“May” May Not Be Adequate Disclosure

I’m sure you heard that Facebook is paying a $5 billion fine for privacy violations to the Federal Trade Commission. You may not have heard that the Securities and Exchange Commission decided to pile on and fine Facebook another $100 million for disclosure failures.

As Matt Levine of Bloomberg says, “Everything is securities fraud.”

[T]he Risk Factor disclosures in its Form 10-Q filed on October 30, 2014, Facebook cautioned that “Improper access to or disclosure of user information, or violation of our terms of service or policies, could harm our reputation and adversely affect our business.” In the same Form 10-Q, the company advised that if developers “fail to comply with our terms and policies . . . our users’ data may be improperly accessed or disclosed.” This, the company acknowledged, “could have a material and adverse effect on our business, reputation, or financial results.”

My emphasis and the emphasis of the SEC in its press release

The problem was that Facebook knew that the users’ data had in fact been improperly accessed and disclosed. The SEC is taking the position that this phrasing of a risk creates a false impression that it is merely hypothetical and not actually happening.

The SEC had this fight over “may” in the Robare case. That ended up being a bad strategy for that case. If you remember, Robare’s disclosure was that it may be earning other fees, when it was always earning those fees. One court overturned the SEC. But it had a long history after the case and the SEC ended up winning anyhow.

In the Facebook case, the company made press releases that were incorrect or misleading because they failed to disclose the Cambridge Analytica problem.

The SEC tops this off by pointing out that the Facebook stock price fell from $185 to $159 after the Cambridge Analytica problem was disclosed to the public. That reinforces that the problem was material and should have been disclosed.

Facebook, Capital and Liquidity

There have been many stories written about the Goldman Sachs investment in Facebook. On one hand, there is the chatter about the investment placing the valuation at $50 billion. On the other hand, there is the talk about how this affects a possible IPO by Facebook.

There are two main reasons for a public offering of stock: liquidity and capital.

If you need capital, a public offering of common stock is merely one of many ways to raise capital. The benefit of this option is that the capital does not need to be repaid. A bank loan, a bond offering, venture capital or private capital will generally need to be repaid at some point. Each source of capital has a price and repayment terms that you need to align with the company’s needs and business plan.

It sounds like Facebook has ready access to capital in many forms. So an initial public offering may not be the best or the cheapest source of capital.

The liquidity of public stock is useful for rewarding employees and cashing out earlier sources of capital. Employee stock is great, but in a private company it is very illiquid. It does you very little good to be a millionaire on paper if you can’t access the wealth. Early round investors, like venture capital funds, want to be cashed out at some point. They need to return capital to their investors. It sounds like some of the private trading of Facebook stock is being done by employees and early investors.

The third reason for a public offering of stock was the reason faced by Google. Once you have more than 499 investors, you need to start making reports public. So you may as well get the benefits of liquidity in the stock.

The cash from a public offering does not need to be repaid, but there are costs to the capital. That means complying with Sarbanes-Oxley. The CEO and CFO have potential criminal liability for false reporting. The board of directors will now need to include independent directors. The company will be subject to shareholder lawsuits. There are lots of costs.

To me it sounds like Facebook and Goldman have come up with an ingenious solution to address the capital needs for Facebook and to avoid a public offering of stock. I assume the Goldman investment and its new fund will be used to provide some capital for expansion and growth. I also suspect that some of it will be used to cash out early investors, purchase employee stock, and repurchase stock that has been privately traded. Gobbling up the stock would be an opportunity to keep the number of investors well below the 499 trigger point. Early investors may take their money and run.

Assuming Goldman can provide $2 billion and charge its investors a 4% fee for investing, they have already made $80 million on their $450 million investment.

Social Networking Malware as Affinity Fraud

Panda Security released its first annual Social Media Risk Index for small- and medium-sized businesses. They surveyed 315 US SMBs with up to 1,000 employees during the month of July.

  • 33 percent of these companies had experienced a malware or virus infection from social networks
  • 23 percent cited employee privacy violations resulting in the loss of sensitive data from social networks

Panda concluded that Facebook provided the majority of the reported malware and privacy violations. That should not be a surprise since Facebook is the most widely used social media site.

I was surprised to see how high Twitter was in the list of sources causing problems. Yes, Twitter was half of Facebook. But Twitter’s popularity is much less than half of Facebook. I would pin the responsibility on the widespread use of URL shorteners in Twitter. If a friend sent a link from nytimes.com, I would be much more likely to click on that link than one from nigerianmoneymakingtips.com. When the link is hidden behind the URL shortener (http://bit.ly/aBzaiB), you do not know the destination. (Tell me you didn’t click on that link?) Yes, there are many tools that will expose the URL, but that is not the default for the services.

I think the vast majority of people realize that the Nigerian banker does not really have the millions of dollars promised to you. We are more likely to click on a link sent from a friend than one from a stranger saying they have money for us.

That is the increased danger from social network sites. They are a type of affinity fraud, preying on those in a similar social circle. Instead of looking directly for money, they are looking indirectly for passwords and account information.

Affinity frauds exploit the trust and friendship that exist in groups of people who have something in common. They usually enlist respected community leaders from within a group to spread the word about the scheme.

Taking this to social networking sites, the relationships are exposed through the connections memorialized in the site. The leaders are those with the most connections.

By spreading the message from compromised account to compromised account, the malware is piggy-backing on the social connections. The better infections make it look like the message is from the person and the link is tied to something of interest, like the Most Hilarious Video.

The leaders for a social networking site end up being the leaders because the message gets sent to the most people. If I mistakenly send a malware URL on Twitter, only a few thousand people will be potential targets. If Chris Brogan sent the message, it would be seen by over 150,000 people. If Kim Kardashian was the sender, then over 4 million people would be on the receiving end.

I don’t think that the malware and privacy concerns should deter businesses from using these tools. You just need to recognize the additional threats. We have become better at spotting the email scams and blocking malicious emails. We just need to improve the technology and increase employee knowledge to reduce the likelihood of social network malware infections.

If You Want to Defend Your Privacy from Geek and Poke

Sources:

Active Privacy Defense by Geek and Poke

Are Facebook and MySpace Messages Subject to Discovery?

In the recent case of Crispin v. Audigier, a California judge ruled that Facebook and MySpace messages that aren’t publicly available are protected information under the Stored Communications Act, and therefore can’t be subpoenaed for use in civil litigation.

Buckley Crispin sued clothing maker Christian Audigier for copyright infringement, alleging that Audigier used his artistic material outside the scope of a license agreement. Audigier issued a subpoena to Facebook, MySpace, and two other third parties seeking communications by Crispin about Audigier.

Crispin’s lawyers argued that such communications fell under the Stored Communications Act, which prevents providers of communication services from divulging private communications to certain entities and individuals. A magistrate judge rejected the argument and found that Facebook and MySpace were not Electronic Communications Services and therefore not subject to the protections of the Stored Communications Act. Because the magistrate judge thought the websites’ messaging services are used solely for public display, he found that they did not meet this definition.

Judge Morrow of the US District Court for the Central District of California disagreed and laid out some thoughts about the use of the sites and how they relate to civil litigation. (Law enforcement can always use a warrant to get the information, assuming it is related to a crime.)

The Judge noted that the Stored Communications Act distinguishes between a remote computing service and an electronic communications service.

“electronic communication service” means any service which provides to users thereof the ability to send or receive wire or electronic communications (18 U.S.C. § 2510(15)). With certain enumerated exceptions, the Stored Communications Act prohibits an electronic communication service provider from “knowingly divulg[ing] to any person or entity the contents of a communication while in electronic storage by that service.” (18 U.S.C. §§ 2702(a)(1), (b))

“remote computing service” means the provision to the public of computer storage or processing services by means of an electronic communications system (18 U.S.C. § 2711(2)). The Stored Communications Act prohibits a remote computing service provider from “knowingly divulg[ing] to any person or entity the contents of any communication which is carried or maintained on that service.” (18 U.S.C. §§ 2702(a)(2))

In the end, the decision about whether a particular message is subject to disclosure is dependent on security settings. Different messages in Facebook and MySpace (and other web 2.0 sites) will be subject to different standards.

The judge found that webmail and private messages are inherently private and quashed the subpoena for those messages. With respect to the subpoenas seeking Facebook wall postings and MySpace comments, the decision will be dependent on the person’s privacy settings and the extent of access allowed. If the general public had access to plaintiff’s Facebook wall and MySpace comments then presumably they are subject to discovery in civil litigation.

The Stored Communications Act was passed as part of the Electronic Communications Privacy Act in 1986. This was obviously well before the development of the current internet applications and technology. Courts, including the one in this Crispin case, have found that the application of this nearly 25-year-old statute presents challenges in application to the current use of the internet.

As Facebook changes the privacy settings in its platform, those changes will affect the discoverability of messages in civil litigation.

Implementing Compliance Practices for Social Media

I was in the audience for FINRA’s latest educational Program: Implementing Compliance Practices for Social Media.

This program addressed implementation of new guidance that FINRA recently issued in , concerning social media.

Introduction

Tom Pappas

FINRA does not endorse any particular practice and each firm will have to do things differently. The views in this webinar will not provide a safe harbor.

Summary of FINRA Regulatory Notice 10-06, Guidance on Blogs and Social Networking Web Sites

Joseph Savage

addresses five different areas:

Record-Keeping. You need to keep copies of the information you publish, regardless of the form. FINRA is aware that it’s not easy to capture this information when using third-party sites like Facebook. (Tough. Deal with it). You can file screenshots with FINRA.

Suitability responsibilities (Notice to Members 01-23). You are better off not recommending any specific investments.

Types of interactive electronic forums. Generally, postings will be considered advertisement, but interactive postings are a public appearance (so you do not need principal approval). They felt that Twitter posts and Facebook updates would be interactive electronic forums.

Supervision of social media sites (Regulatory Notice 07-59). This should be a risk-based review.

Third-party posts (“Adoption” and “Entanglement”). Generally, third party content is out of your control. But if you arrange for third party content or endorse it, then you may be deemed to have adopted that content and treat it as if you adopted it directly.

The notice is just guidance, not a rule. FINRA is looking at a new rule. See Regulatory Notice 09-55.

Firms’ Perspectives: Is Social Media Right for Your Firm?

Doug Preston & Joanne Rodgers

Doug pointed out the tremendous growth of social media. Regardless of the form and how it works, you need to use the sites in compliance with rules. (The rules are not going to adapt to social media.)

Joanne is doing a pilot with a vendor to help with compliance. They had lots of requests from recruiting and sales to use the tools.

If you use a social media site for personal purposes, can you still list that you work for the financial services company? You can have a “business card rule.” Just post the information on your business card, with no call to action or specific information.

Is this a growth area or just customer pressure? They have no data. Sales really want to use the tools to generate business. They view it more as a lead generation instead of a sales tool. Recruiting is an avid user of social media sites, especially LinkedIn.

Nobody has much data on the cost/benefit of using social media sites.

Firms’ Perspectives: Developing Social Media Pilot Programs

Doug Preston & Joanne Rodgers

Joanne has just finished a pilot for 25 agents and 25 recruiters. She saw that most of the agents participated in Facebook, more personal than business. The recruiters mostly used LinkedIn. (She did not want to disclose the vendor she used.)

Doug has not opened up the broker side to social media. The bank side does use it. They are using some of that learning to build a system for the broker side.

One issue is the level of activity and the additional resources needed to review activity. The tools may be free, but they require people resources and time.

The key is the ability to obtain and retrieve the records and to move the records into your email surveillance program. It’s also important to be able to shut off some of the functionality on social media sites.

Firms’ Perspectives: Compliance Practices Concerning Social Media

Doug Preston & Joanne Rodgers

There are lots of risks. You need to draw a line between sites you control and those run by third parties. You can do stuff on a blog you host that you can’t do on a third party blog platform.

You will need new processes and policies. You will need lots of training.

FINRA is ahead of the curve compared to some other regulators in the financial services industry. Insurance regulators have not addressed the use of social media.

One of the big risks is brand/reputation risk. Each of the registered representatives becomes a brand ambassador. If they say something bad or embarrassing, it affects the company as well as themselves.

What is FINRA looking for? If you are using social media, they will want to see: written procedures, actual supervision, records and procedures.

They did not like LinkedIn recommendations. Registered representatives should not accept the recommendations.

The static versus interactive distinction is the toughest one to deal with.

Third-Party Postings

Joseph Savage, Doug Preston, Joanne Rodgers, & Joseph Savage

Questions 8, 9 & 10 in address the issue of third party posts. You probably should put in a disclaimer if you let third party posts on your site. You should monitor them to make sure there is no inappropriate material (porn, copyright). You also need to monitor complaints.

A reg. rep. “favoriting” something or “liking” something could be considered adopting that third party statement.

Program Summary

The session should be available online in a few weeks.

FACULTY

Tom Pappas (Moderator) is Vice President and Director of FINRA’s Advertising Regulation Department. The department regulates the advertisements, sales literature and correspondence used by FINRA firms. His responsibilities include rule development, management of the filing and surveillance programs and related enforcement activities. He served in the same role at NASD before its 2007 consolidation with NYSE Member Regulation, which resulted in the formation of FINRA. He joined NASD in 1984 and was previously with Davenport & Company LLC. He received a bachelor’s degree from The University of Richmond and an M.B.A. from Virginia Commonwealth University.

Douglas Preston is a Senior Vice President and Compliance Executive at Bank of America Merrill Lynch (BAML), as well as Chief Compliance Officer for Merrill Lynch Professional Clearing Corporation, the firm’s prime brokerage arm. He is also responsible for a number of other compliance areas at the firm, including serving as the Chairman of the firm’s Enterprise Electronic Communications & Media Governance Committee, and leading BAML’s Global Banking & Markets Electronic Communications & Media Compliance team, among other responsibilities. Prior to BAML, Mr. Preston was Senior Special Counsel at NYSE Regulation. In his role at the NYSER, Mr. Preston helped develop and interpret various NYSE rules. He has worked on several major regulatory initiatives, including Regulation SHO, gifts and entertainment and electronic communications (NYSE 07-59), among others. Before joining NYSE, Mr. Preston was the General Counsel and Chief Compliance Officer (CCO) for Santander Investment, SA’s New York investment bank. He was also the CCO of the investment banking arm of the Bank of Nova Scotia, and Associate General Counsel for the Securities Industry Association (now SIFMA). Prior to SIFMA, he worked in private practice, representing financial services entities. Mr. Preston received his J.D. from Fordham University School of Law. He is a member of the Bar of New York, New Jersey, Washington, DC and the U.S. Supreme Court.

Joanne Rodgers is a Vice President of Compliance at New York Life Insurance Company (NYL). She is responsible for managing the sales material review unit, field review unit and market surveillance. Ms. Rodgers has worked at NYL in various roles of compliance for the past 15 years. Prior to joining NYL, she worked as an examiner at NASD. She is a graduate of Franklin & Marshall College with a B.A. in Business Administration.

Joseph P. Savage is a Vice President in FINRA’s Investment Companies Regulation Department. Mr. Savage specializes in a broad range of securities regulatory matters, including investment management, investment company, advertising and broker-dealer issues, and regularly appears at conferences regarding these issues. Prior to joining FINRA, he was an Associate Counsel with the Investment Company Institute and an attorney with the law firms of Morrison & Foerster LLP and Hunton & Williams. Mr. Savage also served as a judicial law clerk for United States District Judge John P. Vukasin of the Northern District of California. Mr. Savage holds a bachelor’s degree from the University of Virginia, a master’s degree from the University of California, Berkeley, and a J.D. from the University of California, Hastings College of the Law, where he served as Note Editor of the Hastings Law Journal.

Compliance Bits and Pieces for December 11

Here are some interesting stories from the past week.

Tis the Season! Where are the gifts from vendors?? from Kathleen Edmond, Best Buy’s Chief Ethics Officer

This time every year we send out reminders to our employees that we do not accept gifts from vendors. At the same time we send letters to our vendors asking that they don’t send our employees any gifts. I usually get questions from employees, and even some vendors, about why we have this policy.

Second Circuit Defines Employers’ Obligations in Sexual Harassment Claim by Daniel Schwartz on the Connecticut Employment Law Blog

The Second Circuit’s decision in Duch v. Jakubek (decided on Friday, December 4th)… discusses what to do with a supervisor who purposely ignores evidence of sexual harassment. And the court concludes that the supervisor should have known that a female subordinate was being sexually harassed and should’ve done something about it.

Magyar’s Magnum Opus from the FCPA Blog

Magyar Telekom’s SEC disclosure last week about its internal investigation into fraudulent contracting practices could have been short and bland and very ordinary. A typical corporate blank wall. Instead it was abundant in length and detail  — one of the most rewarding public disclosures about an internal investigation we’ve ever read. It appeared in the company’s SEC Form 6-K, Report of Foreign Private Issuer, filed December 3, 2009 here.

Did An FCPA Enforcement Action Contribute to a Foreign Coup? by Mike Koehler in the FCPA Professor

In April 2009, DOJ announced (see here) that Latin Node, Inc. (a privately-held telecommunication services company headquartered in Miami) pled guilty to violating the FCPA’s anti-bribery provisions in connection with improper payments made to officials in Honduras and Yemen in order to obtain and retain business. The criminal information (see here) details Latin Node’s efforts to obtain and retain business with Hondutel (the Honduran government-owned telecommunications company) and charges that despite recognized “financial weaknesses” in Latin Node’s proposal, Hondutel ultimately selected Latin Node for the agreement because of various improper payments Latin Node made or authorized to various Honduran “foreign officials.”

FCPA Ending its ‘Most Dynamic Single Year’ With a Bang By Dionne Searcey for The Wall Street Journal Law Blog

Two Florida executives of a Miami-Dade County-based telecommunications company, the president of Florida-based Telecom Consulting Services Corp., and two former Haitian government officials were charged in an indictment unsealed yesterday for their alleged roles in a foreign bribery, wire fraud and money laundering scheme, DOJ has announced.

Why You Shouldn’t Take it Hard If a Judge Rejects Your Friend Request by Ashby Jones on the Wall Street Journal Law Blog

Late last month, the Florida Judicial Ethics Advisory Committee issued an advisory opinion on the use of social networking sites by Florida judges. (Hat tip: Legal Profession Blog.) This little rhetorical appears early in the opinion:

Whether a judge may add lawyers who may appear before the judge as “friends” on a social networking site, and permit such lawyers to add the judge as their “friend.”

ANSWER: No.

The Social, Mobile Web: Business Productivity in an Era of Twitter, Facebook, and Unified Communications

I’m attending the Enterprise 2.0 Conference in San Francisco. I’m sharing my notes from this session. The speaker is Clara Shih, founder and CEO of Hearsay Labs, which develops web applications to track brand engagement and accelerate sales on Facebook and Twitter. She is also the author of The Facebook Era: Tapping Online Social Networks to Build Better Products, Reach New Audiences, and Sell More Stuff.

Facebook is CRM; it’s the way to manage your contacts and stay in touch. She makes the argument that email is dead.

(I think this is a losing argument. You will lose just about everyone if you make this statement. So what if college students are not using email. They are not working inside a business organization.)

Companies are investing more time and money on social media as part of their marketing strategy.

She put forth that Facebook is the template for online identity. It has become socially acceptable to share photos, interests and demographic information. You can get to know people more quickly. Now you also have the layering in of the real-time identity.

The transaction costs of communication are being reduced. Email was cheaper than phone calls. Facebook and Twitter allow you to reach an even broader audience even more cheaply, especially when keeping in touch with weak ties.

She showed the tool she made called Faceconnector (originally called FaceForce) that pulled Facebook information into Salesforce, essentially enhancing that CRM system.

One in Two U.K. Companies Block Social Networking Web Sites

Fulbright & Jaworski, the international law firm, just published their 6th Annual Litigation Trends Survey Report. It is an independent survey of senior corporate counsel from a wide range of industry sectors.

About half of the respondents (52% of U.K. and 46% of U.S.) claim to block employees from accessing social networking Web sites. Two in five of all corporates (42%) block the most popular personal social networking sites (such as Facebook, MySpace and Bebo) and 30% block business-related networking sites (LinkedIn and Plaxo). The YouTube web site is also blocked by more than a third of companies (37%).

Only 1/3 of the companies reported that they have no restrictions on access. Technology companies are the least likely to block social networking sites, with 56% of all tech companies saying they have no restrictions on such sites.

I found it interesting that 18% of U.K. companies have been asked to produce electronic information from such web sites as part of an electronic discovery request in legal proceedings.

Melanie Ryan, a Fulbright partner, commented, “For some businesses, networking sites can provide an efficient platform for keeping up-to-date with the latest developments and maintaining a profile in their industry. For those businesses that block access, such benefits are outweighed by the possible legal risks, including the inadvertent disclosure of confidential or proprietary information and the resulting claims or fines imposed by their regulators – not to mention, the security threat to their IT systems.”

But do they have a policy in place to let employees know what they should not be doing on these sites? Or are employees just doing those bad things at home or on their iPhone?

Blocking is not an effective policy.

Facebook, Twitter, LinkedIn and Compliance: What Are Companies Doing?

The Society of Corporate Compliance and Ethics and the Health Care Compliance Association conducted a survey among compliance and ethics professionals in late August 2009 to see what employers are doing about the use of these sites by their employees.

They got back almost 800 responses from their members using an online survey tool.

  • 50% of respondents reported that their company does not have a policy for employee online activity outside of the workplace
  • Of those companies that do have a policy, 34% include it in a general policy on online usage
  • Of those companies that do have a policy, just 10% specifically address the use of social network sites

“While the data indicates that many organizations have had to discipline employees for improper activity online, the fears may outweigh the actual risks. A survey asking about discipline regarding improper email usage would likely yield much higher numbers.”

Facebook, Twitter, LinkedIn and Compliance: What Are Companies Doing?