There’s a great quote from the 5th Circuit’s 1981 decision in Huddleston v. Herman & MacLean that says that “to warn that the untoward may occur when the event is contingent is prudent; to caution that it is only possible for the unfavorable events to happen when they have already occurred is deceit.” That quote pretty much sums up the basis for the SEC’s enforcement proceeding against Facebook that was announced yesterday. Here’s an excerpt from the SEC’s press release:
The Securities and Exchange Commission today announced charges against Facebook Inc. for making misleading disclosures regarding the risk of misuse of Facebook user data. For more than two years, Facebook’s public disclosures presented the risk of misuse of user data as merely hypothetical when Facebook knew that a third-party developer had actually misused Facebook user data. Public companies must identify and consider the material risks to their business and have procedures designed to make disclosures that are accurate in all material respects, including not continuing to describe a risk as hypothetical when it has in fact happened.”
The misleading disclosures arose out of Cambridge Analytica’s unauthorized use of Facebook user data. Facebook allegedly found out about Cambridge Analytica’s antics in 2015, but didn’t revise its disclosure until two years later. Facebook consented to a “neither admit nor deny” settlement that, among other things, enjoins it from future violations of Section 17(a)(2) and (3) of the Securities Act and Section 13(a) of the Exchange Act & various rules thereunder.
The company also agreed to pay $100 million to settle the charges, which sounds like a lot, but is chump change to Facebook. After all, the company also agreed yesterday to pay a $5 billion fine to settle FTC charges arising out of customer data privacy lapses. Still, it seems to me that the real elephant in the room may not be the size of the settlement, but the fact that no individuals were named.
“The SEC almost always names individuals in corporate disclosure cases, although it didn’t do so in last year’s high-profile data privacy case against Altaba (Yahoo!). In any event, there’s nothing in the press release to suggest that actions against any individuals are contemplated – despite language in the complaint to the effect that “more than 30 Facebook employees in different corporate groups including senior managers in Facebook’s communications, legal, operations, policy, and privacy groups” were aware that Cambridge Analytica had improperly been provided with user data.
-John Jenkins, TheCorporateCounsel.net July 25,2019