Weighing the Price of a Data Breach: FTC Fines Facebook and Equifax in the Same Week
For most of us the saying goes “Fool me once, shame on you. Fool me twice, shame on me.” But it appears in the case of the US Federal Trade Commission (FTC), the phrase can be modified to “Fool me twice, pay me a massive fine.”
The FTC announced its record-breaking $5-billion penalty against Facebook on July 24, which also comes with new compliance requirements and changes to the company’s operating structure. Facebook is submitting to the decision after a year-long investigation by the FTC into a scandal involving political campaigning firm Cambridge Analytica. The firm launched a Facebook app called “This Is Your Digital Life” and encouraged users to complete a quiz about themselves. In doing so, the users agreed to hand over not only their own personal data but that of their friends list as well. Facebook later confirmed that as many as 87 million users were affected, with 70.6 million of those being from the US.
Let’s compare these numbers – $5 billion for a breach affecting 87 million users – to another FTC fine related to a data breach announced earlier in the week. Equifax was hit with a $575-million penalty on July 22 for its 2017 data breach affecting 147 million users. It resulted from a failure to secure a critical security vulnerability affecting its database, despite receiving an alert.
Considering the sensitivity of the data breached, the Equifax data holds more value. Hackers could use the harvested social security numbers for identity theft and credit fraud. In the Facebook breach, Cambridge Analytica used the data to target users with political ads. So why does the Facebook case justify such a severe markup on the fine?
The FTC says it’s because Facebook failed to follow a settlement made in 2012. That order, which didn’t include a fine, required Facebook to “give consumers clear and prominent notice and obtain their express consent before sharing their information beyond their privacy settings.” However, the FTC says that in the years since making that promise Facebook has fallen short in several ways:
- Just four months after the 2012 ruling, Facebook removed a disclosure from its Privacy Settings page informing users that information they shared with friends could be extended to apps used by those friends. But that data sharing was still happening.
- Facebook launched “Privacy Shortcuts” in late 2012 and “Privacy Checkup” in 2014. Yet these services allegedly failed to disclose that data could still be shared with apps of a user’s friends even with the most restrictive settings.
- Despite announcing in April 2014 that it would stop allowing third-party developers to collect the data of Facebook friends of app users, it allowed existing developers to continue collecting it until April 2015, and the FTC alleges it actually waited until June 2018 to stop this data flow.
So while the FTC says that both Equifax and Facebook are guilty of the FTC Act’s prohibition against deceptive practices, only Facebook violated a previous FTC order. That’s the main justification for hitting it with a heavier gavel: it’s a repeat offender.
Further, while Equifax’s data breach was caused by negligence in a security lapse that allowed criminals to make off with the data, Facebook’s incident was the result of its intentional actions to siphon data out to third parties.
The FTC says its $5-billion penalty against Facebook is almost 20 times greater than the next largest privacy or security penalty ever imposed worldwide. Source: FTC.
Facebook may appear to be harder hit by the FTC’s punitive actions at first blush, but what do the penalties look like when compared against company financials? With the help of David Tomljenovic, principal advisor in InfoTech’s financial industry practice, let’s take a look at the numbers:
Facebook fine: $5 billion
Trailing 12-month EBITDA: $27.45 billion – fine equal to 18% of this
Cash balance: $38 billion – fine equal to 13% of cash
Equifax fine: $575 million
Trailing 12-month EBITDA: $684.2 million – fine equal to 84% of this
Cash balance: -$2.75 billion – fine will increase debt load by 21%
Looking at it this way, Facebook’s fine will have much less impact on its financials compared to that of the Equifax fine. In fact, Facebook has already set aside $3 billion toward paying the settlement, and its quarterly revenue earnings announced this week exceeded $5 billion.
Want to Know More?
HUD Sues Facebook for Housing Discrimination – All Technology Companies Beware
Special Letter: An Economic View of Cybersecurity
Proteus-Cyber Provides a Tactical Solution for Schrems II Stress With the Transfer Impact Assessment (TIA) Tool
The recent Schrems II invalidation of the EU-US Privacy Shield has added a layer of difficulty for organizations that operate across borders, as they now require additional contractual clauses and measures in place to ensure data can transfer freely. Privacy program management vendor Proteus-Cyber offers a streamlined solution with the release of its Transfer Impact Assessment tool.
PHEMI: A Data Privacy Tool for Healthcare Providers
PHEMI is a data privacy solution focused on keeping data-processing activities secure by redacting information based on the role of the accessor. Thus, allowing such data to be used for multiple use cases without compromising privacy.
OneTrust Dips Its Toes Into the AI Pond With Launch of OneTrust Athena
OneTrust challenges the antiquated idea of data privacy and artificial intelligence (AI) as stark opponents, with the introduction of OneTrust Athena, the vendor’s AI and robotic automation-powered platform.
SECURITI.ai Wins Innovation Sandbox Contest at RSA Conference
Startup security vendor SECURITI.ai wins RSAC “Most Innovative Startup” at the RSA Conference 2020 Innovation Sandbox Contest.
Osano Applies for Certified-B Status
Osano recently released its SaaS privacy solution aimed at simplifying compliance and vendor assessments. The product feels familiar, but Osano’s ethical commitment sets it apart from the crowd.
Datex’s DataStealth Reduces Data Loss by Limiting Sensitive Data Acquisition
DataStealth is a difficult product to classify. It resembles DLP and privacy software but doesn’t fit neatly in either category. DataStealth focuses on data obfuscation, using a novel approach aimed at limiting sensitive-data acquisition.
TrustArc Acquires Nymity, Seeks to Bolster Feature Set
TrustArc has announced the acquisition of Canadian counterpart, Nymity – a more boutique-style vendor known for its very high standard of privacy research, expertise which manifests in its product offering.
Proteus Helps Enterprises Document Privacy by Design
Privacy by Design (PbD) is a General Data Protection Regulation (GDPR) requirement, but effective implementation requires deep insight into the operation and interconnection of various data collection processes. Thus, PbD can be difficult to document and demonstrate. However, Proteus may help.
Winning Buzzword Bingo With AWS Deep Learning Containers
Amazon’s AWS Santa Clara Summit ‘19 has been chockful of exciting product announcements, including AWS Deep Learning Containers, a service that provides Docker images that will simplify deployment of TensorFlow or ApacheMXNet workloads for training deep learning algorithms (at least according to Amazon).