Report: Facebook Faces Multibillion Dollar US Privacy Fine
FTC and Social Network Are Negotiating Record Penalty, Washington Post Reports
The Federal Trade Commission is reportedly negotiating a settlement with Facebook that includes a multibillion dollar fine for its privacy failures.
The FTC has demanded a fine be levied on Facebook that would be a record for any penalty yet imposed on a technology firm, but the social network is alarmed about the proposed settlement agreement's terms and conditions, The Washington Post reports, citing two unnamed people familiar with the government's probe.
The largest fine imposed by the FTC against a technology company to date was $22.5 million against Google. The regulator accused the search giant of having been "misrepresenting the extent to which consumers can exercise control over the collection of their information."
Facebook reported fourth quarter 2018 revenue of $16.9 billion and a $6.9 billion profit.
With first-time offenders, the FTC can only negotiate a settlement, which frequently results in a company agreeing to specific information security improvements and regular audits. Organizations that break that agreement can then be hit with penalties or taken to court by the FTC.
Since 2011, Facebook has been bound by an agreement with the FTC stemming from its previous privacy missteps, including sharing users' data without consent.
Cambridge Analytica Probe
The FTC launched a fresh probe in March 2018 over revelations that a controversial data analytics firm, Cambridge Analytica, was able to obtain 87 million Facebook profiles from a Cambridge University lecturer who created a popular personality quiz on the social network (see: Facebook: 87M Accounts May Have Been Sent To Cambridge Analytica).
London-based Cambridge Analytica, which is now defunct, was a political consulting firm that worked for both President Donald Trump's campaign and the U.K.'s "Brexit" referendum on its EU membership.
If Facebook fails to reach an agreement with the FTC, the regulator's next move would be to take the case - and its penalty demands - to court. If that happens, the FTC could call on the social network's top executives to testify (see: Facebook's Zuckerberg Takes First Drubbing in D.C.).
"Facebook faces a moment of reckoning, and the only way it will come is through an FTC order with severe penalties and other sanctions that stop this kind of privacy misconduct going forward," Democratic Sen. Richard Blumenthal, D-Conn., tells The Washington Post.
News of the penalty discussions follows the newspaper reporting last month that the FTC was close to concluding its investigation and looking to levy a record-setting fine. But it was unclear when the probe might conclude, because the FTC was closed due to the government's partial shutdown (see: Report: Federal Trade Commission Weighs Facebook Fine).
Facebook also faces a lawsuit filed by users in Washington federal court last year; they have accused the social network of violating consumer protection law by failing to protect personal data that consumers thought they'd secured using Facebook's confusing privacy controls. The lawsuit cites Cambridge Analytica as just one example of how Facebook allegedly shared users' personal data without their consent.
Sanctions in Europe
Facebook has already faced its first European moment of reckoning. In October 2018, the U.K. Information Commissioner's Office, which enforces the country's privacy laws, slammed Facebook with the maximum privacy penalty possible over the failures that facilitated the Cambridge Analytica debacle. The ICO fined Facebook £500,000 ($645,000), which was the maximum fine possible, because the privacy failings occurred before the EU's General Data Protection Regulation, which sets much higher potential penalties, came into effect (see: Facebook Slammed With Maximum UK Privacy Fine).
While GDPR only applies to Europeans' personal data, the regulation is helping to redefine acceptable privacy practices worldwide, even if they're not ensconced in other nations' laws (see: Facebook Gets Its First Real Privacy Penalty - From Apple).
In Germany, Facebook faces another assault on its privacy practices in the form of a proposed ruling from the country's antitrust authority.
The Bundeskartellamt, or Federal Cartel Office, says Facebook should not be allowed to require that users either submit to letting the social network collect and process their data however it chooses, or else be blocked from using the service altogether. Instead, the regulator says users should be allowed to choose whether Facebook will be allowed to mix their personal data with data the social network collects from its other services or third-party sources (see: German Antitrust Office Restricts Facebook Data Processing).
"We are carrying out what can be seen as an internal divestiture of Facebook's data," said Andreas Mundt, president of the Bundeskartellamt.
Both Congress and the U.K. Parliament are continuing to probe the practices of Facebook and other social media firms over Russia's election interference efforts and fake news campaigns (see: UK Parliament Seizes Internal Facebook Privacy Documents).