In just one week, within days of each other, two major settlements related to security and privacy were announced by the Federal Trade Commission (FTC) – a $575 million fine for Equifax and an unprecedented record-breaking $5 billion fine for Facebook.
While both settlements have inherent differences, they have some similarities as well, which leads us to wonder if regulatory requirements and enforcement actions will now evolve to include changes based on what was discovered with these two companies.
Facebook was fined for multiple reasons related to data privacy, as stated by the FTC, including but not limited to the following:
- Facebook did not take sufficient steps to deal with third-party apps that were violating its platform policies.
- Facebook shared the data of users’ Facebook friends with third-party app developers even when those friends had set more restrictive privacy settings.
- Facebook failed to disclose that even when users selected the most restrictive sharing settings on Facebook, the company could still share user information with third-party apps.
- Facebook did not consistently enforce its privacy policies on its third-party app developers.
- The company misrepresented the users’ ability to control facial recognition technology with respect to “tagging” users on Facebook.
- Facebook also used phone numbers collected from users for advertising purposes, after having told users that the phone numbers were collected for security purposes.
Equifax was fined for multiple reasons related to information security, as stated by the FTC, including but not limited to the following:
- Equifax failed to secure massive amounts of personal information stored on its network, leading to a data breach of social security numbers, dates of birth, addresses and other personal information of approximately 147 million people.
- Even after being alerted about a critical security vulnerability, Equifax failed to patch its network.
- Administrative credentials were stored in clear text, which enabled hackers to gain access to large amounts of Personally Identifiable Information (PII).
- Sensitive consumer information was also stored in clear text.
- Equifax failed to implement basic security measures such as segmenting its servers or installing robust intrusion detection and prevention measures.
Here are some similarities we found between the Facebook and Equifax settlements:
- Both settlements require the companies, Facebook and Equifax, to take specific actions and bolster their data privacy and information security programs respectively.
- Both settlements require that Equifax and Facebook provide annual certifications that each company is in compliance with the settlement order filed by the FTC.
- Both settlements call for an external third-party assessment of each company. Under the terms of its settlement, Equifax is required to obtain third-party assessments of its information security program every two years. The Facebook settlement order also strengthens external oversight of Facebook: a third-party assessor will evaluate the effectiveness of Facebook’s privacy program and identify any gaps.
- Both Equifax and Facebook will need to make structural changes to their information security and data privacy programs respectively. Facebook will have an independent privacy committee of its Board of Directors, thereby limiting the CEO Mark Zuckerberg’s control over decisions affecting user privacy. Facebook will also need to designate compliance officers who will be responsible for the company’s privacy program. Equifax will need to implement a comprehensive information security program that includes several different measures such as designating an employee to oversee the program, conducting annual security risk assessments, implementing safeguards to address risks, and more.
- Both companies will need to ensure that their third parties are in compliance with their information security and data privacy programs.
The Facebook settlement goes over and above corporate responsibility and even calls for individual personal accountability from the CEO Mark Zuckerberg and the company’s senior management, where they must independently submit quarterly certifications to the FTC stating that the company is in compliance with the privacy program mandated by the settlement order. Any false certifications will subject these individuals to civil and criminal penalties.
To summarize, here is a key message from the joint conference by the Department of Justice (DoJ) and the Federal Trade Commission (FTC): “Management matters. Governance matters. A culture of compliance begins with a company’s management.”