
FTC Reportedly Approves $5 Billion Facebook Fine

Settlement Stems From Cambridge Analytica Incident

After a long privacy investigation, the U.S. Federal Trade Commission voted to levy a $5 billion fine against Facebook, according to the Washington Post and the Wall Street Journal.


The FTC voted 3-2 to approve the settlement, with three Republican members voting in favor and the two Democratic members voting against it, according to the news reports. The U.S. Justice Department must approve any final settlement.

The fine is the largest one ever levied by the FTC against a tech company and close to Facebook's recent $5.5 billion profit for the first quarter of this year. The company set aside $3 billion of that in anticipation of a fine.

The report of the proposed fine appeared to provide assurance to investors that it wasn't higher. Facebook's stock rose on Friday by 1.8 percent to $204.87.

The FTC and Facebook have been negotiating a settlement for months over whether the social network violated a 2012 agreement with the agency. The FTC investigation was launched in March 2018 as a result of the Cambridge Analytica controversy.

The now-defunct voter-profiling firm improperly obtained profile data for 87 million Facebook users without their consent (see: Facebook and Cambridge Analytica: Data Scandal Intensifies).

The reported fine raises the stakes for tech companies as regulators around the world increase their scrutiny of data management practices. Last week, U.K. regulators signaled their intent to fine British Airways £184 million ($230 million) and hotel giant Marriott £99 million ($125 million) over data security incidents under the E.U.'s General Data Protection Regulation (see Marriott Faces $125 Million GDPR Fine Over Mega-Breach).

But the U.S. lacks a federal privacy law covering consumer data. The FTC's strategy has been to allege violations of the FTC Act, which is intended to protect consumers from unfair and deceptive practices. In response to the Post's report, Sen. Mark Warner, D-Ore., renewed a call on Congress for new federal legislation.

"Given Facebook's repeated privacy violations, it is clear that fundamental structural reforms are required," Warner says. "With the FTC either unable or unwilling to put in place reasonable guardrails to ensure that user privacy and data are protected, it's time for Congress to act."

A Facebook spokesperson told Information Security Media Group that the company is not commenting on the reports of a settlement.

Do Fines Spur Change?

The proposed fine also drew criticism from other Democratic lawmakers, including Sen. Richard Blumenthal, D-Conn.

"This reported $5 billion penalty is barely a tap on the wrist, not even a slap," Blumenthal writes on Twitter. "Such a financial punishment for purposeful, blatant illegality is chump change for a company that makes tens of billions of dollars every year."

A broader question is whether a fine will spur internal change within Facebook, as it was already under FTC monitoring when the Cambridge Analytica situation occurred.

Under the August 2012 consent order with the FTC, Facebook was required to obtain permission from consumers before making changes to privacy settings.

It also was barred from sharing data of its users to third parties without their consent. The FTC required Facebook to obtain third-party audits every two years certifying that it is in compliance with the settlement and had a privacy and security program in place.

Cambridge Analytica obtained around 87 million users' profile data, most of whom were in the U.S. It obtained the data from Aleksandr Kogan, a Cambridge University lecturer who deployed a quiz app on Facebook around 2013.

The app, called This is Your Digital Life, collected the personal information of people who used it as well as that of their friends, who had not provided their consent. Facebook later changed its rules to prevent such data harvesting. Kogan shared the data in violation of Facebook's policies.

Although Facebook endured many other privacy gaffes over the years that drew questions over how it was managing personal data, the Cambridge Analytica situation triggered particularly vigorous outrage.

That was, in part, due to the firm's brief work with President Donald Trump's campaign, as well as rising awareness among the public of how their personal data is collected and transferred to third parties.

Ongoing Monitoring

Earlier this year, the Electronic Privacy Information Center - whose complaints led to the 2012 consent order - launched a campaign called #enforcetheorder, alleging the FTC has failed to act against Facebook.

EPIC said on Friday that it filed a Freedom of Information Act request that revealed 26,000 outstanding complaints have been filed with the FTC related to Facebook.

"The FTC has not taken a single enforcement action against Facebook since the 2011 consent order," EPIC notes on its #enforcetheorder page.

Of high interest when the FTC announces the new consent order will be which monitoring terms bind Facebook and how those differ from the 2012 order.

The Center for Democracy & Technology, a public interest group based in Washington, says it "looks forward to learning the final terms of the settlement, which are expected to include further restrictions on how Facebook manages user data."

Executive Editor Jeremy Kirk contributed to this report.