SEC Probes Why Facebook Didn't Warn Sooner on Privacy Lapse

Facebook Chairman and Chief Executive Mark Zuckerberg prepared to testify before the House Energy and Commerce Committee on April 11 about a data breach affecting millions of Facebook users by a U.K. political consulting firm, Cambridge Analytica, linked to the Trump campaign.

Photo: Chip Somodevilla/Getty Images

Securities regulators are investigating whether Facebook Inc. adequately warned investors that developers and other third parties may have obtained users’ data without their permission or in violation of Facebook’s policies, people familiar with the matter said.

The Securities and Exchange Commission’s probe of the social-media company, first reported in early July, follows revelations that Cambridge Analytica, a data-analytics firm that had ties to President Donald Trump’s 2016 campaign, got access to information on millions of Facebook users.

The SEC has requested information from Facebook seeking to understand how much the company knew about Cambridge Analytica’s use of the data, these people said. The agency also wants to know how the company analyzed the risk it faced from developers sharing data with others in violation of Facebook’s policies, they added.

The SEC enforces securities laws that govern what must be disclosed to shareholders so they can make informed investment decisions. It is one of several government agencies investigating Facebook and its handling of user data.

The agency could close the Facebook investigation, which is in its early stages, without taking enforcement action against the firm.

Facebook and the SEC declined to comment.

The SEC has shown greater interest in recent months in probing data-security breaches and lapses. The agency has taken the position, most recently in a case filed against Altaba Inc., Yahoo Inc.’s successor company, that public companies must disclose material data leaks or breaches they know about. Telling investors that such incidents could happen isn’t good enough.

The Justice Department and the Federal Trade Commission are also probing the data leak and how Facebook and other parties handled it. The FTC is probing whether Facebook violated terms of an earlier consent decree requiring the company to get user consent for collecting personal data and sharing it with others.

The SEC is probing whether Facebook should have disclosed to shareholders its knowledge of the Cambridge Analytica violation in 2015, when it learned that Aleksandr Kogan, a professor at the University of Cambridge, had improperly shared data in 2014 for as many as 87 million Facebook users with Cambridge Analytica.

Facebook has said it told Mr. Kogan and Cambridge Analytica in 2015 to delete the data, and that it believed they had. Cambridge Analytica, Mr. Kogan and another data-analytics expert who worked on the project, Christopher Wylie, all certified they had destroyed the data, Facebook has said. The company said it learned in 2018 that it was possible not all of the data were destroyed.

That aspect didn’t come to light until March, when the New York Times and the Guardian newspapers revealed Mr. Kogan’s role in harvesting data for Cambridge Analytica.

Facebook’s shares fell about 17% in the weeks after news about the breach broke. Shares of Facebook have subsequently climbed more than 30% and have recently been at or near all-time highs.

In April, Facebook Chief Executive Mark Zuckerberg said it was possible that others misused data from the social network. Later that month, Facebook updated its investor disclosures to reflect that likelihood and said the FTC and other government agencies were probing how Facebook responded to the episode. The company’s April quarterly investor filing said it could discover “additional incidents of misuse of user data or other undesirable activity by third parties.” Such incidents could “negatively affect user trust and engagement, harm our reputation and brands, and adversely affect our business and financial results,” Facebook wrote in the disclosure.

Facebook has characterized the Cambridge Analytica incident as a “breach of trust” but denies it amounted to a data breach.

Facebook’s prior investor filing, its 2017 annual report issued in February, used the word “misuse” just once, when describing the risk of hackers breaking into its systems to steal user data.

The 2017 report didn’t address the risk of app developers or other commercial entities such as Cambridge Analytica improperly obtaining user data, although Facebook warned that if “developers fail to adopt or adhere to adequate data security practices … our data or our users’ data may be improperly accessed, used or disclosed.”

Facebook officials believed in 2015 that what they discovered wasn’t material information for investors, because the data shared with Cambridge Analytica wasn’t as sensitive as other types of user data that Facebook keeps, such as some users’ payment information, a person familiar with the matter said. The Cambridge Analytica data included information on people who downloaded a personality-test app Mr. Kogan developed as well as some details about those people’s friends.

John Reed Stark, a former SEC enforcement attorney who is now a cybersecurity consultant, said the agency could find fault with how the company reported the incident. “If Facebook is earning revenue from contracts with third-party venders that misuse private member data, yet failing to disclose that these contracts potentially violate global and U.S. privacy laws as well as whatever terms of use Facebook maintains with its members, this could raise a red flag for the SEC,” Mr. Stark said.

Write to Dave Michaels at dave.michaels@wsj.com and Georgia Wells at Georgia.Wells@wsj.com