The Governance Implications of the Equifax and Facebook Settlements

Michael W. Peregrine is a partner at McDermott Will & Emery LLP. This post is based on his McDermott Will & Emery memorandum.

Corporate boards across industry sectors should give close attention to the impact the recent privacy settlements entered into by Equifax and Facebook will have on governance.

Read together, the settlements send an important message regarding regulatory expectations of board oversight of consumer privacy concerns. They also provide useful suggestions to corporate boards on how to structure meaningful governance interaction with existing information security programs.

The Equifax Settlement

On July 22, the consumer credit reporting agency Equifax Inc. (“Equifax”) entered into a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories (the “Equifax Settlement”) to resolve allegations that its failure to take reasonable steps to secure its network led to a 2017 data breach that exposed the personal information of 147 million people.

According to the Equifax Settlement, Equifax agreed to provide at least $575 million, and potentially up to $700 million, in monetary relief to consumers affected by the data breach. The company is also required to implement a comprehensive information security program (the “Program”) incorporating the following elements—key portions of which directly relate to the role of the board of directors:

  • Designating an employee to oversee the Program;
  • Conducting annual assessments of internal and external security risks and implementing safeguards to address potential risks;
  • Obtaining annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order, including its information security requirements;
  • Testing and monitoring the effectiveness of the security safeguards; and
  • Ensuring service providers with access to personal information stored by Equifax also implement adequate safeguards to protect such

As part of the Program, Equifax is also required to provide the written Program and any material evaluations thereof or updates thereto at least once every 12 months to its board of directors (or a relevant subcommittee thereof). It must establish a clear and easily accessible process overseen by a senior corporate manager for employees to submit complaints or concerns about Equifax’s information security practices. Furthermore, no later than 30 days after the end of each quarter, Equifax must provide its board of directors, or a subcommittee, a report summarizing all Covered Incidents that occurred in that calendar quarter.

The Facebook Settlement

On July 24, 2019, the FTC also announced a settlement (the “Facebook Settlement”) with the online social media and social networking service company Facebook to resolve allegations that the company violated a 2012 FTC order by deceiving users about its ability to control the privacy of their personal information.

Pursuant to the Facebook Settlement, Facebook will pay what the FTC describes as a “record-breaking” $5 billion penalty and submit to new restrictions and a modified corporate structure intended to increase the company’s accountability for the decisions it makes about its users’ privacy. Several of these restrictions and modifications have corporate governance implications, including the following:

First, by establishing a board-level privacy committee, the order is designed to create greater accountability at the Facebook board level. Members of the privacy committee must be independent (Facebook officers and employees are disqualified from membership) and will be appointed by an independent nominating committee. Members can only be removed by a supermajority of the Facebook board of directors. The committee will be informed about all material privacy risks and issues at the company.

Second, the order is designed to improve accountability at the individual level by requiring Facebook to designate “expert” compliance officers. These officers, who will implement and maintain Facebook’s privacy program, must be approved by the independent privacy committee. The compliance officers will also be responsible for documenting every material privacy decision in detail and are to provide that documentation quarterly to the third-party assessor and the Facebook CEO. In addition, the compliance officers will have to certify to the FTC quarterly that Facebook is complying fully with the privacy program.

The Facebook CEO must also certify to the FTC quarterly that the company’s privacy program complies with the order. A false certification could trigger civil or even criminal penalties.

Analysis

Clearly, the terms of both settlements are highly fact-specific and arise from circumstances involving significant consumer harm. Rarely do settlements involving such fact patterns serve to establish broader industry or commercial standards, or best practices.

Yet there are numerous themes arising from the settlements that are worthy of board-level discussion, likely with the support of the general counsel and chief information security officer. These themes include the following:

Enterprise Risk: the settlements send a clear message of the increased risk of government enforcement response to privacy failures by corporations. This message extends not only to the technology sector, but also to other industries with special access to consumer information (e.g., retail, health, credit, finance, higher education).

Board Engagement: both settlements call for enhanced board oversight of the company’s information security programs (as well as its compliance with the terms of the respective settlements). This is suggestive of increased government expectations in all commercial sectors of board oversight of information security and privacy matters. Board efforts to monitor privacy concerns can be expected to increase materially. More specifically, directors may need additional training on how to spot privacy security “yellow” and “red flags”.

Privacy Committee: the importance attributed by the Facebook Settlement to the establishment of a board-level privacy committee composed of independent directors may prompt other boards to evaluate whether the creation of a similar committee would materially contribute to information security oversight. Will a board “privacy committee” become best practice? Will there be a premium on directors with consumer expertise?

Compliance Oversight: the settlements’ focus on an internal privacy compliance function suggests value in re-evaluating how information security compliance is addressed within the context of current corporate compliance programs. Board oversight of compliance may require a special privacy focus. Coordination between traditional compliance officers and information security officers may necessitate enhanced board supervision.

Individual Accountability: settlement provisions requiring certifications by the board and the CEO are consistent with a broader regulatory focus on individual accountability and attributing greater responsibility to boards for corporate wrongdoing. Boards may also seek the input of the general counsel on the implications of the recent Marchand v. Barnhill decision on their personal liability for information security failures.

Conclusion

Corporate boards should not dismiss the Equifax and Facebook Settlements as “one-off” regulatory resolutions of egregious fact patterns. Rather, boards may wish to consider more closely the enhanced expectations of governance oversight of information security that are at the core of the settlements.
