Facebook will pay $5 billion fine for Cambridge Analytica data breaches

The company will also be subject to a new privacy oversight committee.

The Federal Trade Commission has announced that Facebook will pay a massive fine in the wake of the Cambridge Analytica scandal. The social network will pay $5 billion to settle the charge that it broke a 2012 FTC order concerning the privacy of user data. And, as part of the settlement, Facebook has had to agree to a new management structure and new rules about how it manages user data.

Facebook, now subject to a 20-year settlement order, will have to create a new independent privacy committee. A group of Facebook directors will meet, every quarter, to receive reports from an independent privacy "assessor," who will monitor Facebook's actions. The FTC has also put in place rules to prevent CEO Mark Zuckerberg, who has majority control of the company, from single-handedly dismissing them.

The social network (including WhatsApp and Instagram) will also be bound by new reporting rules on disclosing privacy breaches to authorities. Should personal information affecting more than 500 users be leaked, Facebook will have 30 days to notify the FTC. Facebook was criticized after using phone numbers, supplied to enable two-factor authentication, for advertising purposes. As part of the settlement, it will no longer be able to do so.

The $5 billion figure was agreed upon back in early July, and was widely reported at the time, although the figure was seen as far too small. Recode founder Kara Swisher wrote in the New York Times that $5 billion was "A parking ticket," and that the FTC should "put another zero" on the fine. Investors, similarly, seemed happy that the fine was survivable, and Facebook's stock price rose after the reports filtered out.

The FTC voted along party lines to bring the suit, with the two Democrats voting no as they felt the FTC didn't go far enough. Commissioner Rebecca Slaughter said that the FTC was "more than justified" in bringing a lawsuit against Facebook for its numerous privacy failures. Slaughter feels, however, that the fine was "insufficient," and that the new rules imposed will not have the desired outcome. Slaughter also objected that Facebook avoided litigation and that CEO Mark Zuckerberg was not held accountable for any of this.

At the same time, the FTC has also doled out punishments for two key figures within Cambridge Analytica. Aleksandr Kogan (who developed the infamous personality test app) and Cambridge Analytica CEO Alexander Nix have both agreed to restrictions on their future business conduct.

That includes an order to delete, or destroy, any remaining personal information they hold as part of their work for CA. And, in future, both Kogan and Nix will be barred from making false or deceptive claims regarding their use of personal data, and the sale of it.

The SEC, too, has fined Facebook $100 million for misleading investors about its data security. Officials said that the social network presented data breaches as hypothetical, despite the fact that one had already taken place. Facebook "knew that a third-party developer had actually misused Facebook user data," and not saying so was a failure to disclose.

In a statement, SEC officials say that Facebook knew about Cambridge Analytica's breaches in 2015, but didn't disclose until 2017. The SEC's Erin E. Schneider says that Facebook also "misled reporters, who asked the company about its investigation into Cambridge Analytica." In that instance, Facebook has agreed to pay the fine but without "admitting or denying the SEC's allegations."

Facebook has published its own response, by general counsel Colin Stretch, which says that the settlement will "require a fundamental shift in the way" it approaches its work. Stretch says that Facebook's handling of the Cambridge Analytica scandal was "a breach of trust" between the company and its users.

Stretch also admits, several paragraphs in, that, just this month, "shortcomings" in its systems allowed some partners to continue accessing data they should not have had access to. Essentially, even after all of this, Facebook has still struggled to get a grip on the vulnerabilities in its system.

And Mark Zuckerberg posted a status -- the FTC opted not to interview him as part of its investigation -- agreeing with Stretch's points. The CEO said that he will appoint a Chief Privacy Officer, and that "more than a thousand people across our company" will be tasked with identifying and limiting privacy risks.