Workload and Application Security Blog

FTC Approves Record $5B Fine for Facebook

Written by Virsec Systems | Jul 23, 2019 5:03:33 AM

Facebook’s Looming Fine Not Posing a Dire Worry to Them

Many companies, if they received a $5 billion fine, would be looking for a bankruptcy attorney. But Facebook was expecting this, and for them it’s barely more than a drop in the bucket. Facebook’s annual revenue in 2018 was $56 billion. The forecast for 2019 is $69 billion.

The vote in favor of the fine was 3:2, with Republicans backing the fine. Final approval is pending, though expected, from the Justice Department. Prior to this, the largest fine on record from the FTC was to Google for $22.5 million in 2012. After a 6-month investigation, Google agreed to pay the fine for ignoring Apple Safari security settings designed to prevent advertisers from tracking users with cookies.

For Facebook, if this breach were to be a one-time violation, the company could report it as a one-time event (expense) and not have to report it in its earnings results. But as noted below, other investigations are pending, so this may not be a one-time expense.

Resilience After Cambridge Analytica

After Facebook’s Cambridge Analytica transgressions made headlines last year, the FTC began investigating. Cambridge Analytica is a political consulting firm in the UK that accessed data about 87 million users without informing them.

The Cambridge Analytica scandal involved a data mining firm accessing Facebook user information in 2016 with permission through a quiz app. The number of users impacted was as many as 87 million. Questions swirled as to how much Facebook knew and when – and why they didn’t revoke the firm’s access, as well as why they simply trusted the firm to delete the information as they said they had (but didn’t). Also, Facebook knew of the breach (which they avoided calling a data breach) for months before they admitted it publicly.

At first, Facebook stock took a hit, losing over $100 billion in a matter of days. They’ve had no trouble recouping since then, and Wall Street took the FTC’s fine news without batting an eyelash. Facebook shares are up more than 50 percent since the beginning of the year. Their market value is up $64 billion just since the earnings report in April, when the company disclosed that it expected to be fined a high amount by the FTC.

Will Restrictions Come with the Fine?

The FTC found Facebook at fault. Some are relieved by the FTC’s decision, while others are frustrated and view it as leniency if it comes without means to prevent similar acts going forward. It’s not certain whether the penalty will come with the restrictions necessary to prevent another privacy breach of this kind, or with some means of holding Facebook more accountable for how it handles users’ data.

Some officials and politicians feel imposing real changes is justified, even past due, in the form of structural updates, changes to how user data is gathered and used, company restraints, and clear and consequential terms to protect user data and user privacy. The subject of altering the way Facebook advertising works has also been discussed.

Public advocacy groups and lawmakers argue that Facebook should receive rules and reforms in all these areas, including its expansion through adding Messenger, Instagram and WhatsApp. With a great deal of money and influence, it remains to be seen what Facebook may face in terms of altering their usual course of business as part of this settlement and other pending investigations.

Because Facebook appears to be more than able to absorb its penance without a hitch, some have suggested holding its founder, Mark Zuckerberg, personally responsible for the company’s many privacy violations. So far, that doesn’t seem likely, in the near future at least.

Plenty More Investigations Pending

As noted, Facebook is already awaiting the outcome of additional investigations, both in the US and globally, that will very likely impose more fines for poor practices that also resulted in data breaches. They could also face limitations imposed on how they collect data.

As of March of this year, Facebook was defending itself against at least 10 Data Protection Commission (DPC) investigations in Ireland, where European companies have their international headquarters. This includes at least two investigations about its WhatsApp application. In all cases, investigators feel European privacy laws have been violated and users’ information compromised. In one data breach in September of 2018, close to 30 million accounts were compromised due to a glitch with its View As feature (See our blog: Facebook breach could have impacted third-party apps; Is a huge GDPR fine on the horizon?).

In December, a software bug exposed photos of close to 7 million users to third-party apps (See our blog: Facebook compromises users’ privacy yet again.). All of these data violations were without user awareness or consent.

Part of these investigations includes regulators looking into whether Facebook correctly notified European authorities about breaches and compromise of user data within specific timelines – a requirement under GDPR.

It’s also public now that Facebook has given tech giants Amazon and Yahoo exceptional access to users’ personal data, allowing them to sidestep their regular privacy rules.

Facebook Repeats Promises to Do Better

Facebook has appeared to testify a number of times in the past couple of years – Mark Zuckerberg and other company representatives swearing in to face the heat. They’ve promised repeatedly to do a better job of protecting user data. They’ve promised to improve how they collect data and how they use it, to tighten down apps, and to give users more control. We’ve heard it before – hopefully it will be true soon.

If it turns out Facebook is also in violation of the GDPR for one or more breaches, more large fines will be imposed. The GDPR allows for big fines – €20 million, about $22 million US, or 4% of annual global revenue, whichever is greater. For Facebook, given last year’s revenue of $56 billion, that would be over $2 billion for that one breach.

Perhaps a $5 billion FTC fine isn’t something Facebook gets too worked up about. But if they continue to face big fines for their breaches and violations, the rising total could amount to something even they would find most unpleasant. Wouldn’t it be better to implement better practices to protect data in the first place?

Breaking News

Yesterday’s headlines brought news of another FTC fine being announced. This one concerns the long-awaited decision about the Equifax data breach in September 2017 that affected 147 million Americans. Per the terms, Equifax has agreed to pay $575 million, though the fine could reach $700 million across 50 states.

Further resources:

White Paper: Making Applications Truly Self-Defending

Blogs:

Five Tech Giants – Facebook, Twitter, Apple, LinkedIn, Google – Face Investigations for Possibly Violating European Privacy Laws

Facebook breach could have impacted third party apps: is huge GDPR fine on the horizon

Facebook compromises users’ privacy yet again

Facebook is under the spotlight yet again for another huge data breach—this time affecting many other apps and sites you’ve logged into