The power of technology and the large-scale aggregation of personal data mean that tech companies face “unintended inferences” that can threaten our anonymity, reputation, credit, and even our safety. Even Facebook may be coming to grips with this notion.
In March, Mark Zuckerberg posted a statement called A Privacy-Focused Vision for Social Networking where he noted the growing awareness that “the more entities that have access to your data, the more vulnerabilities there are for someone to misuse it” or use it in “other ways” you don’t expect.
Federal guidance exists on compliance programs that tech companies can apply to their privacy and security organizations. It describes criteria for compliance program effectiveness and is used in enforcement cases to hold companies accountable for program failures. It’s likely that the FTC will have the first opportunity to set a precedent and apply the guidance to Facebook’s privacy program.
Facebook is rumored to be in negotiations with the FTC regarding potential breaches of its 2012 settlement over privacy failures by the company. The chain of events after the 2012 settlement, leading to the Cambridge Analytica scandal and the current FTC probe, is now well-documented. This week, the company reported to investors that the fine could reach $5 billion.
The remaining question is how the FTC will use its enforcement authority. In the 2012 Consent Agreement, Facebook was ordered to implement a comprehensive privacy program. The federal compliance guidance noted above has been in place since the 1990s and is routinely used in enforcement cases relating to corporate fraud.
It appears that the FTC had the compliance guidance in mind when defining Facebook’s required privacy program.
Compliance Programs vs. Act of Compliance
Compliance professionals familiar with the guidance understand that a compliance program is different from the act of compliance.
An “act of compliance” can manifest as the much-maligned corporate “box-checking” exercise. But an effective compliance program means accountability, effective risk management, upholding integrity in your work, and adhering to ethical values with regard to your team, customers and external stakeholders. So, the federal government already has the tools to measure program effectiveness and hold companies accountable for privacy and security program failures.
There are two key points to understand about the U.S. Sentencing Commission’s guidelines on effective compliance programs when considering how the FTC could apply them to privacy and security. One, the guidelines are meant to incentivize organizations to implement programs that encourage ethical conduct and compliance with laws. Two, they are applicable to organizations of any size, because they are not prescriptive.
The Department of Justice has also provided guidance on effective compliance programs. Section 9-28.800 of the Justice Manual gives specific guidance to prosecutors for evaluating compliance programs in enforcement cases. There are no “formulaic” requirements in this guidance. It is aimed at helping prosecutors determine whether a program is well designed, whether it is being applied earnestly, and whether it is working. For example, one key test in the Manual is whether a company has a compliance program on paper only, or whether it is both documented and implemented in good faith.
These same standards can apply to privacy and security programs. The privacy program ordered by the FTC in the Facebook case tracks closely with the federal compliance guidance.
At its core, the federal compliance program guidance aims to help companies develop structures that promote ethical behavior and empower them to operationalize a culture in support of good compliance practices. Those who adopt this holistic approach, starting with the tone from the top of the company and extending to company culture, recognize that it reflects the same goal as privacy and security programs.
With the Facebook case, the FTC has the opportunity to formally set a precedent to apply the federal standards on effective compliance programs to privacy. Privacy, security and compliance can’t operate in silos. The federal guidance provides a framework for consistent program standards across these functions that promotes ethics, compliance with laws, and a culture of awareness and commitment at all levels.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.