Facebook did things right in its S-1 disclosures relating to data protection and privacy as it relates to business risk. Among other things, the myriad disclosures warn investors of risks related to unfavorable media coverage of its privacy practices and concerns about privacy, sharing and security. They also note that unauthorized access to or improper use of user information could damage Facebook’s reputation and result in legal or regulatory action, which could be expensive and require Facebook to modify its business practices. (This has happened before, as the disclosures point out: last year a 20-year settlement agreement with the Federal Trade Commission required the company to establish and refine policies related to user data and privacy settings, submit to privacy audits every two years and take other measures.) The company says complex, evolving laws and regulations for privacy and data protection could harm its business.

This seems to be as it should be—at least for the SEC, which last fall issued disclosure guidance on cybersecurity risk that all public companies should be aware of (private companies should take note too). But while Facebook followed this disclosure guidance, these disclosures are aimed at protecting investors; they reveal the potential effects of problems after the fact. That’s not reassuring to Facebook users.

As more and more data moves online and into the cloud, companies need to actively protect their customer data. Cyber attacks happen with increasing frequency, and only the big cases (like Zappos.com last month) are publicized. It’s critical: our finances, medical records, credit cards, employment, passwords and other aspects of our personal lives are online. Companies that don’t take data protection and cyber security seriously are gambling with risks that may be very expensive or change how they do business.

At least some relief may be in the works. The Federal Trade Commission will soon release its final staff report of recommended controls and standards for the online protection of consumers’ privacy. The report is expected to expand the scope of what may constitute consumer data and propose sweeping new standards.

It’s unlikely, however, that U.S. regulations will be as stringent as the proposed Data Protection Directive issued Jan. 25 for the European Union. Those regulations would apply to anyone processing data in the EU—including those outside Europe who offer goods or services to EU citizens. Key points include:

  • Significant fines for organizations that don’t follow basic knowledge/consent obligations or requirements to adopt good policies and procedures
  • A requirement to appoint a data protection officer who must ensure that the organization adopts good data governance policies and procedures
  • Regular data protection audits and privacy impact assessments
  • A requirement to notify data protection authorities within 24 hours of a data breach

We’ll be watching to see if the FTC grasps the severity of the problem and fully addresses the need to protect consumer information.

Whether it does or not, companies should pay full attention to both their privacy and data protection measures and their disclosures around them. Building customer trust and goodwill takes a lot of corporate resources; losing that trust can have a significant adverse impact on any business. With better protections in place, transparency and disclosure will follow more easily—and those companies will be trusted more by customers and investors alike.

Speaking as someone who’s been engaged with tons of IPO filings, Facebook’s was the most interesting S-1 read ever. IPOs, in general, typically provide a high-energy, exciting, positive environment, but this one is special—the theme throughout seems to emanate “we’re here for the greater good.”

Here’s a summary of the highlights:

  • Making business decisions over financial results: Perhaps one of the reasons Facebook stayed private as long as it did, and continues to maintain significant ownership by the executive team (a focus of today’s press coverage), is that it maintains a focus on what’s best for the business. That, in turn, does not always result in short-term financial performance. In its S-1 filing, Facebook states: “Our culture emphasizes rapid innovation and prioritizes user engagement over short-term financial results.”
  • Control: Not only is CEO Mark Zuckerberg going to maintain significant ownership in Facebook post-IPO, but he will also own a majority of the voting power. That means Facebook will qualify as a “controlled company,” which will allow it to keep the board closely held (no independent directors).
  • Letter from Zuckerberg: In a new twist to IPO filings, at the end of the MD&A (page 67) is a letter from the CEO explaining his mission, vision and so on. Nice touch! In his letter, Zuckerberg says, “Simply put: we don’t build services to make money; we make money to build better services.” It’s a refreshing focus.
  • Culture disclosures: Companies are required to disclose certain information about employee headcount and related information, and as an added bonus, Facebook discloses a description of its corporate culture. The company stresses the importance of its culture, calling it a “hacker culture” defined as “a work environment that rewards creative problem solving and rapid decision making.” Perhaps this should be a new SEC disclosure requirement!
  • Focus on the future: SEC filings are usually based mainly on historical results, which are not always indicative of future performance. Not Facebook. It is clearly focused on the future, and its filing says, “We also have posted the phrase ‘this journey is 1% finished’ across many of our office walls, to remind employees that we believe that we have only begun fulfilling our mission to make the world more open and connected.”
  • Mark takes a pay cut! In Q1 2012, Facebook’s comp committee discussed and approved Zuckerberg’s request to reduce his base salary to $1 per year, effective Jan. 1, 2013. And he was the only named executive officer who did not receive stock-based comp in 2011.

Read the filing for yourself at the SEC website.