Need a break from all the Trump-Putin news? Take solace in this relatively simple story about the SEC’s stance on data breaches, including some biggies at Yahoo! and Facebook.
The Wall Street Journal and other outlets are reporting that the SEC is looking into the incident in which the personal data of up to 87 million Facebook users was improperly shared with Cambridge Analytica in 2014. Congress grilled Facebook CEO Mark Zuckerberg on that topic in April. The FTC, for its part, has opened an investigation into whether the breach violated a consent decree requiring Facebook to obtain user permission before sharing personal data. The SEC’s line of inquiry is different. It is looking into the question of whether Facebook adequately informed investors about the breach.
The SEC has slowly become more active on this front, and in April levied its first penalty on a public company for failing to disclose a cybersecurity breach. The penalty was $35 million, imposed on Yahoo! successor Altaba Inc., over Yahoo!’s response to a 2014 breach that exposed the information of billions of users.
These two investigations provide proof that, as Bloomberg’s Matt Levine would say, “everything is securities fraud.” Levine often points out that whenever something happens to a company, and the company doesn’t disclose it, that undisclosed thing can become the basis of a securities fraud charge. In Yahoo!’s case, it suffered the two largest data breaches in history–and eventually, they became the basis for a securities fraud action.
The Wall Street Journal notes that “some corporate groups have questioned whether fining a company such as Yahoo is tantamount to punishing the victim,” but that position held little sway at the SEC. Neither does the fact that the perpetrators of the Yahoo! hack were associated with the Russian government, but we aren’t talking about that.
Now, the SEC is considering whether Facebook engaged in securities fraud by not sufficiently disclosing the Cambridge Analytica data breach. Facebook didn’t touch on Cambridge Analytica in its 2017 annual report, but added some color in advance of Zuckerberg’s April Congressional testimony. The social network detailed the fact that 87 million users might have been affected (previous reports put the number at 50 million), and then said in its April 10-Q that “additional incidents” of data misuse could “negatively affect user trust and engagement, harm our reputation and brands, and adversely affect our business and financial results.”
That may not be enough to put it in the clear on the Cambridge Analytica data breach. Facebook prefers to call it a “breach of trust,” saying that it took Cambridge Analytica at its word in 2015 when the company told Facebook it had deleted all the data that a University of Cambridge professor improperly shared with it. Facebook has also outlined a backup argument: it maintains that Cambridge Analytica’s receipt of user data was not material to investors (and thus needn’t have been disclosed) because the data was less sensitive than, say, credit card information.
The SEC may have a hard time swallowing that argument for any number of reasons, including the identity of the company that received the ill-gotten data. Cambridge Analytica, after all, is a subject of Special Counsel Robert Mueller’s investigation and a potential key link between the Trump campaign and Russia. Oops, there we go again. We just can’t get away from this topic.
The fact is, it seems to be on everyone’s mind these days – which makes it safe to say that Facebook investors would find the company’s involvement in it material. And if that’s the case, the SEC won’t be giving up its investigation any time soon.