CIO

Will Facebook’s $US5b punishment finally prompt other companies to act on privacy?

Mother of all fines a reminder that ‘she’ll be right’ isn’t an adequate cybersecurity strategy

The laissez-faire attitude of many companies towards consumer privacy protections is catching up with them after a series of massive fines sent shockwaves through a business community already reeling from an escalating cybersecurity threat climate.

Shares in Facebook surged to record highs on news that the social-media behemoth had reached a $US5 billion ($A7.2b) agreement with the US Federal Trade Commission to settle an investigation into Facebook’s ill-fated sharing of personal information on 87m users with British firm Cambridge Analytica.

Facebook is also challenging a £500,000 ($A896,600) fine from UK regulators over the same saga – raising the ire of government officials who say the company is playing both sides by appealing government fines while CEO Mark Zuckerberg calls for more active government involvement in regulating social media.

The Facebook settlement dwarfs even the £99m ($A178m) fine handed down to hotel giant Marriott and a £183m ($A328m) fine handed down to British Airways after a massive hack of its website last year.

Despite its size, Facebook’s fine has been described as a “slap on the wrist” – yet even the Marriott fine was nearly twice the £56m ($A100.4m) in fines handed down during the first year of GDPR.

Spurring companies into action?

The climate of increasing fines is likely to have a chilling effect on smaller companies as the mounting fines for privacy violations confirm that authorities have lost their patience with companies that allow security breaches to compromise masses of personal information.

Yet commentator after commentator has noted that many companies remain strangely reluctant to invest enough to provide the level of privacy protection that regulators now expect.

Fully 43 percent of respondents to a recent GlobalData survey said they would be making a ‘major investment’ in cybersecurity technologies within the next three years, for example – leading the firm’s head of R&A for travel & tourism, Nick Wyatt, to ask companies “why wait?”

“The message [from regulators] is clear: Get serious about cybersecurity or face the consequences,” he said in a recent blog, noting that travel and tourism operators face particularly high privacy expectations given the volume of passports and other financial information they handle on a regular basis.

“These fines must serve as a wake-up call for other companies, many of whom are still highly vulnerable to cyberattacks themselves,” he added. “The consequences are clearly significant in financial terms, but there is also a somewhat intangible reputational impact.”

“Consumers’ faith in companies can be shaken – and companies need to act now and ensure that they are harnessing the latest technologies to protect their customers’ personal data.”

Still, inertia remains a powerful force – particularly as many companies “seem to be waiting to be pushed into” GDPR a year after it came into effect, Andrew White, ANZ country manager with compliance and transformation consultancy Signavio, told CSO Australia shortly before the latest round of fines. “It just feels like the urgency isn’t there.”

The administration of more than token fines will send a message to privacy laggards, White added: “People are incented by [the threat of big fines],” he explained. “It’s embarrassing, and nobody wants to be seen to be not up to data standards. Even the average person understands that you need to be protecting their data.”