A Nielsen shareholder has sued the company and its CEO and CFO for damages, alleging that it made misleading statements about its GDPR readiness.
Arun Bhattacharya took the case to the District Court for the Southern District of New York last week, claiming that shareholders were misled by statements made in conference calls and via press releases and other documents.
The statements are said to have covered both the preparedness of the company to comply with the regulation and whether it would affect Nielsen’s ability to access third-party data from Facebook and other firms which it relies on to generate its own metrics.
According to the filing, these included: “GDPR, we’ve been focused on this for some time … We’re ready. And we don’t see any significant impact for our … business.”
Another noted: “We’ll still have access to all the data that we’re going to need for our products. So yes, we’re in good shape.”
However, despite these assurances, Nielsen then blamed the GDPR for poor Q2 financials this year, according to the complaint.
It claimed the firm “significantly missed” its public net income and free cash flow estimates “by a wide margin.”
“Our results are significantly below our expectations as revenues were impacted by GDPR and changes to the consumer data privacy landscape. We have several hundred clients and data partners in this space, and market changes have been disruptive,” Nielsen also said at the time.
The subsequent 25% drop in share price in July damaged shareholders, it is alleged.
Bhattacharya is seeking damages for violation of Section 10(b) and Rule 10b-5 of the Securities Exchange Act as well as certification of a Class Action pursuant to Rule 23 of the Federal Rules of Civil Procedure.
It’s another example of the long reach of the GDPR: firms not only have to get their data protection house in order but also have to follow the law’s principles of accountability and transparency, or risk the consequences.
Rashmi Knowles, field CTO EMEA at RSA Security, claimed the floodgates are now open for shareholder legal action against firms they feel have let them down over GDPR compliance.
“As such, it’s a final warning to all organizations that securing personal data is no longer just the responsibility of the IT team, but a board level issue that impacts every aspect of a company from profitability to shareholder confidence,” she added.
“Organizations need to effectively manage digital risk by regularly asking a few critical questions. Do you have a clear understanding of what the data is, where it is and what it is used for? Have you taken a risk-based approach to categorizing the data, so that you know where the most high-risk assets reside? This is important as it informs how you go about protecting that data. When it comes to protection itself, you need to check that your data is protected from hackers externally and employees internally, with appropriate security technologies, data encryption and access permissions.”