
Facebook Data Breach Notification Failure Signifies the Need for GDPR

27 Mar., 2018

Data breach notification shouldn’t take several years. Considering the latest Facebook data debacle, here’s why the GDPR and its data breach notification requirements are more important than ever.

Lag in data breach notification has long been one of the more complicated aspects of managing a data breach. Establishing the full extent of a breach and letting customers know within a reasonable time frame can be a hugely time-intensive process.

Recently it was revealed that Cambridge Analytica, a research firm with ties to national political campaigns, harvested the information of more than 50 million Facebook user accounts. The social media giant remained mum on the “breach”, which occurred in 2014 under the umbrella of a university research project that collected private information from profiles and then sold it to Cambridge Analytica without authorization.

Although not a data breach in the technical sense, under current data breach notification laws Facebook could face penalties in the United Kingdom and in several American states for failing to notify users of the data harvest and for failing to verify how information on its platform gets used. Additionally, an FTC violation may lead to millions of dollars in fines. News of the harvest has already caused Facebook’s stock to drop more than six percent, shaving about 37 billion dollars off the value of the company and erasing all of its 2018 gains.

These types of incidents are about to become more heavily scrutinized and regulated when the GDPR takes effect in May. And even though the data collection and subsequent sale to a research firm may not be considered illegal, it does raise a few questions: How should enterprises handle subject data? How do they explain what kind of data they process, and how do they explain to the customer which data is shared with, or sold to, third parties?

With seemingly little oversight and transparency, Facebook and similar companies appear to have lost control of the massive data farming processes they helped create. Companies, no matter their size, are going to be held accountable to increasingly strict data privacy regulations for how their platforms are used, especially as data breaches continue to escalate in size and impact.

And that’s where the General Data Protection Regulation (GDPR) comes in. Applying from May to any organization that processes the personal data of people in the EU, wherever that organization is based, the GDPR grants consumers more rights and penalizes companies like Facebook for failing to disclose how subject data is gathered, stored, and used. Depending on the situation, severe infractions can result in fines of up to four percent of an organization’s global annual turnover or 20 million Euros, whichever is higher.

Assuming the sale of Facebook user data to Cambridge Analytica qualified as a data breach, under the GDPR this incident would qualify as a disaster. The GDPR requires organizations to notify the supervisory authority within 72 hours of becoming aware of a breach and, where the breach is likely to result in a high risk to the people affected, to notify those individuals without undue delay; Facebook notified no one after several years and initially denied any breach took place.

As part of the data breach notification, organizations will also be required to provide contact details for their data protection officer or another point of contact, a description of the nature of the breach including the categories and approximate number of data subjects and records concerned, the likely consequences of the breach, and the measures the organization has taken or proposes to take to address it.

Under the GDPR, customers will also have the right to have their data erased on request (the right to erasure). Or, if they want, they can request a copy of their data to see exactly what is being collected (the right of access). Facebook allows for the permanent deletion of user accounts, and users can download what they posted, but the company still holds onto any data already submitted.

Most importantly for this story, companies must classify and protect the data they store, especially sensitive information such as health data or political opinions, which the GDPR treats as special categories, and must specify what that data will be used for and whether it is shared with third-party organizations such as Cambridge Analytica.

There are many layers to this developing story, but here’s one takeaway: It shouldn’t take years to notify the world of the misuse of subject data, and companies need to get into the habit of meeting the breach notification requirements that form part of more comprehensive data privacy regulations such as the GDPR.
