
What all leaders must learn from Facebook’s data breach fine

Filed under Cyber Security

27 October 2018

The £500,000 fine on Facebook by the UK Information Commissioner’s Office (ICO) for a ‘serious breach of law’ is puny.

For one of the world’s five richest corporations it will be like petty cash slipping unnoticed through a hole in a trouser pocket.

This time the fine is a reputational and brand irritation for Facebook, not much more. The cost will barely register on the accounts at 1 Hacker Way in Menlo Park, California.

But the lessons are not just for FB.

There is a deep, profound and disturbing message for all leaders. All of them should take note and learn.


The fine has exposed the cost, even to the highest-level and wealthiest leaders like Mark Zuckerberg, of failing to think the unthinkable.

By their own admission, the possibility of such a breach was not even on the trouble-shooting minds of the sharpest and best-paid at the top of FB.

They knew about the breach for which they have been fined. But having decided that what is now defined as a ‘breach’ was not that significant, they did nothing. They viewed the implications as unthinkable.

As FB now admits: “We should have done more to investigate claims about Cambridge Analytica and taken action in 2015.”

The key take-away for all leaders here is the cost of such complacency and arguably arrogance.

It is the assumption that the roller coaster of global success and a phenomenal capacity to generate cash means that by default all threats and options are covered off.

That is a dangerous and rash assumption in this increasingly disrupted world of both unthinkables and unpalatables.

Every leader must ask: what internal challenge and Red Team systems do I have to identify vulnerabilities and make sure everyone at the highest level is aware of them?

The ‘serious breach’ of law was exposed earlier this year by revelations of Cambridge Analytica’s involvement in the unauthorised harvesting of Facebook (FB) users’ data by a third party.

The investigation by Channel Four News and the Observer was brilliant.

The ICO ruled that up to 2015 third party App developers had been allowed access to FB subscribers’ data ‘without clear consent’. FB had to admit belatedly that there had indeed been a ‘breach of trust’.

Even when alerted to what was happening ‘Facebook did not do enough to ensure those who continued to hold it [data] had taken adequate and timely remedial action, including deletion’.

One million FB subscribers were affected in the UK. Globally FB says it was 87 million.

FB’s culture problems are clear.

Zuckerberg confirmed to the US Senate on 10 April that the super-wealthy company he founded and runs as CEO is an ‘idealistic and optimistic company’. But ‘it is clear now that we did not do enough to prevent these tools from being used for harm as well’.

He realised that too late.

Odd really, given that he started 2018 with a New Year message that preached a ‘serious year of self improvement’.

As he admitted then: “We currently make too many errors enforcing our policies and preventing misuse of our tools.”

This over-idealistic and positive culture did not change fast enough.

Alerts in 2015 about questionable exploitation of data by third parties had been marginalised internally at FB.

‘We should have done more to investigate claims about Cambridge Analytica and taken action in 2015,’ FB has now reiterated in a statement.

Had they done so, they would probably not have been found to be in ‘serious breach’ of the law.

As Chris Langdon and I report in our new book Thinking the Unthinkable, FB’s self confidence had been brought up short by its own complacency.

‘Only Good News’ was the secret label for the conference room of FB’s COO Sheryl Sandberg. That was because good news was all she wanted to hear, as one jaundiced former insider revealed.

Additionally, ‘we have been as a tech company too focused on the positive and not nearly vigilant enough about the negative. We have been caught flat footed’, admitted Campbell Brown, FB’s Head of News Partnerships.

Last Thursday FB got off lightly with the ICO’s fine, which is the largest allowed under the legislation that applied at the time of the breach of law. The law has now changed. Next time the cost of a similar complacency and failure to think the unthinkable could be enormous.

Were a similar ‘serious breach of law’ to be committed after 25 May this year, when the GDPR came into force, the fine for FB could be gigantic.

Under the GDPR the maximum penalty is 20 million euros or 4% of total worldwide annual turnover (whichever is greater), and it applies “against both data controllers and data processors”. Working on FB’s turnover of $40 billion for 2017, that could have meant a fine of up to $1.6 billion, not half a million UK pounds.

As we detail in our book, the Cambridge Analytica revelations forced Zuckerberg to concede how narrow was his mega company’s view of responsibility.

Vast wealth and commercial success had not generated the worldly capacity for wisdom that many expected.

“Today, given what we know … I think we understand that we need to take a broader view of our responsibility … That we are not just building tools, but that we need to take full responsibility for the outcomes of how people use those tools as well,” he told a press briefing on 4 April.

This was clearly a revelation.

After being grilled by two US Congressional committees, Zuckerberg said it would take three years to fix the problems, in nature and scale, that others had revealed about Facebook’s failings.

Campbell Brown conceded ‘there is an awakening that is taking place inside the company where the mentality is very much all hands on deck. People have to see how we perform on our promise’.

That awakening needed to be dramatic. Three years to fix things? The urgency is in weeks, days and hours, perhaps even minutes.

In late September the data of some 50 million more FB users was exposed by a security flaw in the site’s ‘View As’ feature, which allowed attackers to steal account access tokens.

So there are significant problems of culture, mindset and behaviour to overcome at high speed.

It is all very well for the former UK Deputy Prime Minister Sir Nick Clegg to accept a $1 million a year job as FB’s new Head of Global Affairs and Communications.

But window dressing and global image massaging will not fix the systemic problem of flawed attitudes among the highest-level executives and highly paid engineers, attitudes which then lead to violations of the law.

And parliamentary efforts to tighten significantly the accountability of the tech giants like Facebook seem to be getting scant traction.

The UK’s Digital Culture Media and Sport committee warned in July that the UK faces a democratic crisis founded on the manipulation of personal data.

This is what happened unlawfully to FB users’ data, and it led to the fine.

MPs demanded new powers for the UK’s Electoral Commission to help block the accelerating scale of manipulation. This would include bigger fines and new regulation of social media firms.

But the committee chairman, Damian Collins, said last week that of the 42 recommendations in its interim report the government has accepted only three in its official response.

It will probably take an unthinkable digital disaster of seismic proportions to force high speed engagement on these issues.

Then there will be a realisation that reality is well ahead of the capacity of tech giants and political systems alike to define new limits to what is not just acceptable but legal.