Andrea Danti - Fotolia

Facebook GDPR fate uncertain following data breach

Facebook's GDPR consequences are still up in the air following a data breach, as Irish regulators are waiting on more information before determining if the social network will face a fine.

Facebook reported its recent data breach quickly, per the European Union's General Data Protection Regulation requirements. But the lack of details in the disclosure has people wondering if the social network might be facing a hefty fine.

The Data Protection Commission (DPC) of Ireland is responsible for investigating Facebook's GDPR liability for the recent data breach, which affected at least 50 million accounts. Facebook reported the breach within 72 hours, meaning the company would not be penalized under the GDPR rule mandating prompt breach disclosure.

Under GDPR, the penalty for failing to disclose a breach promptly is pegged at the higher of 20 million euros or 2% of the offending business's global revenue. However, it is still unclear if regulators will find Facebook negligent from a security perspective, which would carry a maximum fine of 4% of the company's global revenue for the previous year -- $1.63 billion.

The DPC announced on Twitter that it was waiting for more information from Facebook so it could "properly assess the nature of the breach and risk to users." While the DPC has been cautious about saying too much regarding Facebook's GDPR liability, Věra Jourová, commissioner for justice, consumers and gender equality for the European Commission, has been more vocal about her concern.

Experts like Alex Stamos, former CISO at Facebook and current adjunct professor at Stanford University, noted that the uncertainty surrounding Facebook's GDPR liability is partially due to the GDPR rules themselves.

Jake Williams, founder and CEO of Rendition Infosec, based in Augusta, Ga., agreed on Twitter and said the uncertainty is an unintended consequence of GDPR.

Lukasz Olejnik, a security and privacy researcher, wrote on Twitter that, given the current information regarding the Facebook GDPR investigation, there's no guarantee there will be a fine.

Jourová added that the Facebook GDPR case will be important for the data protection rules. And Peter Tran, vice president of global cyber defense and security strategy at Worldpay Inc., based in Cincinnati, agreed this case will set an important precedent for GDPR.

"Where it gets tricky is there hasn't been precedent set yet with a case this big, so the question would be: Is this the opportunity for regulators to be able to show the teeth GDPR really has to set the pace where others fall in line?" Tran asked via Twitter direct message. "Four percent of global revenue is rough, and until it's imposed, will GDPR be taken seriously?"

Tran added that Facebook's GDPR liability will depend heavily on the details of the investigation.

"I'm not convinced that Facebook will be taken to the woodshed on this one, particularly given how much they are publicly saying they are doing for security and privacy, as well as the recent testimony on the hill. But details are yet to be disclosed on this latest, and I'm not convinced that 50 million is the true number," Tran said.

He noted the details on what data was exposed via the stolen Facebook tokens -- like that of connected apps -- would be important, as well.

"I think that if there's definitive evidence for that level of risk exposure, regulators would likely seriously assess the impact and weigh the penalty accordingly. This would be the first ever for GDPR, so it's going to be telling if it does happen," he said.

Dana Simberkoff, chief risk, privacy and information security officer at AvePoint, based in Jersey City, N.J., said the potential Facebook GDPR fine is dependent on Facebook's security.

"The largest fines under GDPR are reserved for companies that have not taken reasonable measures to prevent a data breach from happening -- and for those that arguably should have been able to do more to prevent the breach from occurring," Simberkoff wrote via email. "Facebook makes an extraordinary amount of money based on its collection of its users' personal information. Additionally, because Facebook has had so many privacy and security challenges in recent months, this could impact how their efforts are perceived by regulators."

"This incident may become a notorious milestone of GDPR enforcement by the EU regulators," said Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge, based in Geneva.

"It is almost impossible to say how harsh and severe monetary sanctions will be. Usually, courts have broad discretion to impose a penalty proportional to the incident and fault. Facebook will probably invoke the complicated nature of the vulnerabilities and economical impossibility to totally prevent such flaws," Kolochenko wrote via email.

"However, regardless of the colorful defense arguments, Facebook may be used as a scapegoat to serve as a deterrent to others. Public policy and social aspects are often involved in judiciary decisions, making them less predictable and more uncertain," Kolochenko continued. "Last, but not least, Facebook has a right to settle and to appeal the decision; thus, this story can last for a while."

Dig Deeper on Data security and privacy

Enterprise Desktop
Cloud Computing