By Lisa Lambert and Paresh Dave
WASHINGTON (Reuters) - The attorney general for Washington, D.C., said on Wednesday the U.S. capital city had sued Facebook Inc for allegedly misleading users about how it safeguarded their personal data, in the latest fallout from the Cambridge Analytica scandal.
The case joins several legal and regulatory proceedings that threaten to hit Facebook with significant penalties and increase its operating costs.
Authorities and consumer advocates have questioned whether Facebook's efforts on security, content moderation and cultural diversity have kept pace with the social responsibility it should have for its services, including WhatsApp and Instagram, which are essential communication tools for more than 2 billion people each month.
The world's largest social media company has drawn global scrutiny since disclosing earlier this year that a third-party personality quiz distributed on Facebook gathered profile information on 87 million users worldwide and sold the data to British political consulting firm Cambridge Analytica.
Washington, D.C., Attorney General Karl Racine said Facebook misled users because it had known about the incident for two years before disclosing it. The company had told users it vetted third-party apps, yet made few checks, Racine said.
"This continues a year of bad publicity and significant issues for [Facebook], making it more likely that the U.S. government will take action to penalize and/or regulate" it, said financial analyst Scott Kessler of CFRA Research. "Yet, we still see its fundamentals as healthy and valuation as attractive."
Facebook shares suffered their biggest drop since July 26, closing down more than 7 percent at $133.24 on Wednesday, extending a roughly five-month stretch since the company warned that profit margins would erode in coming years because of consumer and government pressure to better guard data and suppress objectionable content.
"Facebook could have prevented third parties from misusing its consumers' data had it implemented and maintained reasonable oversight of third-party applications," according to the lawsuit filed in the Superior Court of Washington, D.C., on Wednesday.
Facebook said in a statement, "We're reviewing the complaint and look forward to continuing our discussions with attorneys general in D.C. and elsewhere."
The court could award unspecified damages and impose a civil penalty of up to $5,000 per violation of the district's consumer protection law, or potentially close to $1.7 billion, if penalized for each consumer affected as is typical. The lawsuit alleges the quiz software had data on 340,000 D.C. residents, though just 852 users had directly engaged with it.
Facebook offered separate privacy settings around 2013 to control what friends on the network could see and what data could be accessed by apps, enabling the quiz and other services to collect details about their users' Facebook friends without many of them realizing it, according to the lawsuit.
It further alleges Facebook misled users by allowing several partners, including mobile software maker BlackBerry, "to override Facebook consumers' privacy settings and access their information without their knowledge or consent."
The New York Times reported new details on Tuesday about the user data that remained available to such partners years after they had shut down the features that required them. Facebook acknowledged the lapse, but said that it has not found evidence of wrongdoing by those partners.
Racine criticized Facebook's "lax oversight and confusing privacy settings," telling reporters that Facebook had tried to settle the case before he filed suit, as is common during investigations of large companies.
He said that a lawsuit was necessary "to expedite change" at the Silicon Valley company.
Britain's data protection authority in July fined Facebook 500,000 pounds for the breaches of data in the Cambridge Analytica incident.
Since then, Facebook has disclosed a pair of security breaches involving profile data and posts of up to 29 million users and 6.8 million users, respectively.
At least six U.S. states have ongoing investigations into Facebook, according to state officials.
In March, a bipartisan coalition of 37 state attorneys wrote to the company, demanding to know more about the Cambridge Analytica data and its possible links to U.S. President Donald Trump's election campaign.
At the same time, the Federal Trade Commission took the unusual step of announcing an investigation into whether Facebook had violated a 2011 consent decree, exposing the company to a multi-billion dollar fine.
State attorneys general have found some success taking on technology companies over data privacy. Uber Technologies Inc [UBER.UL] in September agreed to pay $148 million as part of a settlement with 50 U.S. states and Washington, D.C., which investigated a data breach that exposed personal data from 57 million Uber accounts.
Agnieszka McPeak, a professor at Duquesne University School of Law, said states will likely make claims similar to those of D.C., pressuring Facebook into a settlement that involves both a monetary fine and modified business practices.
"If a company faces 51 separate actions around the country for deceptive practices, that can have a real impact," McPeak said.
(Reporting by Lisa Lambert in Washington, D.C., and Paresh Dave in San Francisco; Additional reporting by David Shepardson and Jan Wolfe in Washington; editing by Rosalba O'Brien and Phil Berlowitz)