“Wherever you are talking, you are talking to investors,” said John Reed Stark, who worked for the SEC’s enforcement division for nearly 20 years and founded its former Office of Internet Enforcement. “There is no place where you have immunity. . . . When you’re a public company official, you have to be careful at all times.”
Facebook discovered in 2015 that Cambridge Analytica, which later worked for the Trump campaign, had obtained Facebook data on 71 million Americans to create voter profiles. Yet Facebook didn’t disclose that information to the public until March, on the eve of the publication of news reports about the matter. The questioning from federal investigators centers on what Facebook knew three years ago and why the company didn’t reveal it at the time to its users or investors, as well as any discrepancies in more recent accounts, among other issues, according to people familiar with the official inquiries.
Facebook is also being investigated by the Federal Trade Commission and the Justice Department. The Wall Street watchdog can fine companies and executives and often works closely with federal prosecutors pursuing criminal charges.
If another investigation finds that Facebook violated customers’ privacy for commercial purposes, that could compound its problems with the SEC, legal experts said. “If they were doing things that were unlawful to make a profit and not disclosing that, that could be a financial fraud, too,” said Stark.
The SEC declined to comment.
The questioning of Facebook comes at a time when the SEC is putting increasing pressure on corporations to disclose data breaches and has reopened its cybersecurity unit. “A hot issue for SEC enforcement is when must a public company disclose unauthorized releases or breaches of personal information,” said Jacob S. Frenkel, a former senior counsel in the SEC’s enforcement division.
This year, the SEC fined the company formerly known as Yahoo $35 million for failing to tell investors about a massive cyber-breach for two years — the first time the regulator has punished a company for such conduct. The Web giant learned in 2014 that Russian hackers had stolen the user names, email addresses and other key data of 500 million of its users, the largest breach of its kind at the time. But it didn’t tell investors about it for nearly two years, according to the SEC. The first-of-its-kind fine “should serve as a message to other companies,” Steven Peikin, co-director of the SEC enforcement division, said at the time.
There are no simple guidelines on how quickly a company must disclose such incidents, but the Yahoo case indicates that the SEC views two years as too long, said Frenkel. “To the extent that reasonable investors would view the information as material, the concept of omitting to disclose a material fact is part of the language of the anti-fraud law,” he said.
The SEC has also been dealing with the fallout from its own breach. In 2016, hackers penetrated one of the agency’s most sensitive databases and may have been able to use the information to gain a trading advantage over the investing public to pocket illicit profits. But the breach was not disclosed until 2017, prompting some lawmakers and cyber-experts to question whether the SEC had met its own standards.
“In today’s environment, cybersecurity is critical to the operations of companies and our markets. . . . Public companies must stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion,” SEC Chairman Jay Clayton said in February.
Facebook has said that it is a victim of Cambridge Analytica but not of a cyber-breach.
There is no standard definition of a data breach, which can range from an employee mistakenly taking home a company laptop to a coordinated cyberattack meant to steal millions of pieces of personal information, legal experts said. But that does not change Facebook’s responsibility to keep investors informed about potential risks it is facing, they said. “There is a requirement not to mislead people by representation or omission,” said Stark, who counsels companies on cyber-disclosure issues. “There is a gray area that Facebook may be residing in. But that doesn’t make it any better or worse.”
“An argument that there was no ‘breach’ could backfire, because that could suggest that the company’s controls to protect data were inadequate, which itself would give rise to potential regulatory violations,” said Frenkel.
The SEC could also examine whether Facebook insiders took advantage of knowing about potentially damaging corporate information before it was disclosed to the public. Equifax faced similar fallout after it disclosed last year that hackers had obtained sensitive information, including Social Security numbers and dates of birth, for more than 143 million people. The breach was discovered by the company at the end of July, but it wasn’t reported to the public until September.