SEC Probes Why Facebook Didn’t Warn Sooner on Privacy Lapse

Facebook faces questions on what it knew and when about Cambridge Analytica’s use of social-media data

Mark Zuckerberg prepared to testify before the House Energy and Commerce Committee on April 11 about a data breach affecting millions of Facebook users by U.K. political consulting firm Cambridge Analytica.

Dave Michaels and Georgia Wells

Securities regulators are investigating whether Facebook adequately warned investors that developers and other third parties may have obtained users’ data without their permission or in violation of Facebook policies, people familiar with the matter said.

The Securities and Exchange Commission’s probe of the social-media company, first reported in early July, follows revelations that Cambridge Analytica, a data-analytics firm that had ties to President Donald Trump’s 2016 campaign, got access to information on millions of Facebook users.

The SEC has requested information from Facebook as it seeks to understand how much the company knew about Cambridge Analytica’s use of the data, these people said. The agency also wants to know how Facebook analyzed the risk it faced if developers were to share data with others in violation of its policies, they added.

The SEC, one of several government agencies investigating Facebook and its handling of user data, enforces securities laws governing what must be disclosed to shareholders so they can make informed investment decisions. It could close its investigation, which is in its early stages, without taking enforcement action against Facebook.

Facebook and the SEC declined to comment.

The SEC has shown greater interest in recent months in probing data-security breaches and lapses. It has taken the position, most recently in a case filed against Altaba Inc., the successor company of Yahoo Inc., that public companies must disclose material data leaks or breaches they know about. Telling investors that such incidents could happen isn’t good enough.

The Justice Department and the Federal Trade Commission also are probing the data leak and how Facebook and other parties handled it. The FTC is looking at whether Facebook violated terms of an earlier consent decree requiring it to get user consent for collecting personal data and sharing it with others.

The SEC is probing whether Facebook should have disclosed to shareholders its knowledge of the Cambridge Analytica violation in 2015, when it learned that Aleksandr Kogan, a professor at the University of Cambridge, had improperly shared data with Cambridge Analytica in 2014 for as many as 87 million Facebook users.

Facebook has said it told Mr. Kogan and Cambridge Analytica in 2015 to delete the data and believed they had done so. Cambridge Analytica, Mr. Kogan and another data-analytics expert who worked on the project, Christopher Wylie, certified they had destroyed the data, Facebook has said. The company said it learned in 2018 that it was possible not all of the data were destroyed.

That aspect didn’t come to light until March, when the New York Times and Guardian Media Group revealed more about the data harvesting and Cambridge Analytica’s voter-profiling efforts.

Facebook’s shares fell about 17% in the weeks after news of the breach broke. Since then, the shares have climbed more than 30% and recently have been at or near all-time highs.

In April, Facebook Chief Executive Mark Zuckerberg said it was possible others misused data from the social network. Later that month, Facebook updated its investor disclosures to reflect that likelihood and said the FTC and other government agencies were probing how it responded to the episode. The company’s April quarterly investor filing said it could discover “additional incidents of misuse of user data or other undesirable activity by third parties” and said such incidents could “negatively affect user trust and engagement, harm our reputation and brands, and adversely affect our business and financial results.”

Facebook has characterized the Cambridge Analytica incident as a “breach of trust” but not a data breach. Its prior investor filing, the 2017 annual report in February, used the word “misuse” just once, when describing the risk of hackers breaking into its systems to steal user data. It didn’t address the risk of app developers or other commercial entities such as Cambridge Analytica improperly obtaining user data, but warned that if “developers fail to adopt or adhere to adequate data security practices…our data or our users’ data may be improperly accessed, used or disclosed.”

Facebook officials believed what they had discovered in 2015 wasn’t material information to investors because the data shared with Cambridge Analytica was less sensitive than other types of data that Facebook keeps, such as some users’ payment information, a person familiar with the matter said. The Cambridge Analytica trove included data on people who downloaded a personality-test app Mr. Kogan developed and some details about their friends.

John Reed Stark, a cybersecurity consultant and former SEC enforcement attorney, said the way Facebook reported the incident could raise a red flag for the SEC if Facebook earned revenue from contracts with third-party vendors that misused private member data yet failed to disclose that the contracts potentially violate global and U.S. privacy laws as well as Facebook’s terms of use.