
The $5 billion Facebook fine: lessons for all businesses about privacy violations (GDPR & US regulations)

User privacy violations by Facebook led to a record-breaking fine, the largest ever imposed by the FTC on a tech company: $5 billion.

The Cambridge Analytica case set off a welter of reactions and a deep examination of Facebook’s privacy practices, which backfired on the company in many ways and cost far more than the $5 billion fine itself.

Lesson #1: Your intentions matter and can be proven: The US Senate has given clear warnings that the US Government is not taking privacy issues lightly and that it will be very strict with the company unless it sees movement in the right direction; yet the FaceApp controversy that broke in the same weeks showed how little appetite there still is for compliance with governmental security and privacy frameworks. Even though the US does not have a dedicated law crafted specifically for privacy violations, companies that mislead consumers or use unfair practices can be punished under the FTC’s authority over unfair or deceptive practices (Section 5 of the FTC Act). The US is following the same approach as the EU’s GDPR, and I would predict that it will soon draft an equivalent law as well.

Lesson #2: There is more to privacy agreements than legal terms: Privacy is not about a legal statement. It is about understanding the dynamics between the legal, usability and security components of the agreement established between a company and a consumer. The legal text alone will not do the job.

A privacy policy is a combination of legal, usability and security components.

Lesson #3: Previous mistakes will not be forgiven OR forgotten: $5 billion is the biggest fine ever levied against a company for violating consumers’ privacy, and it represents approximately 9% of Facebook’s 2018 revenue. That is a clear indication of the path that will be followed for future breaches of users’ privacy, with fines expected to increase for repeat offenders.

Lesson #4: Privacy is a cultural and structural change, not a legal one: The message has been clearly communicated to, and understood by, Facebook’s CEO and founder Mark Zuckerberg, who is taking action by announcing structural changes to prevent this situation from happening again. Among the changes to expect, which are good practice for any company to follow, are the following:

  • An independent dedicated “privacy board management committee” to evaluate the privacy controls and measures in place
  • The creation of a new department with newly employed privacy officers

Of course, those are just a start, and Mark can contact me for more direction.

Lesson #5: Privacy becomes a pillar of company decisions: The goal and mission of this new team is to review and establish privacy policies, measures and controls, and to protect the company from falling into the same issues again. It is a cultural change towards privacy and protection, and a historic win for privacy, since privacy becomes a pillar of company decisions on future products and services. What that means for any company is that privacy needs to be one of the specs in every decision taken from now on. That is a strong point in your favour to prove you took user privacy seriously in the unlikely event of a breach, and a defining factor in the fine you will be assigned because of that breach. Having a strategy for contesting a legal fine over privacy issues is an essential part of your preparation for compliance.

Privacy becomes a pillar and a spec for business related decisions.

Lesson #6: The fine is not your only cost: Privacy-related penalties have many roots and will drain far more from your company than you expect. The Securities and Exchange Commission announced that Facebook will also pay $100 million for not being transparent with investors about the risk of misuse of Facebook user data. Facebook’s stock was down slightly when the market opened Wednesday morning and it keeps going down. That is before counting the brand damage and the trust issues created among consumers by:

  • Deceptive user privacy disclosures and settings, which violated the prior consent order Facebook signed with the Federal Trade Commission in 2012.
  • Misuse of phone numbers obtained for account security purposes (two-factor authentication) to also target advertisements at users.
  • Deceiving “tens of millions of users” by implying that a facial recognition feature on the service was not enabled by default, when in fact it was.

Lesson #7: Transparency is key: Not being transparent with the authorities and with users is not the smartest approach: it violates basic privacy principles and breaks the laws that protect individuals’ rights. Consumers are not the only ones who leave traces that can be mined for profit or propaganda; systems leave clues and online traces too, so be transparent with the authorities. Any privacy regulation like GDPR requires anticipation and a strategy prepared before a serious privacy breach happens.

Lesson #8: Finding the golden ratio: I believe we all agree that mind programming has reached a new level with social-media-enabled propaganda. Politicians in Washington and worldwide are coming to the realization that private companies have already established this new form of control and want to find the best way of avoiding it in the future, so fines will be substantial in order to regulate and communicate their expectations.

What that means for you is that there is a golden ratio that balances marketing, competition, security and privacy, but the equation is unique to each case and needs customized evaluation, so find someone who can help you work it out for your own business.

Lesson #9: Negotiate leniency for old mistakes, but prepare harder to avoid a security breach: One of Facebook’s greatest wins is that it obtained immunity for anything that happened before the settlement, but that only covers conduct related to collaborators and marketing. How much of a win it is, time will tell; in the event of a security breach the agreement falls away. That is because cyber attacks by nature run in a continuous cycle: data collected in the past can be curated differently and reused for future attacks.

Overall, the fine sets the tone and gives a flavor of what to expect not only in the US but also under the European equivalent, GDPR.

As a general note, governmental authorities should decide on the best use of the fines collected, as in the Facebook case the settlement goes to the U.S. Treasury. It would be optimal to use the money to

  • build better privacy & security infrastructures for governments, as they are not immune to attacks and breaches
  • fund consumer education, and
  • pay out consumers whose privacy has been violated.

A historic win for privacy is a small step closer to protection.

So I am now turning it over to you. If you found this useful, please share it with others. Privacy is an issue that affects everyone. Share your thoughts with me.
