The September Facebook data breach affecting 30 million users will be the first significant test of the European Union’s new General Data Protection Regulation (GDPR) that went into effect last May. If you’re in the online business world, you’ve likely spent hours poring over the regulation to make sure your business is in compliance. The EU implemented the strict privacy regulation to give individuals greater control over their personal data. It’s limited to individuals in the EU, but all organizations that handle data originating in the EU are required to comply, giving the GDPR a wide-reaching effect.
As we discussed in a recent post, “The GDPR in action,” many businesses are struggling with interpretations of the regulation and are concerned about the threat of fines as high as 4 percent of annual revenue. The recent Facebook breach will hopefully answer some of the biggest questions and give us a better idea of how to proceed under the GDPR. In today’s post, we’ll highlight a few of these critical issues.
When is a company held accountable for a privacy breach?
Breaches happen, but when should a company be held accountable? This is one of the most pressing questions that could be answered by the Facebook breach. On Sept. 28, Facebook disclosed that an attacker had taken advantage of a vulnerability in the “View As” mode, which allows users to see what their profile looks like to other Facebook users. This vulnerability allowed the attacker to steal the login access tokens of 50 million (later corrected to 30 million) users. An estimated 3 million of these accounts are European.
The Irish Data Protection Commission is investigating the details of the breach. Here’s what they’ll be looking for:
- Did Facebook report the breach within 72 hours of discovery? Right now, it seems they did. Facebook claims to have discovered the breach on Sept. 25 and reported it on Sept. 28.
- Were adequate protections in place to prevent such a breach from occurring? Adequate protection means using firewalls and encryption to protect data. Not having these protections in place is a pretty clear indication of negligence. Adequate protection also means running a new application through rigorous testing before making it available to the public. However, what is considered rigorous?
- Did Facebook do enough? Although Facebook claims to have conducted rigorous testing of the “View As” feature, experts have noted that thorough testing would have been difficult without dynamic testing while the feature was live. Was there a way Facebook could have tested the feature even more rigorously than they did? Clearly, testing can’t continue in perpetuity. Where is the line that designates a feature as secure and ready?
As we watch the Facebook story unfold, more of these questions will be answered. Perhaps the question we’ll end up asking ourselves is “what should Facebook have done?”
How will large fines affect European business?
The Facebook breach also gives rise to a question that’s been on many of our minds since learning of the significant fines set forth by the GDPR. What happens when the company found in violation is as large as Facebook and employs thousands of Europeans?
A possible fine of $1.5 billion or more could end up hurting the economy, especially if companies begin to leave under the threat of unmanageable fines. This consideration may prompt the EU to require a combination of corrective security measures and fines large enough to motivate greater security but not so significant as to deter future business.
Getting used to the GDPR
The GDPR isn’t going away any time soon, although it may eventually give way to a new regulation as we adapt to the ever-changing world of privacy protection. For now, it makes sense to observe the GDPR in action and apply the lessons from each breach to how we’re conducting our businesses.
The advice we give to businesses handling European data is to keep the big picture in mind. The intent of the GDPR is to give control of personal data back to the individual. Organizations should collect data only with active consent, use the data for clearly stated purposes, delete the data upon request, and notify all affected individuals in the case of a security breach.
By keeping these guiding principles top of mind, you should find GDPR compliance no different from meeting the industry-specific standards you already adhere to as part of common-sense good business practice.
We will be watching the development of this story and will report more once we learn the outcome. Hushmail continues to support GDPR standards to protect individuals’ privacy, as this value is embedded in the very nature of everything we do.