Facebook did things right in its S-1 disclosures relating to data protection and privacy as it relates to business risk. Among other things, the myriad disclosures warn investors of risks related to unfavorable media coverage of its privacy practices and concerns about privacy, sharing and security. They also note that unauthorized access to or improper use of user information could damage Facebook’s reputation and result in legal or regulatory action, which could be expensive and require Facebook to modify its business practices. (This has happened before, as the disclosures point out: last year a 20-year settlement agreement with the Federal Trade Commission required the company to establish and refine policies related to user data and privacy settings, submit to privacy audits every two years and take other measures.) The company says complex, evolving laws and regulations for privacy and data protection could harm its business.
This seems to be as it should be—at least for the SEC, which last fall issued disclosure guidance on cybersecurity risk that all public companies should be aware of (private companies should take note too). But while Facebook followed this disclosure guidance, these disclosures are aimed protecting investors; they reveal the potential effects of problems after the fact. That’s not reassuring to Facebook users.
As more and more data moves online and into the cloud, companies need to actively protect their customer data. Cyber attacks happen with increasing frequency, and only the big cases (like Zappos.com last month) are publicized. It’s critical: our finances, medical records, credit cards, employment, passwords and other aspects of our personal lives are online. Companies that don’t take data protection and cyber security seriously are gambling with risks that may be very expensive or change how they do business.
At least some relief may be in the works. The Federal Trade Commission will soon release its final staff report of recommended controls and standards for the online protection of consumers’ privacy. The report is expected to expand the scope of what may constitute consumer data and propose sweeping new standards.
It’s unlikely, however, that U.S. regulations will be as stringent as the proposed Data Protection Directive issued Jan. 25 for the European Union. Those regulations would apply to anyone processing data in the EU—including those outside Europe who offer goods or services to EU citizens. Key points include:
- Significant fines for organizations that don’t follow basic knowledge/consent obligations or requirements to adopt good policies and procedures
- A requirement to appoint a data protection officer who must ensure that the organization adopts good data governance policies and procedures
- Regular data protection audits and privacy impact assessments
- A requirement to notify data protection authorities within 24 hours of a data breach
We’ll be watching to see if the FTC grasps the severity of problem and fully addresses the need to protect consumer information.
Whether it does or not, companies should pay full attention to both their privacy and data protection measures and their disclosures around it. Building customer trust and goodwill takes a lot of corporate resources; losing that trust can have a significant adverse impact to any business. With better protections in place, transparency and disclosure will follow more easily—and those companies will be trusted more by customers and investors alike.