Comprehensive software reviews to make better IT decisions

Weighing the Price of a Data Breach: FTC Fines Facebook and Equifax in the Same Week

For most of us the saying goes “Fool me once, shame on you. Fool me twice, shame on me.” But it appears in the case of the US Federal Trade Commission (FTC), the phrase can be modified to “Fool me twice, pay me a massive fine.”

The FTC announced its record-breaking $5-billion penalty against Facebook on July 24, which also comes with new compliance requirements and changes to the company’s operating structure. Facebook is submitting to the decision after a year-long investigation by the FTC into a scandal involving political campaigning firm Cambridge Analytica. The firm launched a Facebook app called “This Is Your Digital Life” and encouraged users to complete a quiz about themselves. In doing so, the users agreed to hand over not only their own personal data but that of their friends list as well. Facebook later confirmed that as many as 87 million users were affected, with 70.6 million of those being from the US.

Let’s compare these numbers – $5 billion for a breach affecting 87 million users – to another FTC fine related to a data breach announced earlier in the week. Equifax was hit with a $575-million penalty on July 22 for its 2017 data breach affecting 147 million users. It resulted from a failure to secure a critical security vulnerability affecting its database, despite receiving an alert.

Considering the sensitivity of the data breached, the Equifax data holds more value. Hackers could use the harvested social security numbers for identity theft and credit fraud. In the Facebook breach, Cambridge Analytica used the data to target users with political ads. So why does the Facebook case justify such a severe markup on the fine?

The FTC says it’s because Facebook failed to follow a settlement made in 2012. That order, which didn’t include a fine, required Facebook to “give consumers clear and prominent notice and obtain their express consent before sharing their information beyond their privacy settings.” However, the FTC says that in the years since making that promise Facebook has fallen short in several ways:

• Just four months after the 2012 ruling, Facebook removed a disclosure from its Privacy Settings page informing users that information they shared with friends could be extended to apps used by those friends. But that data sharing was still happening.
• Facebook launched “Privacy Shortcuts” in late 2012 and “Privacy Checkup” in 2014. Yet these services allegedly failed to disclose that data could still be shared with apps of a user’s friends even with the most restrictive settings.
• Despite announcing in April 2014 that it would stop allowing third-party developers to collect the data of Facebook friends of app users, it allowed existing developers to continue collecting it until April 2015, and the FTC alleges it actually waited until June 2018 to stop this data flow.

So while the FTC says that both Equifax and Facebook are guilty of the FTC Act’s prohibition against deceptive practices, only Facebook violated a previous FTC order. That’s the main justification for hitting it with a heavier gavel: it’s a repeat offender.

Further, while Equifax’s data breach was caused by negligence in a security lapse that allowed criminals to make off with the data, Facebook’s incident was the result of its intentional actions to siphon data out to third parties.

The FTC says its $5-billion penalty against Facebook is almost 20 times greater than the next largest privacy or security penalty ever imposed worldwide. Source: FTC.

Our Take

Facebook may appear to be harder hit by the FTC’s punitive actions at first blush, but what do the penalties look like when compared against company financials? With the help of David Tomljenovic, principal advisor in InfoTech’s financial industry practice, let’s take a look at the numbers:

Facebook fine: $5 billion
Trailing 12-month EBITDA: $27.45 billion – fine equal to 18% of this
Cash balance: $38 billion – fine equal to 13% of cash

Equifax fine: $575 million
Trailing 12-month EBITDA: $684.2 million – fine equal to 84% of this
Cash balance: -$2.75 billion – fine will increase debt load by 21%

Looking at it this way, Facebook’s fine will have much less impact on its financials compared to that of the Equifax fine. In fact, Facebook has already set aside $3 billion toward paying the settlement, and its quarterly revenue earnings announced this week exceeded $5 billion.

Want to Know More?

HUD Sues Facebook for Housing Discrimination – All Technology Companies Beware
Special Letter: An Economic View of Cybersecurity