By Mark Speck
Partner at Specktrum, Inc.
Never was the importance of having a robust compliance program more apparent than during Mark Zuckerberg’s testimony to the US Senate’s Commerce and Judiciary committee on Tuesday to discuss data privacy and Russian disinformation on Facebook.
On the Capitol Hill stage, Facebook’s founder and CEO struggled to represent a sound data privacy policy, a data retention policy, suitable due diligence assurance activities on high-risk third parties, and a data user agreement that Senator Kennedy claimed “sucks.”
“You can spot me 75 IQ points. If I can figure it out, you can figure it out. The purpose of that user agreement is to cover Facebook’s rear end. It’s not to inform your users about their rights,” said Kennedy. “I’m going to suggest to you that you go back home and rewrite it. And tell your $1,200-an-hour lawyers—no disrespect, they’re good—but, but tell them you want it written in English and non-Swahili, so the average American can understand it. That would be a start.”
For those of us who daily strive to improve and maintain a governance structure that includes compliance with laws, regulations, and corporate policies, listening to Zuckerberg’s responses had to be gut-wrenching. But for those with the same title as Zuckerberg who were watching and/or listening, let’s hope these 2 days and 10 hours on the hot seat provided a wake-up call for valuing compliance.
For those of us accustomed to seeing Zuckerberg speak about Facebook’s technology and mission, it was indeed compelling theater to see the billionaire in this very uncomfortable setting. Each congressman took a turn scrutinizing him for a myriad of abuses on his social platform. Congressional citations of both users’ abuses and Zuckerberg’s own organizational abuses included Russian propaganda, use of hate speech, election interference, private data being provided to Cambridge Analytica, and claims of political censorship of conservative messaging. But one wonders how confident Zuckerberg felt responding to a few basic compliance-related questions. Zuckerberg’s inability to describe the internal controls protecting his platform from privacy infiltration and propaganda peddling made him look ill-prepared, naïve, and borderline incompetent as CEO of a multibillion-dollar concern. His narrative throughout both sessions was that users own their data and have control of their privacy settings. Obviously, this isn’t good enough, and if anything, this star chamber raised concerns that went beyond data privacy protection controls.
Senator Sheldon Whitehouse asked how Facebook looks behind shell companies to find out who is really posting content and who is the “beneficial owner of the site that is putting out the political material”?
Zuckerberg’s response was alarming, as all he could muster was a requirement for valid government identification and location verification. “So, we’re going to do that so that way someone sitting in Russia, for example, couldn’t say that they’re in America and, therefore, [be] able to run an election ad,” offered Zuckerberg.
And to his credit, Senator Whitehouse countered, “But if they were running through a corporation domiciled in Delaware, you wouldn’t know that they were actually a Russian owner?”
“Senator, that’s—that’s correct,” Zuckerberg responded.
Those of us who understand third-party risk management could almost hear a collective “AGGHHHHHH,” of the kind that made the comedian Sam Kinison famous. Did Facebook’s Chief Compliance Officer or Compliance team not brief Zuckerberg that Facebook has a Know Your Third Party program, or do they simply not have one?
Wouldn’t you expect a prepared CEO to rattle off a few third-party risk control activities, such as conducting initial vetting of third parties, certification of a supplier code of conduct, requiring satisfactory responses to a third-party questionnaire, and risk-based verification via desktop investigative due diligence using legal resources and media screens? It was a shame Zuckerberg could not name at least a few of these independent verifications. They should include a corporate registry check and verification of the third party’s corporate ownership structure, including identification of beneficial owners, officers, and board of directors; capture of legal entanglements and restricted and/or politically exposed parties; and, yes, verification of location.
It’s understood that a CEO is not expected to know every detail of every program going on at their company, but shouldn’t key compliance controls be exceptions? Shouldn’t CEOs be armed with the vital controls that protect a company from regulatory and reputational harm? One would think a company’s responses to its top risks and its mitigation strategy would be top-of-mind, next to the proverbial elevator speech. If you are trying to avoid regulation, wouldn’t it make sense to represent how your company prevents susceptibility to fraud and corruption?
What is also becoming apparent is that the EU model, now being unified to the highest standard by way of the General Data Protection Regulation (GDPR) and becoming official on May 25, may give US companies and regulators some further food for thought. Should companies require customers to opt in to prove permission, require encryption of certain vitals (e.g., a person’s name, address, and other data points that enable a specific identity to be traced), have a complete handle on where personal data lies within their ecosystem, eliminate data when a user deletes or abandons their account, and ensure that the release of data to subcontractors has been approved and that the data will be equally and aptly protected? The GDPR has further requirements, but these principles seem to apply best to the Facebook/Cambridge Analytica fiasco and have a better chance of balancing privacy and free trade.
Finally, there were times Zuckerberg would indicate that certain senatorial claims, such as the censorship transpiring at Facebook, appeared to be at odds with his company’s mission. Interestingly, when testifying before the Energy and Commerce Committee of the House of Representatives, Zuckerberg admitted that the censorship of “Diamond and Silk” (pro-President Trump vloggers) was an “enforcement error.”
The point here is that if Zuckerberg believes repeated actions of a Facebook program or its employees are counter to its mission and principles, then clearly there is a compliance gap. This is yet another example of what a good compliance program would accomplish: ensuring the existence of a link among company objectives, policies, and employee and contractor behavior.
Two lessons that, hopefully, Mr. Zuckerberg and his fellow CEOs and boards take: (1) The importance of having a robust compliance program to help avert the kind of disaster that occurred at Facebook, and (2) the CEO shouldn’t go into the star chamber on Capitol Hill without first reviewing his/her revised elevator speech or being adequately briefed on the controls the company does have in place. Of course, if you have a robust compliance program, you might not ever have your stock lose 25% in a flash or have to visit Capitol Hill.