Cambridge Analytica data mined over 50 million subscribed Facebook user's private information. As more details emerge over the questionable activities performed, the fall out continues.
While we know that the event centered on information pertaining to the US election and that of strategic messaging to the electorate, there is no telling if other such firms have undertaken similar activities on a global scale.
Data mining is nothing new, and clearly, its insight into consumer habits is key in tailoring a successful marketing message. However, there is a dark side to any good technology and in the sense that technology can be leveraged as both a positive and negative force. It adds to the perfect storm that financial services or any service for that matter which is involved in processing or storing data finds themselves in.
An Expensive Lesson in Trust But Verify
On Wednesday March 21, Mark Zuckerberg gave several interviews to the press and was quoted as saying the that the event was a breach in trust. It's noted that Cambridge Analytica did not illegally access the data of the Facebook users since they legally created an app which plugged into Facebook. The breach occurred when they allegedly shared the collected information with a third party.
According to sources, upon discovery Facebook instructed Cambridge Analytica to delete the information. Facebook must be a trusting bunch because they didn’t verify that the information had been deleted. Anyone in third party risk management could give a lesson to Mr. Zuckerberg on the concept of trust but verify. It has since proved to be an expensive lesson. Financial analysts and Wall Street are watching value being wiped off the Facebook stock price. At the time of writing, the stock price has lost anywhere from 10–14 percent of its value - not an insignificant amount for an over $500 billion company.
Prior to the news, Facebook valuation on February 1 was listed as $560.93 billion - compare to March 22 with a new valuation of $491.18 billion. As stated above, this has become an expensive lesson and the fall out may still continue. Mistrust, reputational risk and financial exposure is something which the social network will now have to focus on. We expect Mr. Zuckerberg to continue with the media apologies and may even appear before congress to explain what happened and what remediation steps will be implemented. Even as this story developed, the stock price took another hit as the FTC announced they would be looking into the social media giant data privacy controls.
Data Security Continues to Be Significant
As we saw in the 2017 data breach at Equifax, data security or lack of continues to be a significant area of risk to dominate the news but also our ongoing duties in third party risk management. There is a statistic that is garnering lots of attention in recent months regarding data breaches and where they might originate from. Sixty-three percent of known data breaches originate with a third party. This is sometimes difficult to relate to, but the Cambridge Analytica story adds weight to the fact and makes it much more tangible.
Reputational risk can have significant impact on organizations and can even cause firms to close altogether. In the case of Cambridge Analytica, the CEO Alexander Nix was suspended shortly after the scandal continued to garner attention.
In a similar event reported back in 2015 known as the Panama Papers, 11.5 million financial documents involving shell companies, offshore firms and private attorney privileged information was leaked by an anonymous source. The information was obtained from Panamanian law firm Mossack Fonseca. The reputational fall out from this scandal eventually led to reports on March 14, 2018 that the law firm had decided to close its doors after being in business for over 40 years.
The firm issued a statement which quoted, “...reputational deterioration… have occasioned an irreversible damage that necessitates the obligatory ceasing of public operations.” Time will tell if Cambridge Analytica will suffer a similar fate.
GDPR Is Furthering Data Protection Compliance
As institutions brace and prepare for the oncoming compliance storm of GDPR compliance, we are reminded how important data protection has become. The European Union (EU) wisely introduced the GDPR law in 2016 and was a long overdue update to the former 1985 EU data protection laws since it recognized how its 28-member States' citizens now conducted their lives and business within a digital landscape. As for Facebook, this would be an organization which had the scandal impacted EU residents could have resulted in fines and additional bad press. Timing is everything.
From a third party risk exercise, the scandal has proven that every organization should vet potential partners and software integrations and view data security as a top tier priority. The risk to your organization and the potential loss of trust of your consumer or user base can be significant.