This post was also written by David Z. Smith.

On August 29, 2011, a Google shareholder filed a derivative action against the company’s directors stemming from Google allegedly allowing and supporting Canadian and other foreign pharmacies to advertise and ship prescription drugs to American consumers through Google’s AdWords advertising program in violation of U.S. law. The lawsuit comes on the heels of the announcement days earlier of a $500 million settlement between Google and the U.S. Department of Justice over an investigation of those same advertising practices. Google’s AdWords program displays sponsored advertisements in response to specific searches entered into Google’s search function. AdWords not only allows advertisers to target certain search terms, but to geo-target the searchers, so that certain advertisements will only appear for search terms entered by individuals within a certain geographic location. Plaintiff thus alleges that the directors breached their fiduciary duties and wasted corporate assets by, among other things, failing to ensure that Google had proper internal controls that would have prevented Canadian pharmacies from geo-targeting U.S. citizens with advertisements for prescription drugs.

This lawsuit is the latest in a growing line of derivative and securities fraud complaints based on alleged lack of internal controls over data security and privacy. In past cases, companies such as Heartland Payment, ChoicePoint, TJX, and more recently, Sony, have all been sued for allegedly failing to develop and maintain an adequate security environment, thereby allowing consumers’ private information to be exposed and forcing the companies to expend scarce corporate resources to prevent litigation losses or further reputational hits. The Google case shows that companies not only face the risk of derivative or securities fraud actions over the failure to protect consumers’ data, but may also be forced to defend any failures to control how their systems are used (or possibly misused) by a third-party to target consumers they should not be allowed to target. With the increasing sensitivity over on-line data security and privacy, and growing public awareness of web/search advertising functionalities such as AdWords or sites that allow third-party communication and geo-location check-ins (like social media sites), these lawsuits are likely to become more frequent. Such cases also deliver a fresh reminder to senior management of how strong privacy compliance programs and practices have come to be regarded as a critical component of good corporate governance and behavior.