The Wall Street Journal and other media reported late Friday that Facebook will be fined roughly $5 billion for privacy lapses connected to the company’s 2018 Cambridge Analytica scandal. The fine is the largest the FTC has ever imposed on a tech company. The FTC began probing Facebook in March 2018 following reports that political consulting firm Cambridge Analytica had improperly accessed the data of 87 million Facebook users.
Breaking News: A roughly $5 billion fine for Facebook was approved by the FTC over privacy violations, by far the biggest penalty ever for a tech company https://t.co/Ow1AHrwb56
— The New York Times (@nytimes) July 12, 2019
Expert Comments:
Pravin Kothari, Founder and CEO at CipherCloud:
“Data is becoming an important currency, but businesses are still not doing enough to protect their sensitive information in the cloud. Many businesses don’t realize that internet and cloud services are not bullet-proof. They assume that their information is safe with cloud providers. But a simple misconfiguration, a bug or abuse of an API could cause major exposure and havoc.
Organizations should select tools that automatically protect their sensitive information. As more data and applications move to the cloud, businesses should access their cloud applications through a security broker layer with automatic rights management and end-to-end encryption. By ensuring appropriate protective measures are always in place, businesses can avoid the stiff financial penalties, forensics costs and reputational damage that result from data breaches.”
Tim Erlin, VP, Product Management and Strategy at Tripwire:
“Other organizations should take notice of this fine as a warning that the FTC will issue meaningful fines for privacy violations. It’s a good time to proactively get your house in order with regard to data privacy.”
Alastair Pooley, Chief Information Officer at Snow Software:
“When lawmakers feel that financial penalties are unlikely to curb behaviour, then minds tend to turn to regulation. Facebook has every reason to comply with the law in future but other companies may, whether because of their size, or because of the sector they work in, have more trouble complying with the new rules. Companies need to protect the privacy of those with whom they have a relationship, as well as being transparent with them so that they know exactly what is being done with their data.”
Willy Leichter, VP of Marketing at Virsec:
“It’s also worth comparing this to the comparatively light fine that Equifax got from the FTC earlier this week – a mere $700M. While Equifax broke its customer promises through gross negligence, Facebook showed deliberate intent to monetize customer data wherever possible. Willful deceit still seems to warrant a much bigger punishment than large-scale incompetence.”
Fouad Khalil, VP Compliance at SecurityScorecard:
“The settlement mentions quarterly assessments. It also mentions an independent assessor. All is great, but not good enough in my opinion. With an organization like Facebook, things change regularly, and to keep up with change, Facebook must implement a continuous oversight program: a program that can identify risk as it happens and offers near real-time mitigation steps. A mature privacy program requires an up-to-date inventory of all regulatory protected data, what controls are required to eliminate risk and how they support privacy policies. It is my belief that if Facebook had any level of this privacy program maturity, they would not be in the spotlight today.
You still wonder how seriously Facebook will take the privacy of their consumers? The fine is less than last quarter’s revenue, so the financial impact is minimal. Consumers are hopefully more aware of their rights and what could happen when organizations do not take them seriously. We now have the SEC and FTC as privacy program supporters. A couple of US states have enacted privacy laws and others are still struggling to pass them (such as NY state failing to pass a privacy law this week). Congress introduced a bill back in February of 2019 that is still in the introduced state – maybe this unfortunate event will elevate the bill into the spotlight.
It is time for us to become “Compliance professionals” as it relates to our personal data. “Trust but verify” has to be in the nature of everything that we do. When a company says they’re protecting my privacy, sometimes they will need to prove it.”