagement. The 9th U.S. Circuit Court of Appeals in San Francisco restored shareholders’ claims that Meta falsely stated that user data “could” be compromised, even though the company was already aware that the UK-based consulting firm Cambridge Analytica had violated its privacy policies. The breach, first publicly reported in 2015, reportedly compromised 87 million Facebook users’ data. The lawsuit was first filed in 2018, and Meta has already paid over $5 billion in penalties to U.S. authorities over the Cambridge Analytica scandal and $725 million to settle a lawsuit by Facebook users. The court’s opinion relied heavily on 9th Circuit precedent in a similar case brought by shareholders of Alphabet, Google’s parent company. Alphabet had stated that data privacy risks “could” occur when a known breach had already occurred.

This line of cases brings up an interesting new risk factor for companies caught in data breaches: shareholder suits brought for loss in valuation caused by a company’s mismanaged security. Shareholder suits join regulatory enforcement actions and consumer class actions as major risks and potential expenses following a data breach – not to mention the cost of incident response, remediation, and ransom payments in cases of ransomware. Companies, particularly those that collect personal information and publicly listed companies, should keep these considerable knock-on costs in mind when considering what resources to devote to cybersecurity and incident preparedness.