Washington D.C., July 24, 2019 — The Securities and Exchange Commission today announced charges against Facebook Inc. for making misleading disclosures regarding the risk of misuse of Facebook user data. For more than two years, Facebook’s public disclosures presented the risk of misuse of user data as merely hypothetical when Facebook knew that a third-party developer had actually misused Facebook user data. Public companies must identify and consider the material risks to their business and have procedures designed to make disclosures that are accurate in all material respects, including not continuing to describe a risk as hypothetical when it has in fact happened.
Facebook has agreed to pay $100 million to settle the charges.
According to the SEC’s complaint, in 2014 and 2015, the now-defunct advertising and data analytics company, Cambridge Analytica, paid an academic researcher, through a company he controlled, to collect and transfer data from Facebook to create personality scores for approximately 30 million Americans. In addition to the personality scores, the researcher, in violation of Facebook’s policies, also transferred to Cambridge Analytica the underlying Facebook user data, including names, genders, locations, birthdays, and “page likes.” Cambridge Analytica used this information in connection with its political advertising activities.
The SEC’s complaint alleges that Facebook discovered the misuse of its users’ information in 2015, but did not correct its existing disclosure for more than two years. Instead, Facebook continued to tell investors that “our users’ data may be improperly accessed, used or disclosed.” (emphasis added) According to the SEC complaint, Facebook reinforced this false impression when it told news reporters who were investigating Cambridge Analytica’s use of Facebook user data that it had discovered no evidence of wrongdoing. When the company finally did disclose the incident in March 2018, its stock price dropped.
The complaint further alleges that during this two-year period, Facebook had no specific policies or procedures in place to assess the results of their investigation for the purposes of making accurate disclosures in Facebook’s public filings.
“Public companies must accurately describe the material risks to their business,” said Stephanie Avakian, Co-Director of the SEC’s Enforcement Division. “As alleged in our complaint, Facebook presented the risk of misuse of user data as hypothetical when they knew user data had in fact been misused. Public companies must have procedures in place to make accurate disclosures about material business risks.”
“We allege that Facebook exacerbated its disclosure failures when it misled reporters who asked the company about its investigation into Cambridge Analytica,” said Erin E. Schneider, Director of the SEC’s San Francisco Regional Office. “This gave further weight to Facebook’s misleading statements in its public filings.”
Without admitting or denying the SEC’s allegations, Facebook has agreed to the entry of a final judgment ordering a $100 million penalty and permanently enjoining it from violating Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934, and Rules 12b-20, 13a-1, 13a-13, and 13a-15(a) thereunder.
The SEC’s investigation was conducted by Matthew Meyerhofer and Robert Tashjian and supervised by Tracy L. Davis and Erin Schneider of the San Francisco office.