This month, the Federal Trade Commission has taken steps to finalize the two largest fines for data security and privacy violations the agency has ever approved: nearly $5 billion for Facebook over its involvement in letting Cambridge Analytica access user data through a researcher at the University of Cambridge and between $575 million and $700 million for credit bureau Equifax for the 2017 breach that compromised 147 million people’s personal data.
No sooner were the fines announced than people began criticizing them for being too small to have any impact on the companies they targeted. In the New York Times, Kara Swisher compared the Facebook fine to “a parking ticket”: “With $23 billion in cash on hand, Facebook will see a $5 billion fine as simply the cost of doing business.” She argued that the fine would have to be closer to $50 billion for it to have any real impact on Facebook. In Wired, Lily Hay Newman called the Equifax fine “too little, too late.” She noted that it would account for “less than the company’s overall revenue” reported for its first quarter and add up to just a few dollars per person affected by the breach.
Swisher and Newman are right, of course, that neither of these fines will bankrupt the companies that have to pay them. But that is not—and should not be—the point of fining companies for poor data security practices. The Federal Trade Commission’s motivations in levying these fines are to cover the losses imposed by the incidents and to provide the firms, and others watching these proceedings, with a strong incentive to invest more heavily in security for fear of otherwise facing stiff penalties. Whether that happens remains to be seen, but the fines represent huge progress for the FTC in pushing companies to take seriously the potential regulatory penalties for data breaches.
Glance over the FTC’s privacy and security enforcement press releases from the past few years, and I guarantee you’ll be struck by how much bigger the Facebook and Equifax numbers are than anything else on the agency’s website: a $650,000 fine for a toy manufacturer that collected children’s personal information, $3.5 million for Lenovo’s installation of adware on laptops, and a $1.6 million fine for the Ashley Madison breach and false advertising of account deletion services.
These fines are often not the full extent of the financial penalties that these companies face. Lenovo, for instance, paid an additional $7.3 million settlement to resolve a consumer class-action lawsuit. Ashley Madison’s parent company paid another $11.2 million to settle U.S. litigation. Last year, Uber ended up paying $148 million to settle state investigations into a 2016 data breach, even after the FTC resolved its own investigation without issuing a fine. (In the case of Equifax, the fine announced this month encompasses not just FTC penalties but also settling enforcement actions with many U.S. states and territories, as well as the Consumer Financial Protection Bureau.)
By just about any measure, the Equifax and Facebook incidents were significantly larger and more serious than these other cases. The Ashley Madison breach affected roughly 30 million people, compared with 147 million people whose data was stolen from Equifax. The stolen Ashley Madison information was limited to user account data, email addresses, and banking information rather than the wide range of content, from friends to messages to photos, that Facebook stores about its users. The Uber breach affected 25 million customers and drivers, the Lenovo Superfish adware infected roughly 750,000 computers, and the toy firm VTech exposed information about 4 million parents and 280,000 children. So it absolutely makes sense that the penalties for Facebook and Equifax would be bigger. But the penalty for Equifax leaking roughly five times as many users’ information as Ashley Madison is not five times larger than Ashley Madison’s—it’s closer to 50 times larger!
That’s no small feat for the FTC, which has long been reluctant to overstep its bounds in terms of regulating data security and privacy or issuing fines that do not correspond directly to consumer losses. Swisher mentions the only tech company fine in recent memory that comes close in size to these is the EU’s $5.1 billion Google fine, announced last summer for antitrust violations related to Android. But, notably, that was an antitrust fine—not a data privacy or security enforcement action.
Even by the European Union’s own, generally stricter, standards for privacy and security regulation, the Facebook and Equifax penalties are pretty steep. The maximum penalty for data protection infractions permitted under the European Union’s General Data Protection Regulation is up to 4 percent of a company’s annual global revenue. Going by 2018 revenue, that would have meant a potential maximum fine of up to $136.4 million for Equifax and up to $2.23 billion for Facebook. Much less than the fines the companies actually ended up facing in the United States!
So these fines are really big, but none of these comparisons answer the question of whether they are big enough. The answer to that question depends, to some extent, on what you think the penalties are intended to accomplish. If you think the FTC penalties should eviscerate breached companies and leave them penniless shells of their former selves, then no, these are not the fines for you. Much of the outrage about the Facebook fine’s inadequacy seems to be linked to the fact that the company’s stock rose in value after the penalty was announced. But why shouldn’t a company be able to suffer a serious security incident, resolve it with regulators, pay handsomely for the damages, promise to do better, and reemerge in a stronger market position than before? It’s hard not to feel, from watching people criticize the Facebook fine and stock value, that they just wanted to see the company suffer.
But if you think the purpose of the FTC’s enforcement powers is to strengthen security at companies that have suffered breaches, protect consumers from harms inflicted by those breaches, and send a clear signal to other companies that they should be investing heavily in data privacy and security protections, there’s a good chance that these settlements will accomplish those aims.
For one, they include important provisions beyond just the fines themselves: For instance, for the next seven years, Equifax will have to provide an additional six free credit reports per year to U.S. consumers so they can better monitor their own credit for possible identity theft. That’s a big improvement over the one free credit report you’re currently entitled to. It’s less clear what the Facebook settlement provisions will be since the settlement has not yet been approved by the Justice Department. Based on past FTC settlements, outside security audits, strengthened consent measures from users for data sharing, and the implementation of comprehensive privacy programs are all possible conditions. But the restrictions on sharing data with third parties were reportedly not strict enough to satisfy the two Democratic FTC commissioners who voted against the settlement.
In terms of actually covering the tangible, financial losses suffered by consumers, the settlements will go a long way. Though the payout amounts to only a few dollars per victim, many of those victims will probably not personally face significant financial losses, given the significant protections from their banks and credit card companies. The intangible losses users suffer from these incidents—loss of privacy, embarrassment, anxiety, frustration, time spent on the phone trying to resolve credit monitoring alerts—are, and always have been, much harder to quantify. That doesn’t mean they should be ignored, just that it’s difficult to make any assessment about whether these fines address them adequately.
As for sending a message to other companies that security investments should figure heavily on their balance sheet: The Facebook and Equifax fines will certainly do that. Will it be enough? Perhaps not. Perhaps we will yet see larger fines in the future. But for now, this is real progress, and it’s important to recognize it as such rather than just pushing for ever larger punishments.