Sunday, 17 June 2012

Of Facebook, mantras and compliance

There have been a lot of negative stories on Facebook recently (privacy concerns, the IPO). So, when I came across this story in Technology Review about What Facebook Knows, I thought that this is one of the more useful (and positive when considered against the backdrop of recent negative press) articles out there about Facebook, and the potential of the uses (beyond just marketing) for the personal information that it collects. It is a good article and I think it is worth a read on a weekend.

At one point, the article describes the mantra of the software engineers within the company as:
"Move fast and break things."
This of course comes from Mark Zuckerberg's letter to potential investors: "We have a saying: “Move fast and break things.” The idea is that if you never break anything, you’re probably not moving fast enough."

This isn't too far from one of Google's slogans as cited in the Huffington Post:
"Launch and iterate"

In fast-moving markets, it is crucial to be up there in front of the pack, innovating and delivering new products and services constantly so that the user experience stays relevant and fresh. However, as lawyers, we know that this need must be balanced well as there are significant risks (legal, financial and reputational) if the product development and management process does not include sufficient legal and compliance input. Even if it is finally decided that the benefits outweigh the risks, one must consider the potential for miscalculations of that risk (given the propensity of some within the business to exude over-confidence, which gives rise to the illusion of control) and prepare for the potential consequences of such miscalculations.

Here are some examples of where a focus on development and product functionality did not serve the company well from a privacy perspective:
  • The "launch and iterate" process probably didn't help Google when its product engineer decided to write code to allow the capture and storage of payload data transmitted via unencrypted Wi-Fi networks.
  • Path did not get the consent of users when it uploaded their address books onto Path servers, and the CEO had to issue an apology and, according to Bloomberg, was on the receiving end of a grilling from Tim Cook.

One final word here since we are on mantras and slogans.

We lawyers also have a mantra of our own:
"Tone at the Top"
This basically means that the compliance culture and profile of a company is usually set by the actions and words of senior management within the company. Everyone takes their marking from senior management. If senior management encourages you to "break things", well ... that is their prerogative to say these things (although I think as a company continues to grow up, they would usually want to ditch that sort of messaging). However, if I am an employee or an investor, I would want to know whether there are sufficient checks in their development, operational, sales and marketing processes to minimise risks as best as possible, or whether the culture is one of unmanaged risk-taking. I would want to know this because breakages usually have consequences, and as they say in the Fine China shop:
"Once Broken, Considered Sold". 
