11 days after the fine, new guidelines announced which Facebook says will require structural changes
All who’ve been wondering for over a year what Facebook’s penance would be for its Cambridge Analytic violation finally have answers. News of Facebook’s $5B fine came out a couple weeks ago, followed by a list of security guidelines announced last Wednesday, July 24. The FTC hopes the list of restrictions will be what finally moves the needle on Facebook’s approach to privacy, given that its past approaches have repeatedly failed.
Facebook has agreed to restructure its user privacy under these new security terms, which span the next 20 years. They will make changes to the board and third-party developers. If any future violations occur, they will be held more accountable.
Mark Zuckerberg didn’t escape unscathed. His decision-making power must now be shared with an independent privacy committee the board of directors must create. The members can’t be fired by an individual, including Mr. Zuckerberg, but only by two-thirds of the voting shares. Zuckerberg must turn in quarterly and annual reports to the FCC demonstrating compliance with the terms of the agreement.
Facebook has tangled with the FTC before and had been under an order from 2012 that the Cambridge Analytica issue violated. This arrangement raises the bar, though many say it doesn’t go nearly far enough. The two who didn’t vote in favor of this FTC decision voted against it not because it was too strong but because they felt it wasn’t strong enough.
Facebook isn’t in the spotlight alone. The FTC imposed new rules on Equifax this month too for its massive data breach in September 2017. (See our blog, FTC Fines Equifax up to $700M for 2017 Data Breach). Equifax and Facebook are now both required to submit regular reports on the status of their ongoing FTC compliance.
Will a Big Month of Fines and Regulations Motivate Companies to Take Data Privacy More Seriously?
Despite the $5B fine being the largest ever against a US firm, it doesn't make a dent in Facebook's pocketbook and many are questioning if there is enough incentive to change its former ways.
In response to last Wednesday's ruling, Mr. Zuckerberg and Facebook’s general counsel promised reform. Zuckerberg posted on his Facebook page that Facebook would “set a completely new standard for the industry.”
His post continued, "Going forward, when we ship a new feature that uses data, or modify an existing feature to use data in new ways, we’ll have to document any risks and the steps we're taking to mitigate them. We expect it will take hundreds of engineers and more than a thousand people across our company to do this important work. And we expect it will take longer to build new products following this process going forward."
He announced the appointment of one of Facebook’s “most experienced product leaders” to the role of chief privacy officer of products. Zuckerberg also said the company was going to make some major structural changes to how we build products and run this company.” He didn’t specify how all of this would look.
Colin Stretch, Facebook general counsel, posted in his blog that the FTC agreement will “require a fundamental shift” in Facebook’s new product development process. His words: “Going forward, our approach to privacy controls will parallel our approach to financial controls, with a rigorous design process and individual certifications intended to ensure that our controls are working—and that we find and fix them when they are not.”
Big claims that many will be watching.
~ ~ ~
White Paper: Why Web Application Firewalls Are Not Enough
Data Breach Self-Protection Guide: 10 Steps for Consumers and 7 Steps for Businesses to Protect Themselves Against Data Compromise Before- & After-the-Fact