July 25, 2019

SEC Enforcement: Facebook Tagged for Risk Factor Disclosures

There’s a great quote from the 5th Circuit’s 1981 decision in Huddleston v. Herman & MacLean that says that “to warn that the untoward may occur when the event is contingent is prudent; to caution that it is only possible for the unfavorable events to happen when they have already occurred is deceit.”  That quote pretty much sums up the basis for the SEC’s enforcement proceeding against Facebook that was announced yesterday.  Here’s an excerpt from the SEC’s press release:

The Securities and Exchange Commission today announced charges against Facebook Inc. for making misleading disclosures regarding the risk of misuse of Facebook user data. For more than two years, Facebook’s public disclosures presented the risk of misuse of user data as merely hypothetical when Facebook knew that a third-party developer had actually misused Facebook user data. Public companies must identify and consider the material risks to their business and have procedures designed to make disclosures that are accurate in all material respects, including not continuing to describe a risk as hypothetical when it has in fact happened.

The misleading disclosures arose out of Cambridge Analytica’s unauthorized use of Facebook user data. Facebook allegedly found out about Cambridge Analytica’s antics in 2015, but didn’t revise its disclosure until two years later. Facebook consented to a “neither admit nor deny” settlement that, among other things, enjoins it from future violations of Section 17(a)(2) and (3) of the Securities Act and Section 13(a) of the Exchange Act & various rules thereunder.

The company also agreed to pay $100 million to settle the charges, which sounds like a lot, but is chump change to Facebook. After all, the company also agreed yesterday to pay a $5 billion fine to settle FTC charges arising out of customer data privacy lapses. Still, it seems to me that the real elephant in the room may not be the size of the settlement, but the fact that no individuals were named.

The SEC almost always names individuals in corporate disclosure cases, although it didn’t do so in last year’s high-profile data privacy case against Altaba (Yahoo!).  In any event, there’s nothing in the press release to suggest that actions against any individuals are contemplated – despite language in the complaint to the effect that “more than 30 Facebook employees in different corporate groups including senior managers in Facebook’s communications, legal, operations, policy, and privacy groups” were aware that Cambridge Analytica had improperly been provided with user data.

The FTC Gives Facebook a New Board Committee!

Speaking of that FTC settlement, Bloomberg’s Matt Levine points out in his column that it has imposed some interesting governance obligations on Facebook that may curb some of Mark Zuckerberg’s power. One of the conditions imposed under the terms of the settlement is a new board privacy committee that is intended to be difficult for Zuckerberg to mess with. Here’s an excerpt from the FTC’s statement on the settlement:

The order creates greater accountability at the board of directors level. It establishes an independent privacy committee of Facebook’s board of directors, removing unfettered control by Facebook’s CEO Mark Zuckerberg over decisions affecting user privacy. Members of the privacy committee must be independent and will be appointed by an independent nominating committee. Members can only be fired by a supermajority of the Facebook board of directors.

Here’s Matt’s take on the independent privacy committee requirement:

The upshot is … look, it is not entirely clear to me what the upshot is; we’ll see what happens. But my rough analysis is that if Zuckerberg wanted to do a bad privacy thing, and the independent privacy directors told him not to, he’d have a tough time of doing it. He couldn’t remove the independent privacy directors from their posts.

Perhaps he could remove them from the board, but he’d have a hard time replacing them, because the independent nominating committee has “the sole authority” to pick new directors. I suppose he could replace the nominating committee too. These provisions aren’t ironclad. But surely their purpose really is to take the final authority over one aspect of Facebook out of the hands of Zuckerberg.

BlackRock: “Move Along – Nothing to See Here. . .”

According to this recent Harvard Governance Blog from its Vice Chair, BlackRock would like you to know that it & the rest of the Big 3 are really small players in the grand scheme of things:

As index funds are currently growing more quickly than actively managed funds, some critics have expressed concern about increasing concentration of public company ownership in the hands of index fund managers. While it is true that assets under management (or “AUM”) in index portfolios have grown, index funds and ETFs represent less than 10% of global equity assets. Further, equity investors, and hence public company shareholders, are dispersed across a diverse range of asset owners and asset managers.

As of year-end 2017, Vanguard, BlackRock, and State Street manage $3.5 trillion, $3.3 trillion, and $1.8 trillion in global equity assets, respectively. These investors represent a minority position in the $83 trillion global equity market. As shown in Exhibit 1, the combined AUM of these three managers represents just over 10% of global equity assets.

Umm, gee – isn’t 10% of all the equity assets in the world kind of a lot? I don’t know why we’re supposed to take a lot of comfort from that number – particularly since the Big 3 reportedly control 25% of the stock in the S&P 500 and are on course to increase that stake to more than 40% over the next two decades. These numbers aren’t small.

The blog also says that those AUM numbers are misleading, because they represent “a variety of investment strategies, each with different investment objectives, constraints, and time horizons. For example, BlackRock has more than 50 equity portfolio management teams managing nearly 2,000 equity portfolios.” That’s great – but when Larry Fink comes out with annual letters telling boards of portfolio companies “how things are gonna be,” those 2,000 equity portfolios look pretty monolithic.

By the way, if this “50 portfolio managers/2,000 portfolios” pitch sounds familiar to you, it may be because at some point you heard the same pitch from one of the Big 3 when it was lobbying your client to allow it to go over a poison pill threshold. At least that’s where I first heard it.

John Jenkins