It’s becoming increasingly clear that Facebook will not emerge unscathed from the Cambridge Analytica scandal. Facebook has already warned investors that it could be facing an FTC fine of anywhere from $3 billion to $5 billion. Moreover, anonymous sources with insider knowledge of the upcoming Facebook settlement with the Federal Trade Commission suggest that Facebook could be forced to create a new privacy oversight review board that would report to the FTC. In addition, CEO Mark Zuckerberg might be asked to designate himself as the head compliance officer at the company, thereby forcing him to take personal responsibility for the ongoing privacy and user data breaches at the social networking site.
Details of the potential FTC fine
The FTC has not formally announced the final details of its enforcement actions against Facebook, but people familiar with the negotiations between the United States government and the Silicon Valley giant say that, at a minimum, the FTC fine will be north of $1 billion. That would easily make it the single biggest penalty ever levied against a tech company for user data and privacy breaches. By way of comparison, the FTC previously set a record by fining Google $22.5 million for privacy breaches related to the Apple Safari browser. Thus, an FTC fine of $1 billion would be truly unprecedented. Although, in the annals of regulatory enforcement actions, it would still pale in comparison to the $16.7 billion fine that the U.S. Justice Department levied against Bank of America, or the more than $15 billion fine that the EU levied against Apple.
Dan Tuchler, CMO at SecurityFirst, commented on the size of the FTC fine and what it means, “Facebook has reported that it may be fined as much as $5 billion by the FTC for privacy violations. That’s the FTC, and there may be additional exposure internationally, including the GDPR in the EU, which has been increasing its aggressive stance on fines for privacy violations. Is this the new business normal – should business plans include money set aside for these types of fines? No, this is bad business. Organizations should take data privacy seriously and take the steps necessary to keep the trust of their users, by doing a comprehensive survey of their security practices and then filling the gaps. Strong security products exist and should be put in place. Organizations like Facebook owe this to their shareholders, but more importantly to their users.”
Facebook has taken the extraordinary steps to brace for imminent impact from regulatory action. When it released its latest quarterly earnings, CEO Mark Zuckerberg specifically noted that he was setting aside $3 billion to deal with the problem. And, in past months, Zuckerberg and his executive team have sounded a much more conciliatory note, clearly eager to limit the extent of the damage and move on with business as usual in the wake of the Facebook settlement.
Key privacy provisions of the upcoming Facebook settlement
Clearly concerned that Facebook might be in violation of its 2011 consent decree, the FTC is working on a range of possible options for its final Facebook settlement that would limit Facebook’s ability to abuse user privacy. One option on the table is the creation of new privacy-related positions, including a new privacy oversight committee that would have at least one member (the “external assessor”) who would report directly to the FTC. This privacy committee would meet quarterly and provide updates on the latest privacy initiatives at the social media giant.
Colin Bastable, CEO of Lucy Security, notes that Facebook needs to be thinking more about addressing structural problems rather than just paying off fines, ”The problem with fines is that they go to the government, which is a poor custodian of money, and not to the victims. Facebook should be compensating the victims of its laxity. Congress needs to establish in law that citizens own their personal data and that social media companies should not or store it without consent and appropriate security, nor exploit it without due compensation, and must compensate those whose data is negligently leaked. These breaches were avoidable – the technology, competence and processes to prevent them are commonplace.”
Potential implications of the Facebook settlement
You might think that a company facing a multibillion fine and under a swirling cloud of controversy all over the world would be facing some very distraught investors. Yet, Wall Street investors barely flinched at the potential size and scope of the Facebook settlement. In fact, Facebook shares actually went up 5 percent on the news that the company was preparing for an FTC fine anywhere from $1 billion to $5 billion. After hours trading in the stock of the Silicon Valley company was strong after the news broker, and investors have generally taken a bullish stance on the future at Facebook, even with an FTC fine and Facebook settlement looming on the horizon.
One big reason for the optimism on the part of investors is that the long term picture for Facebook still looks rosy. The latest quarterly earnings report was stellar, and it appears that all of the latest privacy scandals (including any fallout from the Cambridge Analytica scandal) have barely dented Facebook’s business model. For example, Facebook actually reported a 26 percent increase in revenue on a year-over-year basis for a total of $15 billion in revenue. And the number of monthly active users and daily active users T Facebook is on the rise. A reported 2.7 billion people use Facebook (and its various properties, such as WhatsApp and Instagram) at least once every month, and an extraordinary 2.1 billion people use at least one of these services every day.
Moreover, taking a big picture view, an FTC fine of $3 billion as part of a final Facebook settlement is really just a drop in the bucket for Facebook. The number might sound massive, but it is really just 6 percent of all cash and marketable securities that the company has on hand. And the fact that Facebook just reported revenue of $15 billion for a single quarter suggests that Facebook is in a strong position to weather a hefty FTC fine. One anonymous report cited by the Washington Post, in fact, suggested that CEO Mark Zuckerberg might intentionally be lowballing the FTC. By constantly repeating the figure of “$3 billion to $5 billion,” Zuckerberg is making it much harder for the FTC to go beyond that number in its Facebook settlement.
A worst-case scenario for Facebook
So what would it really take to hurt Facebook and force the social network to take user privacy seriously? One suggestion mentioned by privacy advocates is a restructuring of the company. In short, only the complete dismantlement of the company, in which Facebook breaks apart its Instagram and WhatsApp businesses, and operates all of them as separate companies, will satisfy some detractors of Facebook.
But does the FTC have the power and authority to do this? As the primary consumer protection agency in the nation, the FTC has the ability to assess fines against companies that are harming the interests of consumers. However, actually breaking apart a company would also require the involvement of the U.S. Justice Department.
Paul Bischoff, privacy advocate at Comparitech.com, noted the importance of holding tech companies like Facebook accountable: “It’s a good idea to hold tech companies accountable when they fail to adhere to their own terms of use. If anyone has the authority to levy a fine against Facebook for privacy violations in the U.S., it would be the FTC. Does Congress instead need to pass a data privacy law? Many states are moving forward with their own privacy laws, but at this point some federal regulation seems inevitable.”
Holding tech companies accountable
The writing is on the wall for tech companies, and especially for companies like Facebook and Google that have a track record of playing fast and loose with user privacy and exerting leverage on business partners via the withholding of user data. Once the size of the FTC fine has been finalized, and once we know the full extent of the Facebook settlement, it will be possible to see whether regulators are really holding tech compan“Facebook, Data Breach, Cambridge Analytica”