Vendor Risk Management Lessons Coming From Facebook
Amidst additional scrutiny into Facebook’s personal data sharing by the media this week, the first government lawsuit in the United States over Cambridge Analytica has been filed today – a lawsuit by the Washington DC Attorney General for violation of the region’s consumer protection law. It is possible that the litigation will shape vendor risk management at companies in the United States for years to come.
The Washington Post is reporting today that the Washington DC Attorney General will sue Facebook over Cambridge Analytica. 852 users within the jurisdiction downloaded the app used by Cambridge Analytica and approximately 340,000 people in DC had their data collected. The lawsuit charges Facebook with misleading users in violation of the District’s Consumer Protection Procedures Act. The maximum penalty under that law is $5,000 per violation and CNBC reported that the fines could tally up to $1.7 billion depending on what is considered a violation of the statute. The lawsuit has not been filed jointly with other government agencies.
The lawsuit alleges that Facebook allowed the third-party application to use the platform to harvest personal information through lax oversight and misleading privacy settings. According to the DC AG, “Facebook put users at risk of manipulation by allowing companies like Cambridge Analytica and other third-party applications to collect personal data without users’ permission.”
Among the specific allegations of the lawsuit as reported in the press release are that:
– Facebook promised to protect the privacy of personal information and require apps and developers to respect privacy.
– Facebook failed to properly monitor apps’ usage of data.
– Facebook made it difficult for consumers to control how their data was shared and maintained a confusing and ambiguous privacy policy and settings.
– Facebook failed to disclose the Cambridge Analytica breach to consumers for more than two years.
– Facebook failed to ensure the improperly obtained personal data was deleted.
The lawsuit follows dozens of class action lawsuits filed against Facebook and other involved companies as well as the announcement by the UK Information Commissioner’s Office (ICO) that Facebook would receive the maximum pre-GDPR fine of 500,000 pounds. It is the first filed by a regulator in the United States.
Since March, the Federal Trade Commission (FTC) has been investigating allegations that Facebook violated its consent decree with the agency. However, the FTC has not provided an update on that investigation since it confirmed its existence. When the FTC chair was asked about it by members of Congress in a recent hearing, he declined to answer, citing the agency’s policy of not commenting on active investigations.
The lawsuit comes amid additional controversy over Facebook’s data sharing with third-party vendors. The New York Times coverage of data sharing at Facebook continued this week with another article about the extensive personal data sharing that has taken place between Facebook and some third parties.
Facebook responded to the coverage with a post in its newsroom indicating that it has had features and partnerships with access to personal data, but that these were done with user consent, and most of them have been shut down over the years. According to Facebook, the partnerships that remain are with Amazon, Apple, Tobii, Alibaba, Mozilla and Opera.
However, CNBC coverage of the ongoing story included comments or statements from some of the providers that reportedly had access, including Netflix, Microsoft, Royal Bank of Canada, Spotify and Amazon. None of the statements specifically corroborated Facebook’s account that the partner had access and sought consent from its users for it.
Facebook stock was down six percent intraday on the news. Shares on the Nasdaq are now trading at around $135, near its lowest point in the year. Shares briefly topped $200 in July before the stock plunged following the release of its quarterly report. The stock was trading at around $185 when the Cambridge Analytica announcement happened.
A lot of the focus on the Facebook – Cambridge Analytica scandal this year has been on privacy. Questions are appropriately being asked about whether Facebook received consent from users to share the information with these companies. However, beyond the narrow question of the privacy policy and consent is a broader question about the responsibilities of companies in the selection of their vendors and their data sharing with those third parties.
That these questions may ultimately turn on third-party vendor risk management rather than on consent is foreshadowed by the new privacy legislation introduced by Senator Brian Schatz, which makes the protection of personal data a fiduciary duty of care and loyalty. In order to satisfy these duties, organizations transferring data would have an obligation to conduct reasonable vendor management or risk violating the law.
If the courts ultimately decide that Facebook misled consumers by not acting with appropriate care around its vendors and, as a result, violated promises it made to protect user data, other organizations making similar promises would also have to alter their practices around vendor risk management.
The result is that the Facebook – Cambridge Analytica litigation or the FTC investigation could trigger significant additional duties for businesses around third-party vendor risk management.
Improve Data Privacy for GDPR or CCPA with Clarip
The Clarip team and enterprise privacy management software are ready to meet your compliance automation challenges. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If compliance with the California Consumer Privacy Act is your focus until 2020, ask us about our CCPA software. Handle automation of data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with the consent management software.
Need to improve your GDPR compliance solution? Clarip offers modular GDPR software that can fill in gaps in your privacy program. Choose from the data mapping software for an automated solution to understanding your data collection and sharing, conduct privacy risk assessments with DPIA software, or choose the cookie consent manager for ePrivacy.