The SEC announced charges against Facebook Inc. for making misleading disclosures regarding the risk of misuse of Facebook user data.  According to the SEC, for more than two years, Facebook’s public disclosures presented the risk of misuse of user data as merely hypothetical when Facebook knew that a third-party developer had actually misused Facebook user data.  In connection with the case the SEC made known its view that public companies must identify and consider the material risks to their business and have procedures designed to make disclosures that are accurate in all material respects, including not continuing to describe a risk as hypothetical when it has in fact happened.

Facebook has agreed to pay $100 million to settle the charges.  Facebook did not admit or deny the SEC’s allegations

According to the SECs complaint, protecting user data is critical to Facebook’s business, and Facebook had identified the potential for improper access to and misuse of user data as a significant risk.  The complaint alleges Facebook did not maintain disclosure controls and procedures designed to analyze or assess incidents involving misuse of user data for potential disclosure in the company’s periodic filings.

The complaint notes that Facebook identified trends and events for possible disclosure through a series of quarterly meetings to prepare for the company’s earnings announcements. This process relied on the employees and managers who attended these meetings to identify issues that might need to be disclosed. Although several employees in Facebook’s legal, policy, and communications groups who attended these meetings during the relevant period were aware of the improper transfer of data, that incident was never discussed. Facebook also did not share information regarding the incident with its independent auditors and outside disclosure counsel in order to assess the company’s disclosure obligations.

Facebook had no specific mechanism to summarize or report violations of its relevant policies to employees responsible for ensuring the accuracy of Facebook’s filings with the Commission according to the complaint. For example, the Facebook employees responsible for monitoring violations of the company’s relevant policies were not provided with the draft disclosures pertaining to the misuse of user data.

The complaint therefore concludes Facebook senior management and relevant legal staff did not assess the scope, business impact, or legal implications of the researcher’s improper transfer of data, including whether or how it should have been disclosed in Facebook’s public filings or whether it rendered, or would render, any statements made by the company in its public filings misleading. As a result, the SEC states Facebook filed materially misleading periodic reports with the SEC and knew, or should have known, that its risk factor were materially misleading.

The complaint also alleges Facebook’s communications group provided misleading quotes to reporters inquiring about the incident.  Facebook’s communications group provided the following quote to reporters: “Our investigation to date has not uncovered anything that suggests wrongdoing.” The SEC stated this was misleading because Facebook had, in fact, determined that use of the data by the third party violated the company’s relevant policies. The quote served to reinforce the misleading impression in Facebook’s periodic filings that the company was not aware of any material developer misuse of user data.