Facebook’s slow and incomplete response to the revelations surrounding Cambridge Analytica’s access to and use of Facebook consumer data has sparked a fervor in both lawmakers and the public. In fact, we appear to be witnessing a cultural paradigm shift around data protection, both in terms of consumer expectations and state and federal regulation – and business leaders must take heed in terms of reputational risk assessment and crisis response.
As Facebook CEO Mark Zuckerberg prepares to testify before Congress this week, these are a few things we think Facebook and other companies should keep in mind moving forward.
It is practically inevitable today that consumer data will at times fall into the hands of bad actors, or be exposed or exploited in ways that make consumers uncomfortable and distrustful. As Facebook’s Cambridge Analytica scandal has sharpened the public spotlight on company practices around personal data collection, use and access, consumers, reporters and elected officials are quickly becoming sensitized to the concept of data privacy in a way we have not seen before.
Cybersecurity policy in the U.S. has continued to lag behind exponential advances in data mining, meaning that companies like Facebook may not currently face a strenuous legal mandate for protecting consumer data. More stringent regulation is likely on the horizon, which companies should be preparing for. But in advance of and beyond legal necessity, company executives, alongside communications personnel and outside advisers, should carefully re-assess the reputational risk posed by company privacy policies and any potential misuse of its data as perceived by customers, investors, the media and other stakeholders. It may become necessary during these exercises to consider whether policy changes above and beyond the current law are warranted in order to bolster current corporate positioning and to help inoculate the enterprise in case of a breach or misuse incident. If your company’s data-management practices were to suddenly become a topic of public conversation – and in today’s environment, that may now be more likely – how would it affect consumer, investor, regulator, partner and employee confidence in your business?
Nor should this data policy and communications review be a one-time event: in a world where data may be collected long before a product, service or company is developed that could take advantage of it, companies should continually review and update their data protection policies and crisis response plans, particularly in light of regulatory changes and mishaps at other enterprises that further shape public opinion and expectations.
Under the new data protection paradigm we see forming, consumers will hold companies like Facebook responsible for strictly controlling who has access to their data and how it can be used, and for clearly communicating this information to customers. Companies should also proactively consider whether, when, and how to communicate to all key stakeholders if they discover or suspect that data in their possession has been misused. Keeping in mind that the first story often sets the public narrative – a forced revelation, such as a media leak, could do far more reputational damage than a proactive statement on the company’s terms and timeline.
In our observation, Facebook made two crucial missteps in its response to allegations of data mishandling. First, it was extremely slow to respond, letting increasingly damaging information dribble out over the course of weeks, which kept the story in the limelight and gave the impression Facebook had something to hide. And it clearly struggled to find and appoint an appropriate spokesperson. Until recently, Facebook has infamously deployed anyone but Zuckerberg to address criticism, including lawyers, security experts and Sheryl Sandberg. But only after the Cambridge Analytica scandal had already ballooned did Zuckerberg step into the line of fire. The CEO’s name is nearly as famous as the brand itself, and he has a duty to be responsive to users and lawmakers about a major development at one of the world’s most widely-used social platforms.
Eventually, Zuckerberg did appear in an interview on CNN. The interview, in which he highlighted his role as an engineer and a father, portrayed Zuckerberg as a weak leader, acting only in response to public outcry. Since then, Facebook has begun correcting course: over the past several days, Zuckerberg and Sandberg have blanketed the media with interviews and announcements of an array of new privacy policies and security updates. This will serve Zuckerberg well during his upcoming congressional testimony, and offer him ammunition for some of the tough questions he’ll face. But in terms of public opinion and the company’s reputation, this campaign could have had far more impact if Zuckerberg had set the initial narrative, rather than tried to play catch-up.
Companies learning from Facebook’s experience can take multiple steps to avoid a similar outcome – beginning by preparing to face increased scrutiny of data handling practices from both lawmakers and consumers. By outlining stricter internal protocols for protecting data and addressing breaches or misuses, companies may ready themselves to address concerns clearly, systematically, and effectively. Timely and clear communication from an appropriate figurehead can also make the difference between acute and chronic crises, which can have company-ending results.
In the wake of Zuckerberg’s congressional testimony, KARV will be keeping a close eye on new regulatory developments, consumer expectations, and media trends around this issue.