For more than two years, Facebook’s public disclosures presented the risk of misuse of user data as merely hypothetical when Facebook knew that a third-party developer had actually misused Facebook user data. Public companies must identify and consider the material risks to their business and have procedures designed to make disclosures that are accurate in all material respects, including not continuing to describe risk as hypothetical when it has in fact happened.
According to the SEC’s complaint, in 2014 and 2015, the now-defunct advertising and data analytics company, Cambridge Analytica, paid an academic researcher, through a company he controlled, to collect and transfer data from Facebook to create personality scores for approximately 30 million Americans. In addition to the personality scores, the researcher, in violation of Facebook’s policies, also transferred to Cambridge Analytica the underlying Facebook user data, including names, genders, locations, birthdays, and “page likes.” Cambridge Analytica used this information in connection with its political advertising activities.
The SEC’s complaint alleges that Facebook discovered the misuse of its users’ information in 2015, but did not correct its existing disclosure for more than two years. The complaint further alleges that during this two-year period, Facebook had no specific policies or procedures in place to assess the results of its investigation for the purposes of making accurate disclosures in Facebook’s public filings.
“We allege that Facebook exacerbated its disclosure failures when it misled reporters who asked the company about its investigation into Cambridge Analytica,” said Erin E. Schneider, Director of the SEC’s San Francisco Regional Office. “This gave further weight to Facebook’s misleading statements in its public filings.”
Without admitting or denying the SEC’s allegations, Facebook has agreed to the entry of a final judgment ordering a $100 million penalty.