
Facebook Charged $5 Billion For Privacy Breach

By ISBuzz Team. July 15, 2019. Updated: July 26, 2019.

The Wall Street Journal and other media reported late Friday that Facebook will be charged with a $5 billion fine for privacy lapses in conjunction with the company’s 2018 Cambridge Analytica scandal. The fine represents the largest ever imposed by the FTC against a tech company. The FTC began probing Facebook in March 2018 following reports that political consulting firm Cambridge Analytica had improperly accessed the data of 87 million Facebook users. 

Breaking News: A roughly $5 billion fine for Facebook was approved by the FTC over privacy violations, by far the biggest penalty ever for a tech company https://t.co/Ow1AHrwb56

— The New York Times (@nytimes) July 12, 2019

Experts' Comments:

Pravin Kothari, Founder and CEO at CipherCloud:  

“The situation with Facebook is an eye opener and has brought considerable attention to data privacy requirements. We’ll see more and more regulators “bring the hammer down” and levy some of the largest fines ever seen in an effort to drive data privacy and raise awareness. This time it’s the FTC, the next could be GDPR or the upcoming California Consumer Privacy Act, followed by many other privacy regulators worldwide.

Data is becoming an important currency, but businesses are still not doing enough to protect their sensitive information in the cloud.  Many businesses don’t realize that internet and cloud services are not bullet-proof. They assume that their information is safe with cloud providers.  But a simple misconfiguration, a bug or abuse of API could cause major exposure and havoc.  

Organizations should select tools that automatically protect their sensitive information.  As more data and applications are moving to the cloud, businesses should access their cloud applications with a layer of a security broker with automatic rights management and end-to-end encryption.  By ensuring appropriate protective measures are always in place, businesses can avoid the stiff financial penalties, forensics costs and reputational damage that result from data breaches.” 

Tim Erlin, VP, Product Management and Strategy at Tripwire:

“While this is clearly a substantial fine by any measurement, the real question is whether it will ultimately change any of Facebook’s policies or practices. Unfortunately, as consumers we don’t really have the transparency to see how our data is being used, and to evaluate whether practices have changed. At best, consumers can evaluate whether Facebook’s marketing around privacy changes.   

Other organizations should take notice of this fine as a warning that the FTC will issue meaningful fines for privacy violations. It’s a good time to proactively get your house in order with regards to data privacy.” 

Alastair Pooley, Chief Information Officer at Snow Software:

“The massive $5 billion fine levied on Facebook for mishandling of consumer data certainly made a few headlines.  However, the jump in the price of Facebook stock in response to the announcements suggests that markets were concerned that the fine could be larger still. Certainly a behemoth such as Facebook, which earned more than $15bn in revenue in the first three months of 2019 can afford it and perhaps accept it as a cost of their business model.  Recognising this, lawmakers are starting to question just how it is possible to hold such companies accountable. 

“When lawmakers feel that financial penalties are unlikely to curb behaviour, then minds tend to turn to regulation.  Facebook has every reason to comply with the law in future but other companies may, whether because of their size, or because of the sector they work in, have more trouble complying with the new rules.  Companies need to protect the privacy of those with whom they have a relationship, as well as being transparent with them so that they know exactly what is being done with their data.” 

Willy Leichter, VP of Marketing at Virsec:  

It’s interesting that while most of the world focuses on strengthening fundamental privacy rights, the FTC is wielding a huge stick based on essentially false advertising. Most consumer-facing online businesses make sweeping promises about respecting user privacy, but this should be a huge wake-up call that you can’t just talk-the-talk.  

It’s also worth comparing this to the comparatively light fine that Equifax got from the FTC earlier this week – a mere $700 M. While Equifax broke its customer promises through gross negligence, Facebook showed deliberate intent to monetize customer data wherever possible. Willful deceit still seems to warrant a much bigger punishment than large-scale incompetence.

Fouad Khalil, VP Compliance at SecurityScorecard:  

“It is difficult to believe that Facebook can claim compliance with privacy requirements any time soon. These gaps in security controls and lack of 3rd party developers’ oversight are not a small undertaking to fix. Let us not forget that Facebook executed wilful neglect when ignoring compliance with regulations and laws and deceiving consumers on the level of control they had over their personal data. Wilful neglect opens the door to criminal offenses, but surprisingly enough no litigations against Facebook management took place.

The settlement mentions quarterly assessments. It also mentions an independent assessor. All is great, but not good enough in my opinion. With an organization like Facebook, things change regularly and to keep up with change, Facebook must implement a continuous oversight program. A program that can identify risk as it happens and offers near real-time mitigation steps. A mature privacy program requires an up-to-date inventory of all regulatory protected data, what controls are required to eliminate risk and how they support privacy policies. It is my belief, if Facebook had any level of this privacy program maturity, they would not be in the spotlight today.   

You still wonder how seriously Facebook will take the privacy of their consumers? The fine is less than last quarter’s revenue, so the financial impact is minimal. Consumers are hopefully more aware of their rights and what could happen when organizations do not take them seriously. We now have the SEC and FTC as privacy program supporters. A couple of US states enacted privacy laws and others are still struggling to pass them (such as NY state this week failing to pass a privacy law.) Congress introduced a bill back in February of 2019 that is still in the introduced state – maybe this unfortunate event will elevate the bill into the spotlight.   

It is time for us to become “Compliance professionals” as it relates to our personal data. “Trust but verify” has to be in the nature of everything that we do. When a company says they’re protecting my privacy, sometimes they will need to prove it.”


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
