After reporting earlier this month that the Securities and Exchange Commission had joined the federal investigation into Facebook over its failure to disclose Cambridge Analytica's misues of user data, the Wall Street Journal revealed on Thursday exactly what the agency is investigating.
In keeping with its mission to police securities markets, the SEC is looking into whether Facebook's failure to warn investors about the potential for third-party developers to misuse their data represents a violation of disclosure laws.
The SEC has shown greater interest in recent months in probing data-security breaches and lapses. The agency has taken the position, most recently in a case filed against Altaba Inc., Yahoo Inc.’s successor company, that public companies must disclose material data leaks or breaches they know about. Telling investors that such incidents could happen isn’t good enough.
The Justice Department and the Federal Trade Commission are also probing the data leak and how Facebook and other parties handled it. The FTC is probing whether Facebook violated terms of an earlier consent decree requiring the company to get user consent for collecting personal data and sharing it with others.
The SEC is probing whether Facebook should have disclosed to shareholders its knowledge of the Cambridge Analytica violation in 2015, when it learned that Aleksandr Kogan, a professor at the University of Cambridge, had improperly shared data in 2014 for as many as 87 million Facebook users with Cambridge Analytica.
Essentially, the crux of the SEC investigation is whether the fact that Cambridge Analytica improperly used Facebook user data represented material information that should've been disclosed to investors.
Facebook officials believed in 2015 that what they discovered wasn’t material information for investors, because the data shared with Cambridge Analytica wasn’t as sensitive as other types of user data that Facebook keeps, such as some users’ payment information, a person familiar with the matter said. The Cambridge Analytica data included information on people who downloaded a personality-test app Mr. Kogan developed as well as some details about those people’s friends.
One former SEC enforcement attorney told WSJ that if Facebook was "making money" from its developer relationships, then not disclosing the misuse could "raise red flags."
While securities laws violations are never ideal, Facebook has much bigger things to worry about than an SEC fine which - judging by its treatment of the financial services industry - will amount to a few hundred million dollars, at most. The company should be far more concerned with the other agencies that are investigating the Cambridge Analytica "data breach". These include the FBI - which of course has the power to bring criminal charges - and the FTC - which could theoretically bring trillions of dollars in fines against Facebook for data privacy violations.
In other words, while the SEC can at most give Facebook a slap on the wrist, the other agencies participating in the investigation have the authority to potentially bring down the company.