On the same day its record $5 billion dollar settlement with the FTC was announced, Facebook agreed to pay a $100 million fine to settle charges from the U.S. Securities and Exchange Commission (SEC) that Facebook misled investors for over 2 years about misuse of user data.
Facebook did not admit or deny wrongdoing in agreeing to settle.
The SEC announced the $100 million fine and other settlement terms on Wednesday.
Here is the entirety of the SEC release, "Facebook to Pay $100 Million for Misleading Investors About the Risks It Faced From Misuse of User Data," from sec.gov:
The Securities and Exchange Commission today announced charges against Facebook Inc. for making misleading disclosures regarding the risk of misuse of Facebook user data. For more than two years, Facebook's public disclosures presented the risk of misuse of user data as merely hypothetical when Facebook knew that a third-party developer had actually misused Facebook user data. Public companies must identify and consider the material risks to their business and have procedures designed to make disclosures that are accurate in all material respects, including not continuing to describe a risk as hypothetical when it has in fact happened.
Facebook has agreed to pay $100 million to settle the charges.
According to the SEC's complaint, in 2014 and 2015, the now-defunct advertising and data analytics company, Cambridge Analytica, paid an academic researcher, through a company he controlled, to collect and transfer data from Facebook to create personality scores for approximately 30 million Americans. In addition to the personality scores, the researcher, in violation of Facebook's policies, also transferred to Cambridge Analytica the underlying Facebook user data, including names, genders, locations, birthdays, and "page likes." Cambridge Analytica used this information in connection with its political advertising activities.
The SEC's complaint alleges that Facebook discovered the misuse of its users' information in 2015, but did not correct its existing disclosure for more than two years. Instead, Facebook continued to tell investors that "our users' data may be improperly accessed, used or disclosed." (emphasis added) According to the SEC complaint, Facebook reinforced this false impression when it told news reporters who were investigating Cambridge Analytica's use of Facebook user data that it had discovered no evidence of wrongdoing. When the company finally did disclose the incident in March 2018, its stock price dropped.
The complaint further alleges that during this two-year period, Facebook had no specific policies or procedures in place to assess the results of their investigation for the purposes of making accurate disclosures in Facebook's public filings.
"Public companies must accurately describe the material risks to their business," said Stephanie Avakian, Co-Director of the SEC's Enforcement Division. "As alleged in our complaint, Facebook presented the risk of misuse of user data as hypothetical when they knew user data had in fact been misused. Public companies must have procedures in place to make accurate disclosures about material business risks."
"We allege that Facebook exacerbated its disclosure failures when it misled reporters who asked the company about its investigation into Cambridge Analytica," said Erin E. Schneider, Director of the SEC's San Francisco Regional Office. "This gave further weight to Facebook's misleading statements in its public filings."
Without admitting or denying the SEC's allegations, Facebook has agreed to the entry of a final judgment ordering a $100 million penalty and permanently enjoining it from violating Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934, and Rules 12b-20, 13a-1, 13a-13, and 13a-15(a) thereunder.
The SEC's investigation was conducted by Matthew Meyerhofer and Robert Tashjian and supervised by Tracy L. Davis and Erin Schneider of the San Francisco office.
As with the FTC fine, Facebook didn't have to admit guilt, though it also didn't deny the allegations. The deal also permanently enjoins the company from violating relevant sections of the Securities Act and Securities Exchange Act.
An SEC penalty wasn't expected to be the focus — numerous leaks had concentrated on the FTC's actions. However, the $100 million payout may reinforce worries from some senators and other critics that Facebook is receiving a light punishment that doesn't reflect the full scale of the company's actions. Millions of people had their data compromised, and the company didn't reveal this until years after the fact.