Trouble Comes in Threes: Long-term Impacts of the Facebook/Cambridge Analytica Controversy Trouble Comes in Threes: Long-term Impacts of the Facebook/Cambridge Analytica Controversy

Trouble Comes in Threes: Long-term Impacts of the Facebook/Cambridge Analytica Controversy

By Nick Merker and summer clerk Mason Clark

Beginning in 2014 and leading up to the 2016 Presidential election, Facebook disclosed approximately 87 million users’ personal data to political consulting and data analytics firm Cambridge Analytica, who in turn used the data to target certain Facebook users with political messaging. Facebook’s misuse of personal data —and the universal public outrage it caused—carries short- and long-term consequences for companies collecting, storing, and using consumers’ personal data. The short-term impact of the Facebook/Cambridge Analytica debacle is heightened awareness and skepticism by both government agencies and private consumers of data collection and aggregation. Your company can combat this short-term consequence by reevaluating your company’s privacy policy—privacy policies and vendor agreements that tell the consumer exactly what you are doing or intend to do with her data reduce the risk of public exposure as dishonest and unethical.

But the long-term impact of the Facebook controversy on your company is less certain and more difficult to anticipate; it depends on how successful public and private actors outside the company—government agencies, public officials, investors, and so on—are changing best privacy practices within your industry. Facebook’s data misuse may cause long-term impacts in three areas: 1) regulation, 2) litigation, and 3) legislation. 
 
  1. Regulation: The FTC could increase the number of enforcement actions (and the accompanying monetary penalties) against non-compliant companies.
Recent failures to prevent or remediate data breaches and data misuse were met with
strong FTC enforcement, and last year the FTC brought nearly two hundred privacy and data security enforcement actions—a record for the agency. In January, the FTC settled with electronic toy maker VTech for $650,000 after the company collected personal information from children without providing direct notice and obtaining parental consent.[1] Just last month, the FTC also proposed an order against Uber that would require the company to submit reports to the agency about software design security and initiatives to prevent, detect, and respond to attacks.[2]

With FTC acting director Tom Pahl confirming an investigation into Facebook’s privacy practices,[3] it is clear the agency is willing and able to investigate and penalize companies that violate FTC Act Section 5(a), engaging in unfair acts that cause substantial injury to consumers, through data misuse. Though the agency carries the burden of proving non-compliance, the Facebook case could stimulate even more aggressive FTC enforcement against and penalties for data misuse than witnessed in the recent VTech and Uber cases, as some suggest Facebook could face millions of dollars in FTC fines.[4]
 
  1. Litigation: You may see an increase in shareholder class action or derivative suits for consequences of data breaches.
Within weeks of the Facebook scandal, investors filed a stock-drop suit in the U.S. District Court for the Northern District of California, alleging the company made misleading statements to the SEC about data misuse. Yuan v. Facebook, Inc. et al., No. 3:18-cv-01725 (N.D. Cal. Mar. 20, 2018) (Complaint). According to the complaint, Facebook knew Cambridge Analytica was misusing data but did not inform the SEC or shareholders. Id. Facebook’s stock then dropped more than $20 over two days after publication of the scandal. Though a recent class action suit brought by consumers against VTech for data breach was dismissed,[5] companies may still be liable to investors for breach of fiduciary duty.

In a similar case, a single investor filed a stockholder derivative suit in the Delaware Chancery Court last month, claiming she was entitled to “extraordinary equitable relief” after Facebook executives breached their fiduciary duty when hiding the scandal. Sbriglio v. Zuckerberg et al., No. 2018-0307 (Del. Ch. 2018) (Complaint). In the complaint, Sbriglio alleges Facebook board members didn’t inform shareholders about the disclosures because it would have served as an admission that the company violated a 2011 FTC settlement to stop allowing third party access to data without user consent. Id.

Both cases serve as a warning to companies collecting, storing, and using personal data: misleading or outright lying about data misuse can not only create issues with the FTC, but it can also lead to shareholder suits that, even if you win, cost your company time and money.
 
  1. Legislation: Even if Congress doesn’t fully understand the Internet, they could pass legislation that restricts the previously self-regulated tech industry.
Still reeling from Mark Zuckerberg’s testimony last month, Congress proposed legislation that will regulate how industry leaders like Facebook, Google, and Twitter use and share consumer data. The Facebook revelations produced widespread public outcry that forced politicians to pacify constituents. Senators Richard Blumenthal (D-Conn.) and Ed Markey (D-Mass.) recently proposed the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act, which would force the FTC to create and enforce privacy protections for customers of “edge” providers like Facebook.[6] While legislation like the CONSENT Act won’t have significant impact on small businesses and other non-edge providers, you can expect tougher regulation on tech leaders, on which your clients and employees may rely depending on your industry.

For guidance on data protection and privacy compliance, please contact Nick Merker. Nick Merker is a partner and co-chair of Ice Miller’s Data Security and Privacy Practice. Mason Clark is a summer clerk and lead author on this article.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
 
[1] Federal Trade Commission, Electronic Toy Maker VTech Settles FTC Allegations That it Violated Children’s Privacy Law and the FTC Act, FTC Press Release (Jan. 8, 2018).
[2] Federal Trade Commission; Uber Technologies, Inc., Analysis to Aid Public Comment, 83 Fed. Reg. 18,061 (Apr. 25, 2018).
[3] Federal Trade Commission, Statement by the Acting Director of FTC’s Bureau of Consumer Protection Regarding Reported Concerns about Facebook Privacy Practices, FTC Press Release (Mar. 26, 2018).
[4] Timberg, Craig and Romm, Tony, Facebook could face record fine, say former FTC officials, The Washington Post (Apr. 8, 2018).
[5] In re VTech Data Breach Litigation, No. 1:15-cv-10889 (N.D. Ill. 2017).
[6] S.2639, CONSENT Act. 115th Congress (2017-2018).
View Full Site View Mobile Optimized