In my recent post about the Facebook and Cambridge Analytica debacle, I shared that 50 million Facebook users’ personal data was sold to Cambridge Analytica without the consent of the user. Well… earlier this week, Facebook increased that user count to over 80 million users. Then, this past Wednesday, Facebook revealed that potentially every Facebook users personal data was misused in one way or another.
Facebook dropped another bombshell on its users by admitting that all of its 2.2 billion users should assume malicious third-party scrapers have compromised their public profile information.
This is a very disappointing reveal… because it conveys that for about a decade either Facebook was completely asleep at the wheel and culturally negligent, or that they knowingly and willingly facilitated the misuse of personal data to occur as a function of their business model: to make billions from personal data with no regard for its protection or usage consent.
The sequence of reveals this week, after being outed by several ex-employee whistleblowers involved in Cambridge Analytica and others, gives me a creepy feeling that Facebook is slowly bringing forward the real truth of the situation: that all Facebook users personal data is affected and the misuse of personal data by Facebook is completely out of control. The truth may reveal that this has gone on for maybe a decade or more, as evidenced by the fact that Facebook has essentially blown off the Federal Consent Decree that the FTC imposed on Facebook in 2011. To validate my opinion on this, I found a very interesting interview between NPR and Jessica Rich, a former FTC official who helped shape this very FTC consent decree back in 2011.
Jessica Rich: “Well, like many people, my reaction was are you kidding? The facts here of allowing third parties to have unfettered access to user data and not exercising the kind of care for Facebook users that they should were the exact same facts that drove us to take action against them in 2011 and that led to the order they’re now under.”
Three key issues immediately come to mind:
- Any business that collects your personal data has the responsibility (an obligation) to safeguard it. Security must be Designed In, By Default
- Any business that intends to make money from your personal data, must get your consent before doing so using clear and easy to understand language so that you are properly informed about how and where your data will be used. Not an Opt-Out, but rather a revocable Opt-In.
- Any business that compromises or causes breach to your personal data or violates your right to privacy must notify you within a reasonable period of time, not sit on this news or claim ignorance to their responsibilities. We should all know that “ignorance of the law is not an excuse”.
ignorantia legis neminem excusat
In the first item, this requires that the business has an effective security program to detect, protect, alert, response and remediate any intrusions to sensitive data, most critically personal data. Once a business determines that it collects personal data, it needs to control where that data flows, restrict access to only those who need it for job function, and implement technical and non-technical controls that protect that data at rest, in motion, in use.
In the second item, this falls squarely into the reason that the European Union said, “enough!”, and created the General Data Protection Regulation which is centered around all three of the items (above), but puts first and foremost the rights and freedoms of EU citizens’ rights to privacy and control of their personal information. In GDPR, any business that collects, uses and/or processes any EU citizen’s personal data must have a legitimate, legal reason for using it, and they must explain to you how your data is to be used (for each and every purpose), they must explain who its going to be shared with (and re-ask for your explicit consent for each and every time that it’s shared with another party), they must allow you unrestricted access to update your info, remove it (right to be forgotten), to deny use of it (at any time), and to obtain complete copies of your data and know clearly where your data has traveled (who has it, how long, how it’s been used, etc.).
Anyone who’s both a privacy advocate and a governance professional must stand and applaud the care and focus that has gone into GDPR, since it puts the rights of the individual first and the business interests second, with considerable teeth for enforcement when its violated.
GDPR indeed has teeth – where infractions can result in substantial regulatory fines and litigation for damages to individuals. Technically, GDPR brings about two levels of fines as follows (for reference, check the law):
Lower level
Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:
- Controllers and processors under Articles 8, 11, 25-39, 42, 43
- Certification body under Articles 42, 43
- Monitoring body under Article 41(4)
Upper level
Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:
- The basic principles for processing, including conditions for consent, under Articles 5, 6, 7, and 9
- The data subjects’ rights under Articles 12-22
- The transfer of personal data to a recipient in a third country or an international organisation under Articles 44-49
- Any obligations pursuant to Member State law adopted under Chapter IX
- Any non-compliance with an order by a supervisory authority (83.6)
You can do the math on how these fines would impact Facebook. In my previous blog, I noted that the US Federal Trade Commission (FTC) could fine Facebook $40,000 per each infraction of using a persons PII without first obtaining their consent. At 50 million users, the potential amount could be $2 trillion. Many skeptics doubt that the FTC will do anything substantial by way of fines. But if they do find that Facebook violated the decree and they execute on the infractions, then the potential fines would be astronomic.
Relative to the news that 2.2 billion persons personal info was used without their consent, the adjusted equation would be:
$40,000 (FTC consent decree fine) * 2,200,000,000 (consent decree infractions) = $88 trillion (a “yeah right” amount)
That’s just the FTC fines. The FTC decree is very clearly written including the per infraction fines that could be levied against Facebook. With GDPR, the fines have a lot more significance in both the amount and the reality that they’ll actually be followed through. The FTC or GDPR (either of them) could bankrupt Facebook if they’re guilty and the fines are carried out to the letter of the law. But, we’ll see how this plays out in reality.
The third item, requires that misuse and breach of personal data must bring about notifications to authorities and the public (if the scale is significant) within a reasonable period of time. With GDPR, this notification is within 72 hours and extremely aggressive by any standard. In the case of Facebook, if they are found to have known about the misuse of 2.2 billion people’s data for many years (per the FTC Consent Decree in 2011) then they are already way behind reasonable. With GDPR, they are thousands of hours behind on the 72-hour notification requirement.
What should you do…
There are many basic steps a business (any business small or large) can do to fulfill their obligations to protect the personal data that they collect, use and store. This all starts with some core fundamentals:
- An effective data protection policy,
- Controls that govern the use of the data,
- Controls and tools that detect intrusions and identify potential compromises of data (sensitive data, or otherwise),
- Incident Response Process (policy, plans and crucially, the effort to use it) in order to act quickly in the event of a breach,
- Controls that enable rapid containment of an intrusion, to isolate and limit the extent of damage,
- Remediation, Restoration and Improvement to fix the problem, recover from damage, prevent reoccurrence, and learn from the incident, and
- An effective notification process to expediently and appropriately notify authorities and victims when their data has been stolen or misused.
While the guidance above may seem sophomorically simple to most, I wonder why even the mega-businesses are having such problems with protecting the data they collect. Is it money? Is it willful neglect? Is it competing priorities? Is it competence? It is very tough to speculate on “why”. In the case of Facebook, this issue wasn’t a malware breach or some sophisticated hacker scheme. Rather, this incident is the result of failure on the part of their business model (a governance issue) to honor their obligation to protect their users information. I have a strong suspicion that come May 25th, Facebook will be the GDPR poster-child for personal data protection, consent, notification, and possibly significant execution of fines. Facebook isn’t alone. There have been equally significant issues with Equifax, Under Armour, and several others.
Until next time,
Ed