On June 29, 2018, Mark Zuckerberg, the founder, Chairman, and CEO of Facebook, had to determine how to address lawmakers' concerns about protecting users' privacy rights. On March 17, The New York Times' and The Guardian published the allegations of a whistleblower, Christopher Wylie, on how Facebook's lan policies allowed his former employer, Cambridge Analytica, to harvest Facebook users' private data. According to Wylie, in 2014, Cambridge Analytica hired an academic, Aleksandr Kogan, to collect the personal details of up to 87 million users through "This Is Your Digital Life" app. Cambridge Analytica exploited the data to develop personalized ads designed to influence the voting intentions of British and American people during the UK's Brexit referendum and in the 2016 U.S. presidential election. The privacy breach crisis caused an 18% drop in Facebook's stock prices. The company's major shareholders called for the CEO's resignation and/ or governance changes to replace Zuckerberg by an independent chairman. They also asked Facebook to hire new independent directors with expertise in data ethics to oversee privacy decisions of the leadership team." Zuckerberg was called to testify before the U.S. Senate and the House of Representatives on April 10 and 11. Operating in a relatively new industry, Facebook enjoyed a reasonable freedom from regulations for over ten years. The disclosure of privacy breach news, however, jeopardized Facebook's long-lived comfort by exposing the company to threats of receiving heavy fines and getting regulated, as warned by policymakers during the testimonies: We've seen the apology tours before... Your business model is to monetize user information to maximize profit, over privacy. And unless there are specific rules and requirements enforced by an outside agency, I have no assurance that these kinds of vague commutments are going to produce action. (Senator Richard Blumenthal, April 10, 2018. Zuckerberg's Testimony before the Senate) There's clearly tension... between your bottom line and what's best for your users. You've said. .. that Facebook's mission is to bring the world closer together, and. .. that you will never prioritize advertisers over that mission... But at the end of the day, your business model does prioritize advertisers over the mission. Facebook is a for-profit company, and as the CEO you have a legal duty to do what's best for your shareholders. (Senator Maggie Hassan, April 10, 2018. Zuckerberg's Testimony before the Senate) "Facebook's] shareholders are interested in maximizing profits. Privacy... may interfere with profits if you have to sacrifice your ad revenues because of privacy concerns. Would it not be appropriate for [lawmakers]... to assesscommittee would oversee an integrative risk management approach to proactively monitor the system, identify risks, and offer solutions for dealing with them, a risk oversight committee would also support the Board and the Executive Team In providing them with an overview of potential risks as well as the resource allocation needed to deal with such problems. 3Exhibit A - Facebook Inc., Share Price History $200.0 $150.0 $100.0 $50.0 2012 05-01 01-01 1 01 2012-09-01 2013-01-01 2013-05-01 2013-09-01 2014-05-01 2014-09-01 LADY DI 201 Source: Yahoo Finance. Facebook, Inc. (IB). NasdaqGS Real Time Pries Currency, in USD. Retrieved from: http::/ /finance yahoo.com/quote/FB/ history?pened1=3537(@&tried2= 1527 829200& interval= 1mo&filter-history&frequency=Img Facebook Leadership and Governance Leadership Team: Mark Zuckerberg Chief Executive Officer Sheryl Sandberg Chief Operating Officer David Wehner Cluef Financial Officer Mike Schroepfer Chief Technology Officer Alex Stamos Chief Security Officer Erin Egan Chief Privacy Officer Chris Cox Chief Product Officer Paul Grewal Vice president and Deputy General Counsel Board of Directors Mark Zuckerberg CEO & Chairman of Facebook Sheryl Sandberg Chief Operating Officer of Facebook Jeff Zienis CEO of Cranemere Marc L. Andreessen Co-founder of Andreessen Horowitz Kenneth I. Chenaple Chairman and Managing Director of General Catalyst Erskine B. Bowles President Emeritus of University of North Carolina Susan D. Desmond- CEO of Bill and Melinda Gates Foundation Hellmann Reed Hastings Chairman and CEO of Netflix jan Koum Founder of Whatsapp Peter A. Thiel Co-founder of Pay Pal, Palantir Technologies and Founders Fund ources Facebook, Inc. (2018). Governance Documents. Retrieved June 2018 from: tips //investor. fb.com/ corporate governance/defaultaspx & Facebook, Inc. 2018, May 08). Jeff Zients Joins Facebook Board of Directors. Retrieved June 2018Exhibit C- Christopher Wylie Background 2005 Wylie dropped out of his high school and does not attain a diploma with his class. 2007 2007 He moved to Ottawa, Canada, to work for the Opposition party. He connected with the Obama's national director of targeting while in On:wa 20 07 Relationship with Obama's national director opened up new connections with the Liberal 2010 Party of Canada. Wyle pitched various data harvesting kleas to the party, which were rejected. He moved to the UK and enrolled in the London School of Economics. His concentration was in law. 2013 He started his Ph. D. studies in fashion trend forecasting. At this time, Wylie developed an interest in understanding the historical patterns of the Liberal Democrats' electoral kisses, concluding that the there could be an opportunity for new voters. He shared his insight with the party but again faced rejection. 2013 Through the Liberal Democrats connections, he met with S C.J. Group and Nix. The meeting led to getting involved in developing the foundation of Cambridge Analytica. 2013 To join to Cambridge Analytica, Wylie was granted a "Tier 1 Exceptional Talent visa", a rare and highly coveted visa that is granted to only 200 people annually. 2013 He met Steve Bannon (the Editor in Chef at Breitbart, a far-right wing news network), Mercer (a prominent Republican party supporters, and Mercer's daughter, Rebekah, in New York 2013 To pitch his ideas on "political message targeting" to Mercer and Bannon, Wylie needed data To get access to data, he reached out to Global Science Research, a psychology research company owned by Kogan. 2014 Collected data through Kogan's "This Is Your Digital App" was used as "seeders" by Wylie for creating psychographic profiles of millions of Facebook users. 2014 Christopher Wylie left Cambridge 2018 Wylie disclosed the information regarding Cambridge Analytica's political persuasion operations. Source: Cadwalladr, C. (2018, March 18). 'I made Steve Bannon's psychological warfare tool": Meet the data war whistleblower. The Guardian. Retrieved February, 2019, from https:/ /www.theguardian.comews/2018/mar/17/ data-war whistleblower christopher wyhe-faceook ory-bannon-trumpfinancial penalties in a way that would sufficiently send a signal to the shareholders and to your employees ... that the privacy .. is a botton-ling issue at Facebook? (Congressman Scott Peters, April 11, 2018. Zuckerberg's Testimony before the House Committee) Following the testimonies, on June 29, 2018, Facebook provided the House of Representatives with a 752-page response document, "Questions for the Record Response" (Response document), which answered lawmakers questions about it's data-handling practices. To avoid the risk of penalties and regulations, Facebook's management team needed to develop and implement a feasibilityor protecting the privacy rights of users in the future. In doing so, however, Zuckerberg faced a major challenge in balancing two competing priorities: (1) minimizing the risk associated with a privacy breach in the company's operations, an. (2) meeting the expectations of Facebook sharehoklers by remaining profitable. FACEBOOK, INC. BACKGROUND In October 2003, Harvard undergraduate Zuckerberg hacked into the campus housing directory to compile students' pictures into his Facemash' website. The website displayed two female students' pictures and asked to vote for the more attractive one. Within few hours, Facemash attracted 450 visitors and 22,0010 votes. Zuckerberg was ordered to shut down the website and reprimanded by Harvard's Administrative Board for the privacy violation. After this incident, Zuckerberg told Harvard's daily students' newspaper, The Harrani Cristoor: "Issues about violating people's privacy don't seem to be surmountable."" A few months later, Zuckerberg came up with an idea for creating a similar but legitimate website, Facebook, to connect students on campus. By February 2004, Facebook extended the user base to dot edu (edu) email addresses. Starting in 2005, as the user base expanded to include users with any valid email domain, the company allowed users to restrict who could view their personal data by specifying their user groups fi.e, only friends, friends of friends, or the entire Work Wide Web). In 20106, Facebook's "default privacy setting" automatically limited the display of profiles to the users' colleges/ schools, plus their specified local area and other familiar communities." Users could change the default privacy setting and set their preferred privacy level? To encourage more people to join its social network, in 200%, Facebook opened its platform to third-party app developers, so they could offer their games, quizzes, dating apps, etcetera. Facebook took 301% payment for third-party apps, such as Zynga's Farn Ville, with the remaining 7(1% going to the app developers." This strategy did not result in substantial profits. " By 2007, the default privacy enabled searching for profiles by name across the Facebook network. As of 2009, it allowed viewing of other users' lists of friends, even if users had previously set their privacy to keep these lists private. Moreover, under Facebook's modified privacy policy, a large category of personal information including the users' names, profile photos, friend lists, liked pages/ events, gender, geographic region, and networks -became public, regardless of user preferences. The revised privacy policy also gave Facebook the right to allow third-party app developers and advertisers to extract personally-identifiable information when a user clicked on an advertisement or used a third-party app.'? By then, 50) personalized privacy settings offered about 150 privacy options!'Thus, as many as 7% of users preferred to stick to the default setting, which, in tum, placed the users at risk of inadvertentlyoversharing their personal data.4 In 2011, Facebook announced a new initiative, "Bug Bounty Program", to reward users who reported a security vulnerability. In November 201 1, the US. Federal Trade Commission (FTC) announced that Facebook's privacy practices were "unfair and deceptive" and comprised users privacy rights. The FTC issued an order requiring Facebook to seek users' "affirmative express consent" before overriding their privacy preferences. The order further required Facebook to "establish and maintain a comprehensive privacy prograin" and specified that the company would be audited every two years for 20 years. Independent third-party auditors were tasked with certifying that Facebook's privacy poles and practices "meet or exceed the requirements of the FTC onler, and ensure that the privacy of consumers' information is protected."16 Non-compliance would result in penalties of up to $41,484 per day, per offense.!? To increase the user base, in 201 1, Facebook developed a smartphone app for chat, called "Facebook Messenger". Prior to going public in February 2012 (see Exhibit A. Facebook's Share Price History), the company acquired the social media competitor, Instagram.18 In April 2013, a year prior to the acquisition of a virtual reality startup called "Oculus" and a mobile phone messaging service called "Whatsapp", Facebook announced that its new privacy program was all-pervasive and incorporated users' security in all aspects of its service provision." Despite their efforts to protect users data, Facebook retained one policy that rendered it vulnerable to potential data abusers, that of allowing their vendors (ie. third-party app developers and advertisers) to collect data from users' friends." By the time Facebook. changed this policy in 20114, Kogan already collected the data of users' friends via his personality app Facebook reportedly learned about the data breach at least two years prior is Wylie's expose and demanded that Kogan and Cambridge Analytica delete the users' data." Two FTC-mandated audits failed to detect the data harvest in both the 2015 and 201 7 audits. As the privacy shortcomings unfolded guadually, Facebook continued to increase, its access to new sources of data. For instance, Instagram had a unique feature that allows users to link their other social network accounts, such as Twitter, Vkontakte (a Russia-based social media), Mixi (a Japan based social media), Weibo (a China-based social media), etcetera.2 In pursuing these strategies, Facebook's primary objective was to diversify its sources of user base in order to increase revenue from "mobik advertising". With the acquisition of WhatsApp, Facebook's mobile advertising revenue rose to more than $3 billion and mobile advertising became the company's main source of revenue. By 2017, the revenues reached $40 billion, of which over $27 billion was generated through mobile advertising." Facebook's employee base also grew from approximately 4 300 in 2012 to over 361,090 in 2018." Within 14 years of operations, the firm:'s monthly active users reached 2.23 billion people, a figure which induried muluple accounts for a single user? By 2018, nearly 68% of the US population used Facebook services and users based outside of the US. comprised 85 90%% of the company's users. 25 FACEBOOK'S OPERATIONS Facebook developed into a complex supply network composed of billions of user and millions of vendors that were collectively engaged in the creation and consumption of Facebook services. Facebook's chains of co-creation and co-consumption developed annultaneously, beginning as the company created its raw apps fic, the desktop platforms and mobile apps of Facebook and Facebook Messenger, and acquiredcomplimentary apps (ie., Instagram and WhatsApp, all of which were designed to facilitate social interactions. By posting content on their profiles in Facebook's apps, users consumed the company's services while creating data on the online social media platforms, Users' profiles were composed of individuals' profiles and pages. Individuals profiles represented actual people in the online social realm and pages portrayed for-profit businesses (eg., Pet Smart), not-for-profit organizations (.g. UNICED, venis (c.g Yogathon), and groups (e-g., Cristiano Ronaldo's fan page ). According to Forbes, as of May 2018, five new Facebook profiles were created every second, 510/X10 comments were posted and 293,000 statuses were updated every minute, and over 31I millon photos were uploaded on Facebook's platform daily. > Instagrain users posted 46,740 photos every minute and photos posted to Facebook via Instagram received 23% more engagement (ie, shares, likes, and comments) than photos published on Facebook ? Vendors were composed of three categories. (1) thin!-party app developers (eg.. Zynga), (2) data brokers (eg., Acxiom), and (3) advertisers (eg, an MBA program) Vendors in the first two categories contributed to both content creation and consumption (data brokers did not create content). The value added by third party app developers derived from the services they offered in the form of apps, which were accessible to users via Facebook's apps. Examples of services offered to individuals via Facebook's platform included social entertainment apps leg., "Candy Crush Saga" for gaming), utility apps (eg., "Waze" for carpooling, productivity apps leg. "MapMyRun" exercise app), contribution apps leg, "Causes" for political/ moral causes), etcetera. By subscribing to third-party app services, users gave permission to collect and consume their personal data." Facebook also had access to data collected by third-party app developers, consuming this data to expand and improve its services. Data broker firms also contributed to Facebook's content co-creation, albeit in subtler and more hidden ways. After going public, Facebook formed extensive partnerships with leadray data broker firms such as Acxiom and Experian.As data mining organizations, chese data brokers collected consumer data from a variety of outside sources such as public records, store loyalty memberships, browser cookies and consumer surveys. Forming partnerships with these organizations allowed Facebook to collect additional forms of data-such as users' purchasing activities - that was not formerly accessible to the company. " Data brokers were the only category of Facebook vendors not directly involved in the consumption of Facebook apps. Advertisers also created content consumed by both Facebook and it's users. Advertisers ranged from individuals, to very small businesses (eg., a local pizzeria), to large multinational companies (eg., Pizza Hut) promoting their products or services. Individual or company advertising might be presented in various page-enabled promotions. For instance, Pizza Hut's Facebook page offered discount coupons or sweepstakes. Another common approach for advertising was through sponsored ads developed by advertising agencies on behalf of other companies. Facebook apps were known to be more effective than those of their competitors in the digital marketing arena, especially when it came to targeting and disguising sponsored ads.It Facebook's value proposition for advertisers came from its processes for collecting, encoding, and aggregating data. " Facebook collected user information in various forms.> User-created content (i.e. posts, shared content, messages with others and the third party app purchases or donation), as well as the attributes of the content (e.g., dates, locations, hashtags, tags, frequency, duration, etcetera) were collected. Facebook also harvested contact information (eg. the address book or text/ call bigs)if users chose to upload, import, or sync data on a mobile device." Facebook used other techniques to harvest data from users' behavior and activities within and outside Facebook products. For example, since most users logged into their Facebook or Instagram accounts on multiple devices, the company amassed data on (1) device attributes (e.g. operating system, battery level, network provider, crectera), (2) operations (e-g, mouse movement, first Facebook page visited by user, etcetera), (3) identifiers and settings (eg., login information, and camera settings), and (4)levice signals (eg. nearby Wi-Fi access points). Even on virtual reality devices (e g. Oculus), users' physical movements were stored in Facebook's databases." The next step in Facebook's data consumption process was encoding. During this process, all collected data from users, third-party app developers, and the data brokers, was consumed by Facebook to create a Social Graph representing interconnections." A Social Graph mapped two primary components: (1) objects, also known as nodes which included users and their content such as location or event and (2 connections, also known as edges, that represented the links between nodes.?Every user like" of a picture generated a new edge in the Social Graph, between that user's nede and the photo. Every action taken by a user (including likes, tags, shares, and comments), was an edge-generator in Facebook's encoding algorithm." Encoding and analyzing this data helped Facebook identify more than 50,100 user attributes, from homeschooling to political orientation.Facebook's data analysts then aggregated the encoded data into potentially meaningful sets of information at higher level of abstraction, with predictive power. Quantitatively grouping users iers differer I dimensions enabled Facebook to identify real-time correlative patterns Faced ook did not sell access to its users' collected data. " Instead, it drew on thisanalysis to help digital marketers xlentity and target specific consumer groups with high levels of preciskin. " Marketers could target users based on political views, ethnicity, age, sexual onentation, and hous hold composition. CAMBRIDGE ANALYTICA Cambridge Analytica, founded in 2013, provided research, marketing, and consulting services to governments, militaries, and companies." Its parent company, Strategic Communications Laboratories (SCL Group) did work for the US. State Department and various political clients in Afghanistan, Somalia, Trinidad, Nepal, and Mexico." SCL Group was specialized in collecting and analyzing data to identify social patterns, then developing and implementing communication strategies to influence social opinions." Alexander Nix, who joined SCL. Group as a director in 2003, developed a behavioral research subsidiary, SCI Elections, precursor to Cambridge Analytica, " an election consultancy firm whose mission was to use big data to identify "persuadable voters" and send them personalized messages."In 2013 Steve Bannon (Editor of Breitbart, an alt-right news network) met Canadian Christopher Wylie (see Exhibit B. for Wylie's background) and was intrigued by his klea to use military methodology- infomation warfare-to psychologically manipulate people's political views.+ Bannon persuaded Robert Mercer, a billionaire Republican, to sponsor an initiative to influence Puters during the UK's Brexit referendum and the 2016 US. presidential election. 5 For the US. election project, Wylie required an immense amount of data and meone to take ownership for developing the psychological framework Bin categorizing the profiles. At this point, Wylie was introduced to Kogan, the Cambridge University professor, who offered to collect the data for Wylies With the help of Wylie, "This Is Your Digital Life" app was born and used for collecting informationof Facebook's users. " Some were paid $3 to $4 to take a personality quiz, * These users gave the app permission to access their personal information, including their public profiles, "likes", birthdays, locations, and direct messages, Kogan also captured cat about these users' friends." Therefore, while only 305,01010 users installed the app, the personal information of up to 87 million people was compromised."Facebook claimed that the company's agreement with Kogan was limited to the use of data for academic purposes. Although Kogan admitted that he violated Facebook's developer policy, in an interview with CNN, he claimed that he was totally unaware of any "political consulting" intentions of Cambridge Amlytica. " Wylie and his colleagues then used Kogan's collected data to develop an algorithm that could send targeted advertisements to Facebook users based on users' scores on the "OCEAN" test of big five personality traits Openness, Conscientiousness, Extroversion, Agreeableness, Neuroticism." Cambridge Analytica then built a robust model which could correlate Facebook users' data with personality traits and sent them personalized ads designed to influence voters to favour a certain political viewpoint. Amid widespread concerns about Cambridge Analytica's operations in support of the Brexit Leave EU campaign as well as in support of Trump's 2016 presidential campaign, the firm quickly lost clients. Mounting legal fees caused the company to file for Chapter 7 bankruptcy in May of 2018 51 Although Cambridge Analytica continued to deny accusations regarding its use of pewhometrics for the purpose of swaying U.S. voters, the Daddy Telegraph reported that the company received nearly $6 million from Trump's campaign as well as $16 million from other Republican groups for its services.52 Additionally, Wyne pointed to legal documents-including letters from Facebook lawyers-that showed how profiles of Facebook users was illegitimately accessed between June and August of 2014,46 REACTIONS TO THE PRIVACY BREACH Subsequent to the widespread reporting of the privacy breach, Facebook immediately reacted by saspending Wylie, Kogan and his app, Cambridge Analytica and its parent company SCL Group from its platform.$3 The prolonged media attention caused by the Cambridge Analytica scandal also uncovered more revelations about how Facebook data was mishandled, thus increasing public anger against the company and its social networking services. For instance, the number of accounts affected by Logan's app was initially announced as 50 million,' however, Facebook's subsequent announcement increased that number to 87 million. " The controversy surrounding the privacy breach further escalated when it was also revealed that Cambridge Analytica collaborated with Palantir, a Silicon Valley data mining company co-founded by Peter "Thel, who was a board member of Facebook. " The allegations eventually resulted in many users leaving the Facebook's platform in protest against company's data mis handling. Martin Geddes, who joined the #DeleteFacebook tweeted: "Facebook's business model is identity harvesting. It is the antithesis of self-sovereign identity. As such, it is intrinsically disempowering of the individual & society. We should not be place." 55 looking to #DeleteFacebook; this business model should not be acceptable in the first Ironically, once an account was deleted, it could take up to 90 days for all the contents to be removed from Facebook's servers. "The boycott gained momentum when influential businesspeople such as Tesla founder, Elon Musk, and Apple co- founder, Steve Wozniak, joined the "# DeleteFacebook" campaign. To explain why he shut down his account, Wozniak stated: "[It's] a big hypocrisy not respecting myprivacy when Zuckerberg buys all the houses around his and all the lots around his in Hawaii for his own privacy. He knows the value of it, but he's not looking after mine." In its defense, Facebook countered that Kogan obtained users' permission before collecting their data, thus, there was no data breach. On March 17, 20118, immediately following Wylie's expose, Facebook's Vice-president and Deputy General Counsel, Paul Grewal, announced: "the claim that this is a data breach is completely Else. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingh provided their information." But in 2014, when Kogan collected the users' data, Facebook policy allowed app developers to collect data of users' friends. Facebook's "core principle" in their Privacy Policy specified that users should control who can access their information: "[users] own their information.. People should have the freedom to decide with whom they will share their information, and to set privacy controls to protect those choices."'s University of North Carolina Professor, Zcynep Tufekci, tweeted: "Facebook cannot simultaneously aspire to be the connective social fabric online (the platform era)) and have this business model which misaligns its interests with users' and be this muddled about privacy and shanna-and not have us wary of what happens with our data." Not long after Facebook began to experience financial repercussions. Major investors, such as socially responsible investment firm Calvert Research and Management, divested Facebook shares." Less than two weeks after the Cambridge Analytica affair came to light, Facebook's stock price dropped 18%%. In response, writer Kaleb Horton tweeted: "It makes my heart warm to watch Facebook's stock collapse under the weight of their own hubris. And it's hilarious that Mark Zuckerberg's genius idea for stalking people at Harvard was only useful for perpetrating a fascist uprising. It comprehensively damns technocrats." Questions were raised, by consumer activists. lawmakers, and privacy advocates (such as the Electronic Privacy Information Center), about the effectiveness of the 2011 FTC settlement and subsequent audits. While Facebook was not accused of malicious use of users' personal data, it was accused of failing to provkle safeguards against such abuse And, Zuckerberg was called to testify before the U.S. Senate and House Committees. TESTIMONY BEFORE THE U.S. SENATE AND THE U.S. HOUSE OF REPRESENTATIVE In his April 10, 2618 testimony Zuckerberg stated: "For the first 10 or 12 years of the company, I viewed our responsibility as primarily buikling tools that, if we coukl put those tools in people's hands, then that would empower people to do good things. ... Now ... we need to take a more proactive role and a broader view of our responsibility." In nearly 10 hours of hearings on April 10 and 11, lawmakers asked almost 600 questions. Interrogators asked Zuckerberg for information on Facebook's data inalyties and data protection. Congressman Paul D. Tonko argued, "the 87 million account extracted.. are just the beginning, with likely dozens of other third parties that have accessed this information. As far as we know, the dam is still broken. "The werall theme of questions posed by Congress members revolved around Facebook's data monetization business model and company's political agendas. When asked why Facebook did not disclose the misuse of its data to auditors, Zuckerberg answered that he did not believe a third-party app developer's violation ofFacebook policy equated to a Facebook violation of the FTC consent decree ? In Zuckerberg's defense, Republicans pointed out that it was not new for a political campaign to attempt to persuade voters to support their candidate out platter. Republican Senator Chuck Grassley stated that President Barack Obama's 2012 election campaign collected data from Facebook users' friends for sinular political purposes." Democrats retorted that Cambridge Analytica - a UK-based organization with foreigner managers and staff - violated US. federal election laws, which lan foreign nationals from participating in U.S. political campaigns, When asked about his company's plans to protect user privacy going forward, Zuckerberg replied: We believe that the ads model is the right one for us, because it aligns with our social mission of trying to connect everyone and bring the world closer together... a number of people suggest that we should offer a version where people cannot have ads if they pay a monthly subscription, and certainly we consider ideas like that. I think that they'r reasonable ideas to think through. The hearings revealed that the UK Information Commissioner's Office (CO; fined Facebook f500,090 for failing to comply with the UK Data Protection Act." Zuckerberg repeatedly promised lawmakers that his staff would soon provide a more comprehensive response to their many questions. Following the heirings, the CEO of Calvert Research and Management, John Streur, raised concerns about Facebook's overreliance on advertising and its shareholders' limited power. He questioned the leadership team's ability to oversee privacy and security risks. The California State Teachers' Retirement System and New York City Retirement Systems proposed restricting Zuckerberg's power by replacing him with an independent Chairman,and other major investors criticized various other aspects of the company's governance structure (see Exhibit C. Faa book's Leadership Team and Board). In May, Domini Impact Investment sold all of its 1 10,000 Facebook shares following the allegations, and issued a statement explaining why: We made this decision in response to what we believe to be a crisis of governance and accountability at Facebook, with significant social ramifications... We do not view the company's business model as inherently problematic. The problem, we believe, lies in a governance structure and decision-making framework that is inadequate to provide appropriate checks on the strong incentives to monetize user data that are created by that model. Facebook's problems, we believe, are founded on a lack of sufficient attention to consumer privacy and data security, compounded by inadequate governance to ensure independent and effective oversight of decision-making, particularly when consumer privacy concerns, or the public interest more generally, may initially appear to present obstacles to growth." On June 8, 2018, Facebook provided the Senate Committee on the Judiciary with a 225-page document and the Senate Committee on Commerce, Science, and Transportation with a 229-page document On June 29, 2018, the company delivered a 752-page Response document to the House of Representatives. These documents provided detailed answers to lawmakers' acklitional questions (nearly 2010()) and a detailed overview of Facebook's data-handling practices and future plans. They also revealed that more than 60 app developers had access to users' friends' data, even after Facebook changed its 2014 policy."On March 26, 201 8 the FIG announced it would start a non-public investigation to determine whether Facebook's data handlingpractices violated the terms of the XI1 1 consent decree. If so, the penalty would be sevene. A WAY FORWARD Following the submissions of the Response document, Facebook took several corrective actions to protect its users' privacy and security. The company notified users whose data was compromised. It hired a digital forensics firm, Stree Friedben, to ardi Cambridge Analytica, Kogan, and Wylie, to ensure that all Facebook user data wa's deleted from their databases.?' In the Response document Facebook announced it planned to audit every app which had amassed users' data prior to policy changes in 2014. The company also revealed extensive plans for: (1) reducing the complexity of privacy setting (making it more visual and easier to find), (2) increasing transparency and accountability of political advertisers by labeling their ads as "Political Ad" or as "Paid for by", and (3) increasing authenticity and transparency of pages with large numbers of followers to prevent potential abuses." Facebook also announced it planned to wind down its partnership with third-party data brokers ? According to Facebook's newsroom, the company discontinued its "partner categories", which were previously one of the major sources of targeting for advertisers. The company also began to evaluate the option of offering a premium ad-free subscription alternative for privacy- and security conscious individuals. During hearings, when one Senator asked Zuckerberg about his company's plans for preventing similar privacy problems, he explained that, if necessary, Facebook might also consider offering monthly subscription options to its users, even though this was in conflict with the mission of the company. " The idea of a premium subscription for Facebook was not new within the industry. In 2013, Biz Stone, the co-founder of Twitter, suggested that a paid subsemption would be attractive to people like him who hardly ever had time to customize Facebook's privacy settings. " Yet, viability of this solution might be questionable because in 2018, 98% of Facebook's revenue was generated by ads. If the company tumed to an ad-free service or offered a combination of paid and free versions, the subscription cost might be prohibitive for many users. Some investors were concerned about the vulnerability resulting from overreliance of Facebook on advertising revenue. Other tech companies, such as Google and Amazon, successfully managed to reduce their business risk by extensive diversifying in hardware and software areas. Having taken those stem, what else should Facebook do? Some critics called for Zuckerberg to resign his Chairman role," resign his CEO role, ' or step down from both roles. Should he step down from one or both roles? As Chairman and CEO of Facebook, Zuckerberg exercised considerable voting power (53.3% of Facebook's shares*), which limited the effectiveness of the Board of Directors in risk oversight Competitors such as Twitter and Alphabet Inc. (Google's parent company), and many other tech companies such as Microsoft and Apple, separated the roles of their CLO and Chair to prevent an imbalance in voting power. In an earlier response to investor pressure to split the CEO and Chair roles, Facebook stated: "We do not believe that requiring the Chairman to be independent will provide appreciably better direction and performance, and instead could cause uncertainty, confusion, and inefficiency in board and management function and relations. "7 In addition to demanding changes in the company's governance structure, shareholders proposed that, to forestall future privacy challenges, Facebook shoukl institute a risk oversight committee. According to this proposal, a risk oversight