Well, NDAs/CDAs/licensing agreements/etc can make disclosure to non-authorized 3rd parties very painful for your customers/partners/etc to contravene your requirements for what they do with data, intellectual property, customer lists, etc.

This doesn't stop external attacks, of course, but it can reduce internal risks.

Facebook could have had more than zero control, if it had wanted.