Facebook may become the textbook case on how a company’s poor governance and weak privacy practices cost it more than any breach in history. Congress, regulators (U.S. and international), state attorneys general, plaintiffs’ lawyers and the public at large have put Facebook in the crosshairs.

On March 17, The New York Times and The London Observer reported data on 50 million Facebook users was impermissibly shared with Cambridge Analytica, which used it to help Donald Trump shape campaign messages and win the presidency. Unlike earlier reports, which surfaced in 2015 and 2017, the articles provided information from a former Cambridge Analytica employee, Christopher Wylie, who blew the whistle on how the Facebook data were used.

“We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on,” he said.

Within days, a former Facebook employee, Sandy Parakilas, followed suit and regaled U.K. members of Parliament about Facebook’s refusal to heed his warnings of lax data protection policies. The whistleblowers added credibility to the stories and blunted Facebook’s ability to respond using its usual statements about taking privacy seriously and investigating any allegations.

Path to a Crisis

By way of background, from 2007 to mid-2014, Facebook routinely allowed application developers to scrape the data of Facebook users who used their apps, as well as data about all of their friends. This “friends permission” policy attracted developers to the Facebook platform because they were enticed and rewarded by access to a rich mine of data. Parakilas estimated the feature was used by developers to gather data on “hundreds of millions” of Facebook users.

Parakilas, who was responsible for enforcing Facebook’s policies against third-party application developers in 2011-2012, detailed how the company never monitored, audited or investigated how any developer was using Facebook data. “They felt that it was better not to know. I found that utterly shocking and horrifying,” he explained.

During the period “friends permission” was allowed, a U.K. company called Global Science Research (GSR) developed a personality application that was used by 270,000 Facebook users. In return, GSR was able to scoop up data on the users and all of their friends, resulting in a database full of personal details on 30 million to 50 million Facebook users (original estimates were 30 million, later ones are 50 million). In 2015, GSR’s founder violated Facebook’s terms and conditions and gave the data to Cambridge Analytica to use for data analytics and targeted campaign messaging.

All Hell Breaks Loose

The New York Times and The London Observer reports in March created a firestorm. The news came in the midst of a broad recognition that Russia really had meddled in the 2016 elections and this had occurred—in large part—through fake Facebook pages, ads, and deceptive and manipulative messaging that reached 126 million Americans. Through the press, people were beginning to understand the enormity of the privacy violations that had occurred and the power of big data.

Around the same time, The New York Times reported Alex Stamos, Facebook’s chief information security officer, was being pushed out of his job because he had compiled massive amounts of data about Russia’s misuse of the platform during the elections and had repeatedly urged Facebook to be transparent about what it had discovered. Stamos reportedly put together a team of engineers in June 2016—the same month the Democratic National Committee announced it had been hacked—and by November 2016, he had uncovered evidence that the Russians had “pushed DNC leaks and propaganda on Facebook.”

The Times article details the increasing amount of evidence uncovered by Stamos, his drafting a memo that was subsequently scrubbed, and his futile but continuing entreaties to Facebook’s management to disclose the findings. Parakilas said, “The people whose job is to protect the user always are fighting an uphill battle against the people whose job it is to make money for the company.” Others interviewed by the Times noted senior management’s desire to protect their legacies and reputation.

Facebook tried to cut off the head of the snake by reassigning Stamos’s 120-member team to two divisions—product and infrastructure (not, by the way, where information security should be located within an organizational structure). Stamos reportedly was asked to stay until August because Facebook’s senior executives were concerned his leaving would look bad.

Here Comes the Hammer

Facebook’s lack of governance of its own corporate practices, its blatant attempt to sideline an officer of the company to avoid disclosing evidence its users had been manipulated, and its mismanagement of the public relations crisis created by the news reports have been stunning. In less than two weeks, Facebook found itself under siege, not only in the United States but also around the globe. The Federal Trade Commission confirmed it was investigating Facebook’s privacy practices and whether it violated a 2011 FTC consent decree. A group of 37 state attorneys general sent Facebook a letter “demanding answers…about the company’s business practices and privacy protections.” The Senate Judiciary Committee, the Senate Committee on Commerce, Science, and Transportation, and the House Energy and Commerce Committee asked Mark Zuckerberg to testify on Facebook’s data privacy and data use standards. (Hint to the Hill: You need to ask Alex Stamos to testify.)

Canada’s privacy commissioner launched an investigation into whether Facebook mishandled Canadians’ personal information and announced that Britain’s privacy office had begun a similar investigation and the two offices would be coordinating. On the same day, the EU’s data protection chief called the allegations against Facebook the “scandal of the century” and called for EU data protection authorities to join together in a task force to investigate Facebook’s activities.

In just six days, Facebook lost $75 billion in market capitalization, and before it could even blink, a federal class action securities lawsuit against Facebook, Zuckerberg and CFO David Wehner was filed alleging:

[Facebook] made false and/or misleading statements and/or failed to disclose that: (i) Facebook violated its own purported data privacy policies by allowing third parties to access the personal data of millions of Facebook users without the users’ consent; (ii) discovery of the foregoing conduct would foreseeably subject the company to heightened regulatory scrutiny; and (iii) as a result, Facebook’s public statements were materially false and misleading at all relevant times.

Securities suits are a new tactic taken by plaintiffs’ attorneys in response to cyber incidents. In the past year, securities class action suits have been filed against Equifax, Yahoo and PayPal following highly visible breaches, exposing directors and officers to substantial liability.

The Facebook debacle does present opportunities for agents and brokers. The sting from Facebook will raise the bar for privacy protections and good corporate governance. Insurance professionals should reach out to clients and help them evaluate their current D&O coverage. Also, encourage them to review their privacy policies and develop compliance procedures to ensure their privacy obligations are upheld.

Westby is CEO of Global Cyber Risk. westby@globalcyberrisk