Regulatory and Enforcement Alert: Key Takeaways From the SEC’s Facebook Settlement

07.25.19

Yesterday, the Securities and Exchange Commission announced a settled enforcement action with Facebook for the company’s failure to adequately disclose the misuse of its customer information by the data analytics firm Cambridge Analytica. The SEC’s case, announced on the same day as Facebook’s $5 billion settlement with the Federal Trade Commission for violations of the consumer privacy laws, alleges that a researcher with access to Facebook’s user data sold that data to Cambridge Analytica in violation of Facebook’s Platform Policy. Further, it alleges that Facebook misleadingly presented the misuse of that data as a merely hypothetical risk in its public filings even after discovering the actual violations of its Platform Policy. The settlement’s terms include Facebook’s payment of a $100 million penalty and permanent injunctions from further violations of a variety of non-scienter provisions of the federal securities laws.

The case highlights two notable trends in the SEC’s approach to public company enforcement. First, the settlement underscores that particular care is required when issuers use hypothetical language (e.g., “may”) to disclose risks that have already come to fruition. As Stephanie Avakian, Co-Director of Enforcement at the SEC, observed in connection with the settlement: “Facebook presented the risk of misuse of user data as hypothetical when they knew user data had in fact been misused.” (Emphasis added.) Last year, in a similar vein, the SEC sued Yahoo! for stating in its SEC filings that a security breach “may” incur significant legal and financial exposure, when the company already knew that a massive data breach had occurred. The SEC’s expectation that issuers screen operational issues against their risk disclosures may pose challenges in public companies with operational and geographic complexity, but these actions suggest that proactive and rigorous review of existing disclosure controls and procedures is critical.

Second, the Facebook action is another example—following on the heels of the SEC’s Volkswagen case—of the growing trend of characterizing failures to disclose operational misconduct as securities fraud. According to the SEC’s complaint, although more than 30 Facebook employees were aware of the Cambridge Analytica-related violation of Facebook’s Platform Policy, the company allegedly failed to assess the disclosure implications of this breach in connection with Facebook’s public filings. Public companies should be alert to the risk that the failure to disclose an operational breakdown may in fact constitute “securities fraud.” Where lines will be drawn in determining just when that is the case remains an open question.[1]


[1] Cf. Singh v. Cigna Corp., 918 F.3d 57, 59-60 (2d Cir. 2019) (rejecting “a creative attempt to recast corporate mismanagement as securities fraud”).