Buying a Cyber Company Wouldn’t Solve Facebook’s Data Woes

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Sara Merkenand Daniel R. Stoller (Bloomberg Law)

As Facebook Inc. scrambles to deal with high-profile data scandals, buying a cybersecurity company likely wouldn’t be the cure-all for its privacy and security regulatory woes, privacy and cybersecurity attorneys say.

Facebook CEO Mark Zuckerberg said Oct. 24 that the company is “investing heavily in both privacy and security. We now have more than 20,000 people working to keep people safe and protect their information.”

The social media giant is said to be looking to buy a cybersecurity company, according to news service website The Information. Facebook declined a Bloomberg Law request for comment on the subject. But Zuckerberg said in his Oct. 24 speech before top EU privacy officials that making big investments that impact the company’s profitability to protect privacy and security is “the right thing to do.”

Acquiring a cybersecurity business might allow Facebook “to say with a greater degree of sincerity that they are putting money behind the problem by hiring a best in class security group,” Robert Braun, co-chair of Jeffer Mangels Butler & Mitchell LLP’s cybersecurity and privacy group, told Bloomberg Law.

But such a move would only help out in future regulatory investigations, not those Facebook is already facing, attorneys say.

EU privacy regulators in Ireland and multiple U.S. state attorneys general are probing Facebook after the company recently disclosed a data breach that revealed the personal information of millions of users worldwide. The “View As” data breach allowed hackers to steal access tokens—digital keys that keep people logged into the site—and take over users’ accounts. Facebook reset the access tokens for 90 million accounts.

Facebook also faced a major data privacy scandal when it was shown that data linked to as many as 87 million of its users and their friends ended up in the hands of Cambridge Analytica, a political consultancy that helped get President Donald Trump elected.

Regulators wouldn’t allow an acquisition of a cybersecurity company, now or in the future, affect their review of prior actions and compliance, Michelle Cohen, privacy shareholder at Ifrah Law, told Bloomberg Law.

“Regulators would review the acquisition as a proactive measure,” she said. “The acquisition of additional cybersecurity experts would reflect favorably on Facebook in terms of future compliance and demonstrates good faith and proactive efforts going forward.”

Any reputational boost that comes from buying a cybersecurity company could help improve Facebook’s culture around privacy and security and impact future data security probes, attorneys said.

But even then, Facebook wouldn’t get an automatic boost. The social media company would have to show that adding an in-house cybersecurity presence represents substantive change, and isn’t just window dressing, Braun said.

“If it represents a change in culture, it will do something for the regulators,” he said.

Zuckerberg highlighted the need for trust after the company’s recent data security troubles. “If people don’t trust us, or don’t feel like Facebook is providing something valuable, they won’t use it. And if they leave, that’s bad for us too. So we have every incentive to build the best of experiences and keep bad stuff off our services,” he told EU privacy leaders.

A Facebook spokeswoman declined to comment on the ongoing investigations.

Balance Inside and Out

An in-house cybersecurity unit would be expected to function as an internal watchdog, auditing and fixing problems that arise within the company, Shawn Tuma, partner at Spencer Fane LLP in Dallas, Texas, said.

If Facebook is in the market for a cybersecurity company, it should look for one that will maintain its independence when reviewing practices—not succumb to any tendency to overlook problems, attorneys say.

If that doesn’t happen, it’s just “an effort to put a Band-Aid over a bigger problem,” Tuma said.

Potential cybersecurity acquisition targets include FireEye Inc., Symantec Corp., Palo Alto Networks Inc., and Fortinet Inc., based on the significant market activity they experienced after Facebook’s rumored search for a cybersecurity company was announced, according to Bloomberg News. A Symantec spokesperson declined to comment on “speculation or rumors.”

Even if Facebook bought a cybersecurity company to keep in-house, it should consider hiring outside cybersecurity professionals to limit its hack and enforcement risks, privacy attorneys and cybersecurity consultants told Bloomberg Law.

Third-party cybersecurity companies could come in “where there are external regulatory requirements that would make an outside investigation more credible,” Alan Brill, senior managing director of cyberrisk at Kroll Inc, said. One example would be in showing a regulator that it hired a third party to probe an insider data breach.

An acquisition “may be too narrowly focused,” and Facebook may need to rely on a combination of cybersecurity parties to fully address their issues, John Van Blaricum of cybersecurity firm Kudelski Security said in an email. That’s particularly true because the public nature of the company’s data breach problems.

“The engagement of proven third parties may provide the public greater assurances that the company is addressing the issues that have led to recent events,” Van Blaricum said.

—With assistance from Arie Shapira in New York (Bloomberg)

Request Bloomberg Law: Privacy & Data Security