It is difficult to believe that Facebook will be able to claim compliance with privacy requirements any time soon. The gaps in security controls and the lack of oversight of third-party developers are not a small undertaking to fix. Let us not forget that Facebook engaged in willful neglect by ignoring compliance with regulations and laws, and deliberately deceived consumers about the level of control they had over their personal data. Despite the fact that willful neglect opens the door to criminal offenses, surprisingly no litigation against Facebook management has taken place.
It’s apparent that Facebook’s lack of strong policies, compliance due diligence and commitment has led to fine after fine and a reputational impact that will last for many years. Unfortunately, before the privacy tidal wave hit, most fines were minimal and not well publicized, and consumers were not as aware of their privacy rights as they are today. Fortunately for users, that easy path has ended – fines are now as high as billions of dollars, with global visibility and impact.
How will this impact Facebook?
Financially? No major impact since the latest FTC fine was less than a third of Facebook’s profit for a single quarter. But will Facebook survive more embarrassing and costly exposures like this one? I doubt it – just look at the backlash and privacy concerns when Facebook announced plans for its own cryptocurrency, Libra. The lack of user trust could end this endeavor before it even gets off the ground.
Privacy – possibly. As a practitioner and a consumer, I am always seeking confirmation that organizations are taking the protection of my personal information seriously. When in doubt, I will leverage any available law or regulation to push for change or simply request my data be removed from all their systems.
With GDPR, the California and Washington state privacy laws, the updated New York state breach reporting law, the brewing New York state privacy law and the federal privacy law awaiting Congress, privacy has become much more important to consumers, and organizations need to keep up with the changing tides.
What action can Facebook take to salvage their reputation?
The FTC settlement mentions quarterly assessments as well as an independent assessor, which is a great start but does not go far enough. Organizations like Facebook move fast; things change regularly. To make sure its policies and compliance keep up with these changes, Facebook must implement a continuous oversight program that can identify risk as it happens and offer near real-time mitigation steps. A mature privacy program requires an up-to-date inventory of all regulation-protected data, knowledge of which controls are required to eliminate risk, and an understanding of how those controls support the privacy policies. I’m certain that if Facebook had any privacy program maturity, they would not be in the spotlight today.
Even in the wake of the record-setting $5 billion fine, we’re all still wondering how seriously Facebook will take the privacy of its users. Consumers, hopefully, are now more aware of their rights, organizations cognizant of the consequences of not taking those rights seriously, and the SEC and FTC attentive and supportive of privacy programs.
High-level privacy action plan:
The plan outlined below is a best-practice approach to ensure ongoing privacy compliance.
- Conduct a complete and thorough personal data inventory:
  - State of the data (use, transmission, storage, etc.)
  - Level of consent acquired for each data element
  - Controls assessment: which controls are effective, and where controls need to be updated or added
  - Mapping of these controls to privacy requirements to ensure compliance
- Conduct a risk assessment against this data on an annual basis
- Establish continuous assurance practices:
  - A group that owns the continuous monitoring and compliance
  - Timely alerting on potential compliance gaps
  - Leverage continuous assurance capabilities to enable proactive measures
- Rinse and repeat
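To make the inventory, control-mapping and continuous-assurance steps of the plan above concrete, here is a small Python model of them. This is example code added to this post, not Facebook's or any regulator's tooling; every data category, control name, consent level and inventory record in it is constructed for illustration, and the requirement table stands in for the mapping a real program would derive from the applicable laws.

```python
from dataclasses import dataclass

# Constructed requirement table: (data category, lifecycle state) -> controls
# that must be in place. A real table comes from the mapping step of the plan.
REQUIRED_CONTROLS = {
    ("contact", "use"): {"purpose_limitation"},
    ("contact", "transmission"): {"tls"},
    ("contact", "storage"): {"encryption_at_rest", "access_logging"},
    ("health", "use"): {"purpose_limitation", "consent_check"},
    ("health", "transmission"): {"tls", "mutual_auth"},
    ("health", "storage"): {"encryption_at_rest", "access_logging", "retention_limit"},
}
# Constructed minimum consent level per category, and an ordering of levels.
MIN_CONSENT = {"contact": "notice", "health": "explicit"}
CONSENT_RANK = {"none": 0, "notice": 1, "explicit": 2}


@dataclass
class Record:
    """One line of the personal-data inventory."""
    element: str           # what is held, e.g. "email"
    category: str          # "contact", "health", ...
    state: str             # "use", "transmission" or "storage"
    consent: str           # consent level actually acquired
    controls: frozenset    # controls currently in place
    owner: str             # group accountable for this data
    third_party: str = ""  # recipient when shared outside the organization


def assess(record):
    """Return the compliance gaps for one record (empty list = compliant)."""
    required = REQUIRED_CONTROLS.get((record.category, record.state))
    if required is None:
        # An unmapped category/state is itself a gap: nobody knows what applies.
        return [f"no requirement mapped for {record.category}/{record.state}"]
    gaps = [f"missing control {c}" for c in sorted(required - record.controls)]
    needed = MIN_CONSENT[record.category]
    if CONSENT_RANK[record.consent] < CONSENT_RANK[needed]:
        gaps.append(f"consent '{record.consent}' below required '{needed}'")
    if record.third_party and "dpa_on_file" not in record.controls:
        gaps.append(f"shared with {record.third_party} without a data processing agreement")
    return gaps


def assess_inventory(inventory):
    """Full pass over the inventory (the annual assessment): element -> gaps."""
    result = {}
    for record in inventory:
        gaps = assess(record)
        if gaps:
            result[record.element] = gaps
    return result


class ContinuousAssurance:
    """Re-assesses each inventory change as it lands and alerts the owning group."""

    def __init__(self, inventory):
        self.inventory = {r.element: r for r in inventory}
        self.alerts = []  # (element, owner, gap) tuples, oldest first

    def update(self, record):
        """Apply one change to the inventory and return the alerts it produced."""
        self.inventory[record.element] = record
        new = [(record.element, record.owner, gap) for gap in assess(record)]
        self.alerts.extend(new)
        return new


# Constructed sample inventory: one compliant record, one third-party share
# without an agreement, one health record with weak consent and a missing control.
SAMPLE_INVENTORY = [
    Record("email", "contact", "storage", "notice",
           frozenset({"encryption_at_rest", "access_logging"}), "growth"),
    Record("email_export", "contact", "transmission", "notice",
           frozenset({"tls"}), "growth", third_party="analytics-vendor"),
    Record("fitness_log", "health", "use", "notice",
           frozenset({"purpose_limitation"}), "wellness"),
]

if __name__ == "__main__":
    for element, gaps in assess_inventory(SAMPLE_INVENTORY).items():
        print(element, gaps)
    ca = ContinuousAssurance(SAMPLE_INVENTORY)
    # A remediation lands for fitness_log: consent raised and the control added.
    print(ca.update(Record("fitness_log", "health", "use", "explicit",
                           frozenset({"purpose_limitation", "consent_check"}),
                           "wellness")))
```

The point of the split between `assess_inventory` and `ContinuousAssurance` is the one the plan makes: the annual pass catches what has accumulated, while the change-driven path raises a gap to its accountable owner at the moment a record is added or altered, including the case where a new category or state has no requirement mapped at all.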
What’s in store for Facebook?
An up-to-date data inventory is key, and the ability to show progress and implementation steps is critical. Facebook is not short on funds, so dedicating a reasonable budget to establishing a mature privacy program is quite possible (and costs far less than $5 billion). One aspect of maturity is accountability across the entire organization – from the CEO down to entry level. No exceptions and no exclusions.
It is time for us to become “compliance professionals” as it relates to our personal data. “Trust but verify” has to be in the nature of everything that we do. When a company says they’re protecting user privacy, they’ll need to prove it and those who do it best will be rewarded with our business.