Article

FTC’s history-making settlement with Facebook spurs call for data privacy governance and transparency

Co-authored with Mike Vanderbilt and Rachael Reinis

Settlement includes record-breaking fines and mandated privacy oversight of the company

After a year-long investigation into Facebook for its misuse of customers’ personal data, the Federal Trade Commission (FTC) filed its official order on July 24, 2019. The settlement comes on the heels of the two biggest fines submitted under the European Union’s (EU) General Data Protection Regulation (GDPR) and just two days after the official complaint was filed against Equifax in response to their 2017 data breach. While regulatory bodies begin to exercise their ability to levy large fines in response to privacy violations, the impact to organizations reaches far beyond the financial. Organizations must act now to prepare for further data privacy oversight, regulation, accountability and transparency requirements.

What you need to know

The FTC, together with the Department of Justice, settled with Facebook for a record breaking 5 billion dollars. Not only is this the largest fine in both FTC and the privacy world’s history, it also amounts to roughly 9 percent of Facebook’s 2018 total revenue. Under the GDPR, companies may be fined up to 4 percent, making this fine substantially larger than the world’s de-facto privacy standard stipulates.

While the fine is large by any standard, many believe the penalty should have been larger for a company of Facebook’s financial stature. Arguably more significant than the fine, as part of the settlement Facebook agreed to implement sweeping changes to its corporate governance structure. These changes firmly establish privacy as a top priority risk and initiative factored into and addressed at nearly every level of the company. The changes also take into account considerations through multiple, independent channels. Privacy is now a board-level requirement at Facebook and with this change, comes the following:

  • Mandated privacy program: Facebook must formally establish and implement a comprehensive privacy program with special attention paid to Covered Information[1] that is 1) obtained or accessed by third parties, 2) collected or used in new or modified products or services, and 3) access by employees or Facebook-owned affiliates. A more rigorous approach to identifying, assessing and mitigating privacy risks is also part of the mandate.
  • Independence requirements: The creation and assessment of the new privacy program will be supported by two new committees, made up of independent professionals and the selection of an independent, third-party assessor. A nominating committee will support the appointment of new directors to the board and will evaluate and appoint members to the second new committee. A privacy committee will support the privacy program, brief the board on a quarterly basis and meet regularly with the independent assessor. The independent assessor must be engaged to conduct a review of the privacy program within the first 180 days after the program has been put in place and biennially thereafter for a period of 20 years.
  • Oversight: Designated compliance officers will be identified within the company, to include a chief privacy officer for product, with consultation from the privacy committee. These individuals must report directly to the CEO and to the independent assessor on a quarterly basis. The compliance officers together with the CEO are responsible for the mandated FTC certifications.
  • Certifications: Formal certifications are to be made to the FTC, beginning after the one-year anniversary of the effective date of the FTC’s order, on Facebook’s progress and continued maintenance of all requirements set forth. Any false certification can lead to personal liability in the form of civil or criminal penalties for the CEO and/or the designated compliance officer(s).

Along with the governance changes, there are several conditions related to sharing specific data, reporting incidents involving Covered Information, and the continued handling of facial recognition that must also be addressed.

Why this matters

During the press conference announcing the groundbreaking fine and the new mandates required by the settlement, the FTC Commissioner, Christine Wilson, also took the opportunity to advocate on behalf of privacy for the United States. Specifically, Commissioner Wilson renewed “the FTC’s bipartisan call to Congress to pass comprehensive privacy and data security legislation.”

If an organization does business in a regulated industry, such as healthcare or finance, or has a majority of their business in a privacy-forward jurisdiction, such as the EU, there are frameworks to build a privacy program. For organizations in less regulated spaces, the best approach may be to look to peers or, better yet, to an industry leader.

As Facebook moves forward with implementing / complying with this privacy mandate, other organizations should look to emulate this level of privacy oversight. While three different injections of independence may not always be necessary, the assessment and evaluation of professionals that possess the right knowledge and skill set will be. The key pillars of the mandated privacy program - conducting risk assessments, documenting safeguards and providing training to employees - can also be scaled to fit any organization’s needs. The requirements clearly laid out a drive toward one intent – to keep privacy at the forefront of an organization’s strategy, so that it can be addressed as an enterprise risk.

Even in the absence of a federal privacy law, states are moving forward with legislation to regulate businesses and protect their residents. Some, such as California, have created a fairly comprehensive law – the California Consumer Privacy Act (CCPA), while others are beginning with niche markets, such as Maine targeting internet service providers. An organization with a comprehensive and sustainable privacy program as its foundation will be more prepared and flexible in adjusting to state-by-state changes.

Steps to take now

Organizations should regard this settlement and its requirements as a bellwether of what’s to come and to assess the breadth and strength of their own programs. It will take time to see the overall impact from Facebook’s implementation, but the following steps can set an organization on the right path to stronger privacy governance.

  • Evaluate the organizational matrix: Look at your organizational matrix to see where the privacy officer or privacy point of contact currently sits. Is this individual reporting to a high-level official? Does this individual have a level of independence in their role? Are there clear, defined communication channels to and from this individual? If an individual hasn’t been identified yet, assess the needs of the organization. Does the role require a full-time employee or can the position be filled by a virtual privacy officer to get started?
  • What privacy principles are already in place? Does your organization already have policies and procedures to be compliant with the Privacy Shield or Health Insurance Portability and Accountability Act (HIPAA)? How can this be leveraged to build out a more comprehensive privacy program? Identify the types of data the organization collects and uses and the specific data that is already regulated to identify existing gaps and areas of strength around data protection.
  • Promote a culture of accountability: Whether your organization has a fledging or robust program, is the principle of privacy being driven from the top down? Have a balance between internal implementation and reviews with external, independent assessments to ensure a complete picture is developed. Keep all levels of the organization aware of their part to play in protecting not only company and customer data, but their own as well.

For more information on this topic, or to learn how Baker Tilly specialists can help your organization to develop a sustainable privacy program at your organization, contact our team.

[1] means information from or about an individual consumer including, but not limited to: (a) a first or last name; (b) geolocation information sufficient to identify a street name and name of city or town; (c) an email address or other online contact information, such as an instant messaging User identifier or a screen name; (d) a mobile or other telephone number; (e) photos and videos; (f) Internet Protocol (“IP”) address, User ID, or other persistent identifier that can be used to recognize a User over time and across different devices, websites or online services; (g) a Social Security number; (h) a driver’s license or other government issued identification number; (i) financial account number; (j) credit or debit information; (k) date of birth; (l) biometric information; (m) any information combined with any of (a) through (l) above; or (n) Nonpublic User Information

David Ross
Principal, Cybersecurity and Privacy, MBA, MEng, CIPP/E

Mike Vanderbilt

Dental equipment
Next up

A recap of key topics discussed at the Academy of dental CPAs (ADCPA) biannual meeting