Illustration: Rebecca Zisser/Axios

This year Facebook made a habit of waiting to disclose privacy issues to the public or, after damaging stories broke, failing to get ahead of questions it would inevitably face.

Why it matters: Experts advise institutions facing public crises to respond fully and fast, make potentially damaging revelations all at once, and avoid drip-drip-drip scenarios that erode credibility. Facebook has often taken the opposite path, multiplying the damage its controversies have dealt to its reputation and its business.

  1. The latest instance came Friday, when the company revealed a bug exposing unposted photos of millions of users — one that it had identified and fixed back in September.
  2. The Cambridge Analytica scandal in March: The data leak linked to Cambridge Analytica happened in 2015, but wasn't made public until last spring, when reporters at newspapers on both sides of the Atlantic found out about it. The company then went silent for days, allowing the crisis to fester.
  3. The opposition research scandal in November: Last month news broke that a right-leaning consulting firm employed by Facebook had pitched opposition research trying to tie Facebook's critics to the liberal billionaire George Soros — but it was another week before it disclosed key details. That included the fact that COO Sheryl Sandberg had received emails that mentioned the consulting firms, despite initially saying she wasn't aware of the firm's hiring.

Be smart: A new sweeping privacy law in Europe has been forcing Facebook to be more forthcoming about privacy-related scandals.

  • Facebook reported the latest incident, made public on Friday, to Ireland's data protection regulator on November 22, once the company realized the breach met a reporting threshold in European privacy law.

Yes, but: Facebook says it waited more than three weeks to tell the public, citing the work it took to notify users of the incident and translate notifications into different languages.

  • In the past, the company has also cited work with law enforcement as a reason for delays in disclosing information surrounding breaches and leaks.
  • "We notified the IDPC as soon as we established it was considered a reportable breach under GDPR," said a spokesperson for Facebook. "We had to investigate in order to make that conclusion. And once we did, we let our regulator know within the 72-hour timeframe.”

The company's critics have highlighted Facebook's attempts to avoid public scrutiny — and its tactic of releasing bad news late on Fridays or holidays.

The bottom line: Facebook's halting responses to crisis or controversy has been a defining quality of the company this year, and often made bad situations worse.

Go deeper

Updated 55 mins ago - Politics & Policy

Coronavirus dashboard

Illustration: Aïda Amer/Axios

  1. Politics: Chris Christie: Wear a mask "or you may regret it — as I did" — Senate Democrats block vote on McConnell's targeted relief bill.
  2. Business: New state unemployment filings fall.
  3. Economy: Why the stimulus delay isn't a crisis (yet).
  4. Health: FDA approves Gilead's remdesivir as a coronavirus treatment How the pandemic might endMany U.S. deaths were avoidable.
  5. Education: Boston and Chicago send students back home for online learning.
  6. World: Spain and France exceed 1 million cases.

FBI: Russian hacking group stole data after targeting local governments

FBI Headquarters. Photo: Mark Wilson/Getty Images

Energetic Bear, a Russian state-sponsored hacking group, has stolen data from two servers after targeting state and federal government networks in the U.S. since at least September, the FBI and Cybersecurity and Infrastructure Security Agency said on Thursday.

Driving the news: Director of National Intelligence John Ratcliffe announced Wednesday that Iran and Russia had obtained voter registration information that could be used to undermine confidence in the U.S. election system.

FDA approves Gilead's remdesivir as a coronavirus treatment

A production line of Remdesivir. Photo: Fadel Dawood/picture alliance via Getty Images

Gilead Sciences on Thursday received approval from the Food and Drug Administration for remdesivir, an antiviral treatment that has shown modest results against treating COVID-19.

Why it matters: It's the first and only fully FDA-approved drug in the U.S. for treating the coronavirus.