The Federal Trade Commission reportedly approved a $5 billion fine against Facebook following an investigation into multiple privacy violations, which experts said should serve as a wake-up call for all U.S. enterprises.
The FTC began investigating Facebook in March 2018 following the Cambridge Analytica scandal, in which a third party abused Facebook data access in order to build profiles on at least 50 million users and influence elections around the world. The FTC probe focused on whether Facebook violated a 2012 agreement that the company would improve user privacy protections; since the investigation began, a number of Facebook security and privacy issues have come to light.
The FTC has not publicly commented on the Facebook fine, but both the Wall Street Journal and New York Times have cited anonymous sources saying the vote passed and now the agreement will be reviewed by the Department of Justice. It is unclear if any other stipulations or penalties will be part of the settlement, but the Facebook fine of $5 billion far exceeds the $22.5 million fine against Google in 2012, which was the previous record FTC penalty.
At $5 billion, the Facebook fine would be equivalent to the company's entire profit for the first quarter of 2019, and to about 9% of the company's 2018 revenue. In comparison, Europe's GDPR caps potential penalties at 4% of a company's previous year's revenue.
Tim Mackey, principal security strategist at Synopsys Inc., said it was hard to compare the Facebook fine with those levied against Google or British Airways under GDPR. He noted that it appears "regulators are increasingly willing to prosecute and fine organizations based on how they process the digital aspects of our daily life."
"Comments on the Facebook fine are trending to $5B being too light, while comments on the British Airways fine of £183 million from last week have trended towards being too heavy. Part of what's feeding this difference is the perception of the companies," Mackey wrote via email. "Facebook has a reputational challenge on its hands, which extends beyond any monetary fine. What will be interesting is whether the FTC judgement ultimately includes sanctions on operations, [such as] requiring Facebook to include in SEC filings how it directly benefits from the processing of user data."
Dan Tuchler, CMO at SecurityFirst, said it is likely the size of the Facebook fine is a "one-time event," but just as European enterprises "have been motivated by GDPR to improve their approach to data security and privacy, we expect this FTC action to further increase the sense of urgency."
"It will be interesting to see how Facebook changes their approach to data security after this very public punishment, and whether that reassures their users," Tuchler said. "The public's trust in companies like Facebook will drive security responses at other companies, and will also influence public policy and future government actions."
Mackey added that the Facebook fine "changes the economics of how U.S. organizations plan for any potential breach in much the same way GDPR changed the economics for EU-based organizations."
"Effectively, the FTC has set a new bar for what level a fine might take when a large data breach is involved," Mackey said. "CISOs and their CFO should now have a conversation which includes the potential impact of security measures throughout their software supply chain and be armed with a detailed accounting for what data is collected, processed, transmitted and retained."