Facebook would have had a rough year no matter what, given all of the problems that came to light.
Over and over, it made its breaches and missteps worse by waiting to disclose privacy issues to the public, David writes. The company also frequently failed to get ahead of questions it inevitably faced after damaging stories broke.
Why it matters: Experts advise institutions facing public crises to respond fully and fast, to make potentially damaging revelations all at once, and to avoid drip-drip-drip scenarios that erode credibility. Facebook has often taken the opposite path, multiplying the damage its controversies have dealt to its reputation and its business.
1. The latest instance came Friday, when the company revealed a bug exposing unposted photos of millions of users — one that it had identified and fixed back in September.
2. The Cambridge Analytica data leak happened in 2015 but wasn't made public until March, when reporters at newspapers on both sides of the Atlantic found out about it. The company then went silent for days, allowing the crisis to fester.
3. The opposition research scandal broke out in November, when reporters learned that a right-leaning consulting firm employed by Facebook had pitched opposition research trying to tie Facebook's critics to the liberal billionaire George Soros — but it was another week before it disclosed key details.
- This included the fact that COO Sheryl Sandberg had received emails that mentioned the consulting firm, despite initially saying she wasn't aware of the firm's hiring.
Be smart: A new sweeping privacy law in Europe has been forcing Facebook to be more forthcoming about privacy-related scandals.
- Facebook reported the latest incident, made public on Friday, to the Irish Data Protection Commissioner (IDPC) on Nov. 22, once the company realized the breach met a reporting threshold in the European privacy law, called GDPR.
Yes, but: Facebook says it waited more than 3 weeks to tell the public, citing the work it took to notify users of the incident and translate notifications into different languages.
- In the past, the company has cited work with law enforcement as a reason for delays in disclosing information surrounding breaches and leaks.
- "We notified the IDPC as soon as we established it was considered a reportable breach under GDPR," said a spokesperson for Facebook. "We had to investigate in order to make that conclusion. And once we did, we let our regulator know within the 72-hour timeframe.”
The bottom line: Facebook's halting responses to crisis or controversy has been a defining quality of the company this year, and often made bad situations worse.