In a recent settled enforcement action, the SEC provided an important lesson on required public disclosures. The SEC charged that Facebook disclosed misuse of its user data as a potential or hypothetical risk even though the company knew that user data had actually been misused.
According to the SEC’s complaint, Cambridge Analytica paid an academic researcher to illegally collect personal data from Facebook for use in targeted political advertising. The complaint said that Facebook discovered the misuse of the information, but instead of promptly issuing corrective disclosure, Facebook waited more than two years before taking action.
The complaint alleged that, during that two-year period, Facebook had no specific policies or procedures in place to assess the results of their internal investigations for the purposes of making accurate disclosures in the company’s public filings. The SEC’s press release said that “[p]ublic companies must have procedures in place to make accurate disclosures about material business risks.” This suggests that, while Facebook did have a policy for vetting its disclosures, that policy did not result in developments in internal investigations being presented to its disclosure team or committee for consideration.
Although presenting certain risks as hypothetical may be appropriate, companies need to be alert to changing their disclosures when those risks become reality. More broadly, companies should regularly review their risk factors disclosures and forward looking statement disclaimers and update them as the risks evolve. Moreover, companies should consider enhancing their disclosure policies and procedures to ensure that those writing disclosures about material business risks have accurate information about the reality of those risks.
 Without admitting guilt, Facebook agreed to pay a $100.0 million penalty and is permanently enjoined from violating Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933, Section 13(a) of the Securities Exchange Act of 1934 and Rules 12b-20, 13a-1, 13a-13, and 13a-15(a) thereunder.