Apparently, there’s more fallout for Facebook over its sketchy Cambridge Analytica data transfer policy. The Wall Street Journal’s Adrienne LaFrance reports that the latest revelation is another instance of SEC rules broken and could result in a strong fine — perhaps even a whole lot of money. The SEC rejected Facebook’s 2016 application for a “phantom” exemption from SEC regulations. The delay may have happened for a myriad of reasons. One possibility is that at least some leaders at the SEC, which acts as a regulator for financial markets, apparently felt that the phantom exemption application did not fully justify Facebook’s desire to avoid disclosure. Another consideration, according to LaFrance, could have been that Facebook employees could have figured out early on how it worked and figured out how to work around it (which might have resulted in future SEC filings, would not have necessarily avoided reporting requirements).
Based on that information, Facebook now may have to submit to more onerous SEC reporting requirements when it reports quarterly results. The proposed enforcement action continues to be vague. Facebook hasn’t yet disputed the Journal’s report or raised any questions about the application for the phantom exemption.
Other legal, financial and social consequences
As LaFrance notes, Facebook failed to disclose that outsiders, who acquired about 50 million Facebook users’ data, were also responsible for a separate 2.8 million additional profiles without any user input. The unmodified users were the ones which Facebook did not compromise. The “situation with Cambridge Analytica” is covered in full at her story. The rules relate to Facebook’s failure to “adequately disclose” that a third party acquired the data without proper consent and then kept it for at least six months. The SEC denied the application for the phantom exemption. This development in SEC rules could increase the pressure on Facebook to tell its story publicly — finally, in a way that will enable the public to know how it was misleading users and ultimately betrayed their trust.
What makes this news significant is that it’s part of a larger story about what happens when giant companies violate our privacy and also don’t tell us the truth. In this case, the failure of Facebook to protect the user data allowed Cambridge Analytica to dominate headlines. It might seem trivial to one of its users that Facebook hadn’t informed users about losing their data. But when the backlash grows, as it did when Facebook still hadn’t publicly disclosed the breach, it becomes a painful realization that they did not care. Further, we learned that the “data” that was accessed in this case was not even all Facebook users, but it was enough data to change someone’s voting preferences (i.e., this data didn’t represent “all” Facebook users). Facebook probably wanted to keep this data from the public at large because it saw it as less risky (especially when you combine it with email addresses and other information), perhaps even a higher-value asset.
Lastly, it is possible that the SEC’s claim that it may “consider further actions” could encourage more measures by the Commission to respond to the data breaches and disclose more, or even disclose more than it is already required to disclose. Most observers have already been expecting Facebook to face a hefty SEC fine related to the data breaches. That action may have started with settlements with states and it may still be in the pipeline.
This story is written and posted by The Washington Post with the assistance of the International Consortium of Investigative Journalists.