Facebook filed its long-awaited Form S-1 with the SEC on February 1. Given the nature of its business, concerns regarding data privacy were peppered throughout the filing. While other business risk factors (e.g., reliance on Zynga and slowing growth) may be paramount, data privacy has been and will continue to be an important issue for Facebook.
For instance, in November 2011 Facebook settled a case with the FTC in which it agreed to subject itself to bi-annual privacy audits for the next 20 years. Using this example, the filing states that Facebook expects to continue to be subject to similar regulatory investigations regarding privacy going forward.
The filing also cites new and changing laws and regulations regarding data privacy, both U.S. and foreign, as potentially having the following negative consequences on Facebook’s core business:
“[Such laws and regulations] can be costly to comply with and can delay or impede the development of new products, result in negative publicity, increase our operating costs, require significant management time and attention, and subject us to claims or other remedies, including fines or demands that we modify or cease existing business practices.”
Considering the risks presented by continued pressure on the data privacy front, Facebook says it is not taking any chances, putting in place “a dedicated team of privacy professionals who are involved in new product and feature development from design through launch; ongoing review and monitoring of the way data is handled by existing features and apps; and rigorous data security practices.”
Facebook’s cybersecurity disclosure is a relatively sophisticated example of a disclosure prepared after the SEC released its fairly recent guidance on this topic. It could be seen as a blueprint for other companies going forward.
By contrast, VeriSign is facing scrutiny for waiting until September 2011 to disclose successful attacks against its corporate network that occurred in 2010. VeriSign’s 2011 disclosure contained little information about the nature of the attacks, the type of data taken, or the remedial measures adopted. VeriSign did insist that its SSL business had not been compromised.