July 15, 2019

The US Federal Trade Commission (FTC) has levied a $5 billion penalty against Facebook for mishandling users' personal data, a record-setting sanction that signals US regulators are following Europe's lead in making large companies take data protection seriously.

Last week the UK Information Commissioner's Office (ICO) announced its intention to fine British Airways and global hotel chain Marriott under GDPR for data breaches: £183.4m for BA and £99m for Marriott.

BA's penalty follows a 2018 attack that compromised data on roughly 500,000 customers. Marriott's stems from an intrusion into the Starwood guest reservation database that ran from 2014 until its discovery in 2018, exposing close to 339 million guest records.

Facebook's latest punishment (it was already fined £500k by the UK ICO for its part in the Cambridge Analytica scandal) still needs final approval from the US Department of Justice, which has historically approved FTC settlements without change.

If that happens it will be the biggest fine ever imposed by the US federal government on a technology company, more than 200 times the $22.5 million Google paid the FTC in 2012.

It reflects a wider frustration among users, politicians and regulators with the apparently blasé attitude Silicon Valley has toward the collection, storage and use of people's information.

In addition to the fine, Facebook has reportedly agreed to greater government oversight of how it handles user data. None of the settlement's conditions, however, is understood to limit Facebook's ability to collect data or share it with third parties.

There is also a view that the fine, though huge in absolute terms, is minor in relative ones: a drop in the bucket if you consider the tech giant's current estimated market value.


Compliance bares its teeth

Regardless, the size of Facebook's penalty is another sign that data security is firmly on the political agenda. Failure to protect privacy and secure personal information now carries painful penalties. Even for a company of Facebook's scale, $5 billion lopped off the bottom line will be noticed, not least by investors.

Whether it will do Facebook’s brand long-term damage is another question. The social network’s reputation for data privacy is already atrocious.

From Facebook to BA and Marriott, all of these penalties are well above anything regulators have levied in the past.

  • In Facebook's case the fine is about 9% of the company's 2018 revenue of $55.8bn.
  • In BA's case the fine represents 1.5% of its 2017 turnover.
  • Marriott's represents about 3% of the hotel company's $3.6bn in 2018 fee revenue.

And the long-term damage from a major breach can be significant. Moody's cut Equifax's credit outlook to negative in May 2019, almost two years after the company reported one of the largest data breaches of all time, citing the costs and lost business directly attributable to the breach.

Recent studies have also shown that customers punish companies after a major security incident. A recent survey on consumer trust found that British consumers take a particularly dim view of brands after a breach: 41 percent of UK consumers said they would steer clear of a brand forever after a hack, and a third said they would spend less with brands they perceive to have poor data practices.

Big companies are assumed to be less trustworthy on data protection than smaller ones: a smaller business is seen as a less likely target for hackers and as more likely to care about its reputation.

The politics of privacy

The Facebook, BA and Marriott fines show that regulators will now act to ensure data and privacy are protected, and will punish organisations that fail to measure up.

Governments have got the message that voters value their privacy. Rising expectations of how diligently businesses must protect it are firmly on the political agenda.

From regulatory penalties to reputational damage, failing to adequately protect customer data is fast becoming a self-inflicted business harm.

The long-term damage caused by a breach can be limited by how well a company responds, but organisations need to continually assess their security posture, and how aware staff are of how sensitive privacy and data protection have become for consumers.

Getting this wrong, or allowing a perception to develop that your organisation is weak on privacy and security, is a recipe for lost revenues.

