John Reed Stark, a cybersecurity consultant and former SEC enforcement attorney, said the way Facebook reported the incident could raise a red flag for the SEC if Facebook earned revenue from contracts with third-party vendors that misused private member data yet failed to disclose that the contracts potentially violate global and U.S. privacy laws as well as Facebook’s terms of use.
via SEC Probes Why Facebook Didn’t Warn Sooner on Privacy Lapse – WSJ.