Those days, much of my research consists in reading the tech giants 10-K filings to the SEC.
10-Ks have an informative section called”Risk Factors” (Item 1A). This section conveys the reporting firm’s perception of the risks it faces in its daily business. Firms often report on competitive, technological or regulatory threats. Information found in 10-Ks is trustworthy because it is against the law to make misrepresentations to public authorities and investors.
Facebook’s filings provide non contemporaneous information on Cambridge Analytica-type issues. Already in 2012, we see that FaceBook has an acute understanding of the problem. Facebook point out to a risk that “Improper access to or disclosure of our users’ information, or violation of our terms of service or policies, could harm our reputation and adversely affect our business”
The discussion of the problem is even more informative.
Our efforts to protect the information that our users have chosen to share using Facebook may be unsuccessful due to the actions of third parties, software bugs or other technical malfunctions, employee error or malfeasance, or other factors. In addition, third parties may attempt to fraudulently induce employees or users to disclose information in order to gain access to our data or our users’ data. If
any of these events occur, our users’ information could be accessed or disclosed improperly. Our Data Use Policy governs the use of information that users have chosen to share using Facebook and how that information may be used by us and third parties. Some Platform developers may store information provided by our users through apps on the Facebook Platform or websites integrated with Facebook. If these third parties or Platform developers fail to adopt or adhere to adequate data security practices or fail to comply with our terms and policies, or in the event of a breach of their networks, our users’ data may be improperly accessed or disclosed.
Any incidents involving unauthorized access to or improper use of the information of our users or incidents involving violation of our terms of service or policies, including our Data Use Policy, could damage our reputation and our brand and diminish our competitive position. In addition, the affected users or government authorities could initiate legal or regulatory action against us in connection with such incidents, which could cause us to incur significant expense and liability or result in orders or consent decrees forcing us to modify our business practices. Any of these events could have a material and adverse effect on our business, reputation, or financial results
Moreover, Facebook describes this risk factor (“RF”) as an increasing concern over the years. I have tracked the progression of this RF between 2012 and 2017 (see table above). The change is not huge, but this RF still moves from position 12 to 9 in Facebooks’ 10Ks.
Take away: the Cambridge Analytica scandal was a scenario that FB had anticipated as early as 2012.
So was Facebook negligent? This would be a precipitous conclusion to draw. In a large ecosystem, it is easier for rogue players to hide. True, Facebook knew that there was a risk. But the “whether risk” question and the “where risk”/”when risk” questions are different issues. And the larger the company, the more difficult the answer to the second one.