Could the latest big-name target of a cyberattack be the first real test for regulators charged with enforcing the EU’s recently enacted General Data Protection Regulation (GDPR)? Time will tell, but when Facebook officials announced last week that cybercriminals hacked their system and collected 50 million user access tokens ‒ essentially digital keys to its users’ accounts and other platforms ‒ that outcome became a distinct possibility.
The potential financial liabilities resulting from this single incident are enormous. The maximum fine for violating GDPR regulations is €20 million or 4 percent of Facebook’s global revenue, whichever is greater, and a company with the breadth and deep pockets of Facebook could face billions of dollars in lawsuits.
Regulators already indicated Facebook’s data breach notification was inadequate, suggests Ian Trump, Head of Cyber Security for AmTrust International and a member of CompTIA UK Channel Community. “This incident falls under GDPR in several different ways, including the disclosure that a breach occurred within a 72-hour reporting deadline,” he said. “Facebook fumbled the ball.”
In its defense, Trump suggests regulators may be lenient since this was the first time the company had to deal with a breach under GDPR.
The incident puts the regulatory authority in uncharted territory. “This could be the first big breach that demonstrates whether the legislation actually has teeth,” emphasizes IT industry consultant Richard Tubb, a member of CompTIA UK Channel Community. While he suggests it’s unlikely that Facebook fines will reach $4 billion, as some have predicted, the company must face significant sanctions or the GDPR’s enforcement powers will appear quite weak.
Additional scrutiny may be placed on the company based on its previous security issues as well, according to Tracy Pound, Managing Director of MaximITy Ltd, an MSP based in the UK, a member of CompTIA UK Channel Community and CompTIA’s 2016 Member of the Year. “Facebook has already been fined £500,000 this year by the ICO over the Cambridge Analytica scandal for two data breaches, not safeguarding its users’ information and failing to be transparent about how that data was harvested by others,” she said. Organizations with a history of prior mistakes and lax responses may be penalized more severely by GDPR regulators.
One perplexing problem for regulators involves companies that rely on Facebook’s access tokens in their single sign-on processes. That feature allows users to log on to other platforms using their social media credentials; Google, Twitter and LinkedIn offer similar options. The question for regulators and legal experts will be determining how much data exposure, if any, took place on those platforms as a result of the Facebook breach.
“Tinder is probably the biggest concern since it contains very sensitive personal data,” adds Trump, who suggested a number of other sites may be affected. “The difficult thing will be to determine if other platforms were also exploited and what demonstrable harm was caused.”
The size of the fines and which companies will be held liable will likely be determined by GDPR investigations, as well as years of litigation.