By Jason Wang, CEO of TrueVault
The European Union’s General Data Protection Regulation (GDPR) is starting to show its teeth as regulators evaluate penalties for Facebook after a high-profile security breach of user data.
If Facebook is found to be in violation of GDPR, the company could face fines of more than $1 billion (GDPR caps penalties at four percent of global annual turnover) after approximately 30 million accounts were compromised in the attack.
If recent and past events are any indication, giant technology companies, Facebook included, have shown that self-policing is inadequate when it comes to data security.
Prior to the implementation of GDPR, Facebook was slow to admit the data harvesting carried out by Cambridge Analytica. The social media platform first learned of the misuse of user data by Cambridge Analytica in 2015, but did not acknowledge the situation to the public until spring of 2018.
By contrast, the most recent breach was reportedly discovered by Facebook on September 25 and was announced three days later, on September 28. What changed between March and September 2018? In May, GDPR went into effect. The law requires a company to notify its supervisory authority no more than 72 hours after a breach is discovered, and to notify affected users without undue delay when the breach is likely to put them at high risk. Based on previous evidence, we believe it is unlikely that Facebook would have announced the breach to the public so soon after it was discovered had GDPR not already been in force.
GDPR: Refereeing tech on behalf of consumers
The recent Facebook breach is significant, but its importance goes beyond the obvious. Hundreds of articles have been written about the breach, what it means, and Facebook's role in society. What has not been discussed, and what might actually matter more in the long run, is that GDPR seems to be working: this breach is establishing new standards for how personal data is secured and how breaches are disclosed.
Technology companies have largely been operating with limited regulatory oversight, and missteps have occurred that compromised the security of consumer data. As cybersecurity expert Bruce Schneier noted recently to the New York Times: “I can think of no industry in the past 100 years that has improved its safety and security without being compelled to do so by government.”
GDPR appears to be pushing tech giants in the right direction when it comes to implementing better security policies for consumers. We recognize that achieving and maintaining compliance with consumer privacy laws such as GDPR and the upcoming California Consumer Privacy Act (CCPA) is arduous, but there are existing solutions that allow companies to achieve compliance with data privacy laws while also going a few steps further to secure consumer data.
While self-policing has been the norm among technology companies, their efforts have been inadequate. We urge a culture shift in the industry in which companies become proactive, not reactive, about securing personal data.
For example, instead of collecting as much data about a consumer as possible, collection should be limited to what the product or service actually requires; data that is never collected cannot be breached. At this point, breach attempts ought to be expected. Companies like Google and Facebook must be hyper-vigilant about testing their platforms for vulnerabilities to limit their risk. And when breaches do happen, disclosure must be swift. It is time to learn from Facebook's mistakes by anticipating the worst and securing consumer data to the highest standard, or risk the consequences.