Facebook Data Breach
March 27, 2018: MSCI has downgraded Facebook to BB on a AAA-CCC scale as of March 27, 2018. The previous rating of BBB highlighted our long standing concerns (since 2012) with Facebook’s handling of privacy and data security issues, which has consistently lagged industry peers. The downgrade, in light of this controversy, is driven by our analysis that Facebook exhibited lax oversight of not only handling data but sharing data with third parties, as well as heightened exposure to regulatory scrutiny and erosion of customer trust.
Facebook Inc. has never been a constituent of the MSCI ACWI ESG Leaders Index or MSCI USA ESG Leaders Index, which include securities of companies with the highest MSCI ESG Ratings representing 50% of the market capitalization in each sector and region of their respective parent Index. Since 2012, when MSCI ESG Research initiated coverage of Facebook Inc., we have called attention to the firm’s poor privacy and data security management practices, scoring poorly on management indicators with regard to controls over user data sharing with third parties, data collection minimization practices and audit oversight. As of March 2018, Facebook remains in the bottom quartile on Privacy and Data Security Key Issue compared to industry peers (Software and Services companies constituents of the MSCI ACWI Index). The Cambridge Analytica controversy, assessed as Very Severe by the MSCI ESG Controversies, allege nefarious operations at the firm, but also emphasized the shortcomings in Facebook’s user data oversight controls flagged by MSCI ESG Research and accentuated the implications of such practices.
The MSCI ESG Rating of Facebook is based on our assessment of the company’s exposure to and management of the following ESG risks: Human Capital Development, Corporate Governance, Carbon Emissions, Privacy & Data Security as well as Corruption & Instability. Among those five ESG issues, privacy and data security remains the most significant ESG risk for Facebook in our analysis. The Privacy and Data Security Key Issue in the MSCI ESG Ratings model evaluates the extent to which companies may face regulatory risks, cost increases or reputational damage from a data breach or controversial use of personal data. Scores are based on involvement in handling sensitive personal data and exposure to evolving regulations; strength of policies and practices to control data collection and usage, strength of data security management systems based on evaluating the company’s publicly disclosed information; and involvement in data breaches and controversies.
MSCI ESG Research is actively monitoring further developments regarding this issue as part of our established and ongoing process for monitoring the ESG impact of key corporate developments for our entire coverage universe.