Impact Blog
A closer look at data security in the wake of Facebook

The views expressed in these posts are those of the authors and are current only through the date stated. These views are subject to change at any time based upon market or other conditions, and Calvert disclaims any responsibility to update such views. These views may not be relied upon as investment advice and, because investment decisions for Calvert are based on many factors, may not be relied upon as an indication of trading intent on behalf of any Calvert fund. References to individual companies for Engagement or Research purposes are provided for illustrative purposes only and may not be representative of the results of all of Calvert’s engagement efforts. The discussion herein is general in nature and is provided for informational purposes only. There is no guarantee as to its accuracy or completeness. Past performance is no guarantee of future results.

  • All Posts
  • More
      The article below is presented as a single post. Click here to view all posts.

      By Emma Doner, ESG Research Analyst, Calvert Research and Management

      Washington - Many aspects of our society's systems have become increasingly dependent on the acquisition, transmission, storage and use of all forms of data. The ability to maintain data security and data privacy have become material factors in business success - or failure. Through information that initially came to light through a whistleblower to the media, we have all learned that Facebook lost control of an enormous amount of data related to the personal profiles, including private messaging and web activity of up to 87 million users who have been using the Facebook platform, according to the company's own estimates.1

      As highlighted by the controversy at Cambridge Analytica (where the whistleblower was employed), Facebook's management did not maintain sufficient oversight of its customer data, particularly data acquired by third-party developers. This is not the first time the platform has been criticized over privacy concerns, and the company's response to these events must now be understood as inadequate. Calvert believes that such failures in privacy and security contribute to significant financial impacts and harm consumer trust.

      Understanding the risks

      For a company like Facebook, lack of sufficient oversight and controls around data privacy and security represents a material risk. Loss of sensitive information can impact a company's reputation, lowering consumer trust and possibly decreasing use of the service. There is also increasing regulatory risk, potentially resulting in financial liabilities or stricter operating controls. As such, data security and privacy is an area that Calvert examines closely.

      It's important to note that the role of companies and regulators in protecting privacy online is an emerging issue. In Europe, GDPR regulations will come into effect next month, which are considered to be the most stringent privacy regulations to date. In the US, the FTC has been investigating and prosecuting companies for large data breaches. However, these initiatives are relatively recent. Requirements, norms, and best practices around the issue are still evolving.

      These risks go beyond Facebook. Many companies' business models rely on gathering intense personal information to sell to advertisers and others. The ability of these companies to create a secure environment for people online is critical-- from users of the platform, to investors and regulators around the world.

      Calvert's view on Facebook

      The failings unveiled as part of the Cambridge Analytica scandal are severe and raise serious questions in our view. Facebook reached an agreement with the United States Federal Trade Commission (FTC) in 2011 and agreed to comply with the terms of an Order from the FTC related to data security, data privacy, related disclosures and policies. While we do not yet know if Facebook in in violation of the Order, we believe that Facebook has clearly violated user privacy, which we consider a fundamental human right. Therefore, the company is not meeting the Calvert Principles for Responsible Investment, we have eliminated the stock from the Calvert Indices and we are also evaluating a corporate engagement strategy.

      What changed our view of Facebook is that we now have clear evidence that it was not employing adequate controls to protect user privacy. This is demonstrated by the fact that a third party gained access to the data, without paying, for purposes which users didn't understand or consent to. Facebook confirmed the data was accessed by Cambridge Analytica, and admitted that it learned about the issue over a year ago. In addition to calling into question the company's ability to perform the essential data security and privacy requirements, it raises governance concerns. This is especially the case coming in the context of the FTC Order.

      As a result of having access to the data from Facebook, Cambridge Analytica was able to allow a firm with political motivations to send targeted messages to users designed specifically to alter individual perceptions and behavior. It is unclear if nation-states or advertisers targeting vulnerable groups have been able to use Facebook's platform in similar ways.

      Calvert's approach to privacy and security risk

      Calvert is continuing to monitor the Facebook situation, watching closely how regulators and users will respond. We intend to work with Facebook and other data driven companies, through engagement, to encourage better understanding of privacy and security risks and the implementation of effective controls.

      This Facebook/ Cambridge Analytica story is a call to action for the entire industry to tighten up controls, and Calvert intends to be active in discussions around how to effectively do that.

      Bottom line: In light of new information uncovered by this controversy, we believe all managers will evolve existing frameworks for assessing how well companies are positioned to manage privacy risks.