On July 24, 2019, the SEC charged Facebook Inc. $100 million for inaccurately disclosing the risk of misuse of user data. Facebook agreed to pay, without admitting or denying any wrongdoing. So, what happened?
According to the SEC complaint, the Facebook public filings (such as the annual reports on Form 10-K or the quarterly reports on Form 10-Q, etc.) informed the public that “our users’ data MAY be improperly accessed, used or disclosed” (emphasis added), but in fact, at that time Facebook already knew that it was true. It all goes back to the infamous Cambridge Analytica scandal (CA paid an academic to collect and transfer from Facebook certain data in violation of the Facebook policies). Later, CA used such data for clients’ political campaigns. According to the SEC complaint, Facebook discovered the misuse by December 2015 but failed to correct its public company disclosure until May 2018.
This was a material risk, and in Facebook’s case, it became a reality. However, the company did not move it from the category of “possible risks” to the category of “real events”. Rule 10b-5 under the Securities Exchange Act (like Section 17(a)(2) of the Securities Act, which is nearly identical) makes it unlawful for companies to make “any untrue statement of a material fact or to omit to state a material fact necessary in order to make the statements made, in the light of the circumstances under which they were made, not misleading…”. Most securities lawyers know this phrase verbatim. Perhaps there was a question of whether such information was “material” to Facebook’s stockholders (there are ongoing debates about the materiality standard, although in this case misusing data of 30 million Facebook users does sound “material”). Perhaps Facebook management did not actually know what was happening or was in disbelief. Perhaps some people knew but failed to communicate it to others with the disclosure-making responsibilities. Whatever the explanation is, the fact remains that after Facebook finally publicly announced that it knew about the data breach, its share price dropped, underscoring the importance of this information. Well, this turned out to be a costly misuse of the three letters MAY.
Drafting disclosure documents is not creative writing. This skill is rooted in the deep understanding of the legal standards, the industry, the company, and the specific risks the company faces. It is also based on the information that is being made available to the drafter.
This article is not legal advice and was written for general informational purposes only. It does not express anyone else’s views except for the author’s. If you have questions or comments about the article or are interested in learning more about this topic, feel free to contact its author Arina Shulga.