The Federal Trade Commission’s (FTC) recent $5 billion settlement with Facebook is unprecedented in multiple respects:
- The $5 billion penalty represents the largest privacy and data security settlement in history – it is almost 20 times larger than the recent Equifax Inc. settlement and dwarfs recent EU data protection enforcement actions.
- As part of the settlement, new corporate governance measures relating to privacy and data security will be required, including an independent committee of the board of directors, with specific nomination requirements and subject matter coverage. This will place pressure on many boards and organizations to freshly examine information governance risk.
- The settlement also requires executive certifications, which, if modeled by other companies, will trigger dramatic changes in accountability as executives turn to rely on experts, internal compliance teams, audit and related expertise for assurance and attestation in order to avoid civil and criminal penalties and derivative litigation.
The signaling effect of the settlement to the broader business community intended by the primary privacy regulator in the United States cannot be overstated. Similar enforcement actions, such as individual prosecutions in Europe under the EU Data Protection Directive, triggered immediate response and attention from corporations just as the emergence of breach notification laws resulted in massive new investments in information security programs in the United States.