Security
Headlines
HeadlinesLatestCVEs

Headline

Facebook Asks Supreme Court to Dismiss Cambridge Analytica Lawsuit

Meta has maintained that Facebook did not mislead investors by not including mention of the Cambridge Analytica scandal in its forward-looking risk disclosures, but the plaintiffs say it was a glaring omission.

DARKReading
#auth

Souce: AlexanddraPopova via Shutterstock

The US Supreme Court will soon decide whether to allow a longstanding shareholder lawsuit against Meta’s Facebook to proceed or to dismiss it as lawyers for the social media giant have asked.

The lawsuit involves a 2015 incident in which UK-based consultancy Cambridge Analytica obtained Facebook user data from a third-party firm and used it to create granular profiles for targeting users during political campaigns, on behalf of the Trump campaign. News of the data misuse surfaced in 2018 and provoked considerable concern in the US and elsewhere over privacy violations, data protection, and the role of social media in influencing politics.

The Cambridge Analytica Fiasco

Facebook faced intense scrutiny from US government and regulatory bodies over the incident. In July 2019, the US Federal Trade Commission (FTC) hit the company with a massive $5 billion fine in addition to new requirements for greater transparency and accountability for the company’s data security and privacy practices.

Separately, a class of Facebook shareholders represented by Amalgamated Bank sued the company for, among other things, not disclosing the breach to shareholders and the public in a timely manner, thereby leading to a loss in shareholder value. The crux of their argument was that Facebook’s legally obligated, forward-looking statements about risks to its business made no mention of the Cambridge Analytica breach or its impact on Facebook users. They argued that the company misled investors and others in phrasing the risks to data as hypothetical when, in fact, a breach had already happened.

The US Court of Appeals for the Ninth Circuit — the last to hear the case — allowed the Amalgamated lawsuit to proceed, overturning a District Court ruling on the matter.

Ignoring Cambridge Analytica Scandal Not Misleading?

In the US Supreme Court hearing on the case this week, Facebook legal counsel Kannon Shanmugam said the Ninth Circuit had got it wrong in holding that a risk disclosure can be misleading simply because it did not disclose that the stated risk had already materialized in the past.

“A risk disclosure warrants that a type of event may cause harm in the future. It usually makes no representation that the event had never previously occurred,” he said in the hearing.

“Just as a statement that ‘the road may be flooded if it rains’ cannot be misleading simply because it rained yesterday, a typical risk disclosure cannot be misleading simply because the triggering event had occurred in the past,” he argued.

Kevin Russell, representing the plaintiffs for Amalgamated Bank in the case, used similar analogies to argue for the case to proceed. “Facebook admits that if a student tells his parents that there no a risk he may fail an exam when he’s already done so, that is misleading,” Russell noted. "[The statement] implies it’s impossible that he won’t, when that isn’t true. The same is true of many risk factor statements, including the ones at issue in this case."

In his argument, Russell conceded that companies should not be obligated to disclose every past material risk incident in their forward-looking risk disclosures. However, there is an obligation for organizations not to mislead people into thinking that a major omitted risk event had not happened, he said.

When asked how Facebook should have phrased its risk disclosure instead, Russell noted the company should have included a mention of Cambridge Analytica incident. “I think that they could have said what they said and then said something like: Such improper disclosure or misuse of user data has occurred in the past, including recently on a substantial scale.” Such a disclosure would eliminate any potential misimpression that the risks Facebook was referring to in its disclosure were purely hypothetical, Russell said.

Supreme Court Justices: Data Risk Is All About Context

In responding to Shanmugam’s argument, Justice Elena Kagan said a lot depends on the context in which a forward-looking risk statement is made. She used a hypothetical example of a fire at a production plant that damages operations substantially, and a risk statement that merely notes fire as a potential risk to the business without actually mentioning such an accident had already happened.

“The typical investor would think it’s kind of misleading for you to make this statement that’s framed entirely in a hypothetical if, in fact, there’s no more plant and no more production capacity,” she noted.

Justice Samuel Alito used the same example to echo a similar sentiment. “A statement that simply blandly says that there’s a possibility of a risk can, in context, be extremely misleading if there is a high probability of the risk materializing,” he noted. Depending on the context, “the fact that something has happened in the past very often sheds light on the risk of a recurrence.”

About the Author

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master’s degree in Statistics and lives in Naperville, Ill.

DARKReading: Latest News

Microsoft Pulls Exchange Patches Amid Mail Flow Issues