Securities Regulation Daily Facebook will pay highest-ever civil penalties in Cambridge Analytica data misuse case
Wednesday, July 24, 2019

Facebook will pay highest-ever civil penalties in Cambridge Analytica data misuse case

By John Filar Atwood

SEC assesses $100 million penalty, while FTC and DOJ require Facebook to pay $5 billion.

The SEC has brought charges against Facebook for presenting the misuse of user information as a hypothetical risk when at least 30 Facebook employees knew that Cambridge Analytica had already used the information in its political advertising business. The Commission also claimed that Facebook exacerbated the problem by lying to the press during the Cambridge Analytica investigation, saying that it had discovered no evidence of wrongdoing (SEC v. Facebook, Inc., July 19, 2019).

In a separate action by the Federal Trade Commission and the Department of Justice, Facebook agreed to pay a $5 billion civil penalty, the largest ever assessed by the FTC. The company also will implement a set of compliance measures designed to improve user privacy and provide additional protections for user information. The new measures include the appointment of an independent assessor to monitor Facebook’s conduct, privacy reviews for all new or modified Facebook products, establishment of an independent privacy committee on Facebook’s board, annual compliance certifications by CEO Mark Zuckerberg, and certain reporting and record-keeping requirements.

In the SEC action, Facebook consented to pay $100 million, the largest fine ever imposed by the Commission in a disclosure-related case. SEC Enforcement Co-Director Stephanie Avakian said that the closest comparable case she could recall was the April 2018 Yahoo! matter involving misstatements about a data breach. Yahoo! was fined $35 million.

In a press conference, Avakian was asked why Facebook was not required to disgorge $29 million in cash proceeds it received from the exercise of employee stock options during the relevant period. She said that the record penalty is what the Division deemed appropriate in this case based on the nature of the conduct and how it has handled disclosure cases in the past.

Did Zuckerberg know? Asked whether the Facebook employees that knew of the misuse of personal data included Mark Zuckerberg and Cheryl Sandberg, Avakian said that the Division made no allegations against specific individuals. She referred to the language of the complaint, which said that more than 30 employees in different corporate groups, including senior managers in Facebook’s communications, legal, operations, policy, and privacy groups, knew of the problem.

Avakian emphasized that the thrust of the SEC’s case is that Facebook lacked policies and procedures to ensure that its risk factor disclosure was accurate and complete. It compounded the disclosure problem by lying to reporters during the Cambridge Analytica investigation, giving additional weight to the misleading statements in its public filings.

Allegations. According to the complaint, in 2014 and 2015 Cambridge Analytica paid an academic researcher to collect and transfer data from Facebook to create personality scores for 30 million users. In addition to the personality scores, the researcher violated Facebook’s policies by giving Cambridge Analytica the underlying Facebook user data, including names, genders, locations, birthdays, and "page likes." Cambridge Analytica used the information in its political advertising activities.

The SEC further alleged that Facebook discovered the misuse of its users’ information in 2015 but did not correct its public disclosure for more than two years. Facebook continued to tell investors that users may be improperly accessed, used or disclosed, according to the Commission.

The SEC claimed that Facebook reinforced the false impression by telling reporters who were investigating Cambridge Analytica’s use of Facebook user data that it had discovered no evidence of wrongdoing. When the company finally disclosed the incident in March 2018, its stock price dropped.

Lack of disclosure policies. The SEC found that Facebook’s processes and procedures around the drafting of its periodic reports on Forms 10-K and 10-Q, including its risk factor disclosures, failed to bring the researcher’s sale of data to Cambridge Analytics to the attention of the individuals with primary responsibility for drafting and approving those reports. The lack of specific policies or procedures resulted in Facebook making inaccurate disclosures in its public filings.

Facebook neither admitted nor denied the SEC’s allegations but agreed to the entry of a final judgment ordering the $100 million penalty. The company also is permanently enjoined from violating 1933 Act Sections 17(a)(2) and 17(a)(3), and 1934 Act Section 13(a) and Rules 12b-20, 13a-1, 13a-13, and 13a-15(a).

Attorneys: Erin E. Schneider for the SEC.

Companies: Facebook Inc.; Yahoo! Inc

MainStory: TopStory PublicCompanyReportingDisclosure FormsFilings RiskManagement

Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More

Securities Regulation Law Daily: Breaking legal news at your fingertips

Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on securities regulation legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.