The scandal of Facebook and Cambridge Analytica could go down any number of rabbit holes, many of them lost in the legal technicalities of whether Facebook did or did not suffer a breach of its users’ personal data.
Ethics and compliance officers should keep focus on the larger issue. And no story within this story speaks to that larger issue better than the tale of Alex Stamos — Facebook’s chief information security officer, so alarmed with how the company handled this mess that he decided to resign.
The details of Stamos’ departure were chronicled last week in a New York Times article that’s well worth your time to read. Let’s recap the timeline here.
- June 2016: Stamos suspected Russian interests are trying to exploit Facebook; assembles team to investigate;
- November 2016: Stamos’ team knows Russians were placing propaganda on Facebook;
- January 2017: Stamos writes detailed memo identifying Russian exploits;
- April 2017: Facebook publishes blog post about how a foreign adversary might weaponize Facebook to influence U.S. elections, but omits all references to Russia and efforts actually used against Hillary Clinton in 2016;
- December 2017: Stamos proposes that he report directly to Facebook senior executives, such as chief operating officer Sheryl Sandberg or CEO Mark Zuckerberg — because he reports to the general counsel.
Yeah, I made a face at that last part, too.
Any ethics & compliance professional could guess the rest of the story from there. Stamos argued for more disclosure to the public, while Facebook’s legal and communications teams argued for disclosing as little as necessary.
As that nonsense unfolded in Facebook’s management officers, the rest of the world discovered the truth: that Cambridge Analytica had taken the personal data of 50 million Americans, almost all of them with no clue what Cambridge Analytica was or that it would use their data to orchestrate Donald Trump’s capture of the presidency.
Facebook finally admitted as much on March 17. In the following week, the company lost trust, support, a few advertisers, more than a few users, and $74.6 billion in market cap. And word came on March 20 that Stamos has decide to leave Facebook by August.
Ethics, Values, and Disclosure
Let’s not sugarcoat the issue here. Facebook allowed its too-clever-by-half business model to become a weapon Russia used to undermine American democracy. Once Facebook executives grasped the full extent of that assault, and the harm to Facebook reputation that would inevitably follow, they tried to hide behind legal department technicalities rather than admit the company’s complicity in the most serious attack on American government since the Civil War.
And Facebook took that action because it could — because the legal department was in charge, and therefore empowered to subordinate ethical concerns to the constant, seductive urge of avoiding liability.
Compliance officers encounter this all the time: you see misconduct and inform superiors that “doing the right thing” might incur costs or litigation risk; and then the legal department puts your concerns in the deep freeze. Earlier this month I heard that exact tale from a compliance professional in the medical world. Last month I heard it from one of you on Wall Street. I’ll hear the same from other compliance officers again and again.
Perhaps it’s some comfort to know the IT security function gets the same treatment, but the fundamental problem is the same. The legal department evaluates corporate problems with logic alone, and that’s no longer enough.
We can’t fault corporate lawyers for evaluating difficult questions based on logic of the law and facts at hand. That’s their job. Many of them do it quite well. But when legal analyses bring us to these results — conclusions that are legally defensible but offend common sensibilities — corporations shouldn’t be surprised that the public holds them in such low regard.
Recall the Edelman Trust Barometer from earlier this year. According to the 2018 report, only 48 percent of the American public trusts business to act responsibly (compared to 52 percent worldwide, although that’s not much better). Trust in institutions crashed in the United States last year. That seems largely due to the arrival of the Trump Administration, since trust in government plummeted more than any other type of institution.
That shouldn’t catch anyone by surprise. If corporations simply talk a good game about supporting ethical values, and then head for the hills of legalese protection as soon as a difficult problem or mistake emerges — well, what else should we expect to happen? Trust will fall.
If preserving brand value is so intertwined with preserving trust, and trust is based on a set of shared core values that guide everyone’s behavior — then the foundation of preserving brand value is the protection of those shared core values.
If Corporate America is serious about building organizations around strong ethical values, then let me posit a radical idea.
Legal should report to ethics and compliance.
I know, I know. I heard you snickering right through the Internet. I have no illusions this dream will ever come to pass. Still, you can’t easily dismiss the logic of the idea. If we are entering a world where preserving brand value is so intertwined with preserving trust, and trust is based on a set of shared core values that guide everyone’s behavior amid unanticipated future circumstances — then the foundation of preserving brand value is the protection of those shared core values.
Who protects core values? The ethics and compliance function.
We should never dismiss the importance of a strong legal function. Good corporate lawyers are crucial to help the company understand what it can do, plus the risks, costs, and opportunities that any particular course of action might bring. For example, I am all for a fierce corporate lawyer who can argue that disclosing an FCPA violation will probably cost more money than it saves.
Then the lawyer needs to stop talking, while the people charged with deciding what the company should do debate that very question. What you should do depends on your ethical principles, and the chief ethics & compliance officer is the person charged with upholding those. (For the record, I am also all for disclosing the FCPA violation anyway, because my ethical value is to disclose a mistake rather than cover it up. I’m not perfect at it, but I try; and I believe most people are the same.)
Facebook’s disaster is exactly this situation, except we’re talking about security reporting into the general counsel rather than the ethics and compliance function. Imagine how different Facebook’s news would be today, if the passions and ethical impulses Stamos had weren’t thwarted by the legal department’s fears of liability. Imagine what we’d be saying about Facebook today if fears of legal liability and been subordinate to Stamos wanting to raise alarms about Russian exploitation, financial consequences be damned.
Now, like I said, I have no illusions this dream will come to pass. But as the modern business landscape continues to become more volatile, fickle, interdependent, and beholden to the finicky tastes of public whim — more and more companies will find success by acting like it has.