RESOLUTION
WHEREAS, as practically every aspect of private and public business is conducted and stored on virtual networks and warehouses, data breaches are occurring more frequently and with more potentially disastrous repercussions; and
WHEREAS, "hacks" and data breaches have a near constant stronghold on news headlines as cybercrime afflicts nations and industries throughout the globe; and
WHEREAS, for example, in 2013, the retail giant Target had its systems breached by a cyber-attack that affected more than 41 million customer payment card accounts, causing Target to pay out $18.5 million in settlement fees; and
WHEREAS, in 2014, Home Depot's systems were breached and 50 million cardholders were affected, resulting in Home Depot agreeing to pay at least $19.5 million to compensate those individuals; and
WHEREAS, in 2017 the credit reporting agency Equifax was exposed as having been the subject of one of the most extensive hacks of our time, exposing and then concealing the personal information of millions; and
WHEREAS, Facebook operates a social networking website that allows people to communicate with their family, friends, and coworkers; and
WHEREAS, the company develops technologies that facilitate the sharing of information based on their own specific criteria and has over 2.2 billion active users worldwide; and
WHEREAS, Facebook's mission statement is "to give people the power to build community and bring the world closer together," and notes that "[pjeople use Facebook to stay connected with friends and family, to discover what's going on in the world, and to share and express what matters to them;" and
WHEREAS, Cambridge Analytica is a privately held company that combines data mining and data analysis with strategic communication for the electoral process; and
WHEREAS, on March 17, 2018 both the New York Times and The Guardian reported that Cambridge Analytica used personal infonnation obtained from Facebook without permission, and under the pretext of collecting it for academic purposes; and
WHEREAS, reports revealed that Cambridge Analytica was a firm used by President Donald Trump's campaign to target voters online, using the data of 50 million people obtained from Facebook without proper disclosures or permission; and
WHEREAS, Cambridge Analytica fraudulently gathered this information by posting a survey application on Facebook called "MyDigitalLife" in 2014 which promised to help users better understand their own personalities; and
WHEREAS, approximately 270,000 people downloaded the application, giving Cambridge Analytica access to their data as well as all the data of their friends, because more than 50 million other users "had their privacy settings set to allow it:" and
WHEREAS, a whistleblower from Cambridge Analytica, Christopher Wylie, revealed that the data mining could build a personality profile on each person in order to target them with specific messages; and
WHEREAS, Sandy Parakilas, a former Facebook operations manager, also revealed that he warned key executives at the company that its relaxed approach to data protection risked a major breach because the company did not use enforcement mechanisms such as audits of external developers to ensure data was not misused; and
WHEREAS, instead, Facebook allowed its security to be vulnerable and in Mr. Parakilas's words, the company "felt that it was better not to know," rejecting its responsibility to audit its own rules limiting use of Facebook data by third parties; and
WHEREAS, Facebook acknowledged that Cambridge Analytica had taken users' information without their consent by obtaining it from the app "MyDigitalLife;" and
WHEREAS, additionally Facebook executives have known about this security breach for two years, but failed to alert or protect users, even though Facebook's general counsel stated "protecting people's information is at the heart of everything we do;" and
WHEREAS, personal consumer information compromised in the Facebook breach includes names, birthdates, hometowns, addresses, location, interests, relationships, email addresses, photos, and videos; and
WHEREAS, Facebook knew that this improper data aggregation was occurring, willfully ignored the risk, and failed to implement any action to prevent the breach; and
WHEREAS, to date, Facebook has not issued confirmation to any person that his or her information was compromised even though the Chief Executive Officer, Mark Zuckerberg, has stated that company would tell anyone whose data may have been improperly shared; and
WHEREAS, due to Facebook's conduct, Chicago residents are at an increased risk of identity theft and fraud, improper disclosure of private information, and confront the need to spend added time and money to monitor their financial records; and
WHEREAS, a civil class action lawsuit has been filed in the Northern District of California against Facebook and Cambridge Analytica claiming that the company violated California's
Unfair Competition Laws by engaging in unlawful and unfair business practices and negligence; and
WHEREAS, the Cook County State's Attorney has followed suit with a similar action in the Circuit Court of Cook County; and
WHEREAS, Facebook and this breach are now the subject of congressional hearings in Washington D.C.; and
WHEREAS, as these legal actions and investigations begin, Facebook's CEO has declared Facebook will investigate and audit applications showing "suspicious activity" and that the company will begin to restrict developer access to data; and
WHEREAS, the Facebook's CEO publicly apologized and declared that the company has a "basic responsibility to protect peoples' data;" and
WHEREAS, Facebook and Cambridge Analytica must face the legal consequences of failing to protect the interests of Chicagoans; and
WHEREAS, the Chicago City Council finds that Facebook and Cambridge Analytica must be held responsible for the failed oversight of business operations resulting in breaches and failure to safeguard personal information in violation of the deceptive business practice and consumer protection provisions of Section 2-25-090 of the Municipal Code of Chicago; and
WHEREAS, as it has done in such circumstances with respect to Equifax and Uber breaches, the City of Chicago has a responsibility to seek redress for these transgressions on behalf of its residents; and
WFIEREAS, the Facebook data breach, coupled with the massive breaches before it, have created an unprecedented vulnerability for nearly every Chicagoan; now, therefore,
BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF CHICAGO:
The Chicago City Council urges the Corporation Counsel to file a cause of action in a court of competent jurisdiction to hold Facebook and Cambridge Analytica liable for acts or omissions contributing to the 2018 Facebook data breach.
