Recently Facebook reported that over 50 million accounts were improperly accessed in an outside security breach. The Facebook hacking incident was explained as a security breach that took advantage of Facebook’s “View As” feature, which allows users to see how their profiles appear when viewed as a different user.
Facebook Hacking Incident Due to Access Tokens
The Facebook “View As” feature inadvertently contained a vulnerability that allowed hackers to steal Facebook access tokens and then use them to gain unauthorized access to accounts they did not own. These access tokens are generally intended to allow users to log in to their accounts without having to enter their passwords each time, but such convenience clearly came with a price.
While Facebook has since closed the vulnerability, the Facebook hacking incident had to be made public and has again raised questions of whether or not technology giants are truly doing enough to safeguard users’ personal data.
With U.S. Regulations Lacking, EU’s GDPR Will Impact Companies Doing Business With Europe
The United States has still not passed significant, sweeping regulation that covers or provides guidance to companies regarding how personal data should be protected. However, the General Data Protection Regulation (“GDPR”) recently passed by the European Union could end up costing Facebook as much as $1.63 billion if Facebook is found to be in violation of the regulation’s terms. Though this regulation is European Union law, any company doing business with EU citizens must comply with it.
The GDPR specifically states that a company may be fined up to 4% of its annual revenue if found to be violating the regulation. Additionally, it requires that regulators be notified within 72 hours of any security breach. Ireland’s Data Protection Commission is already spearheading the investigation into whether or not the Facebook hacking incident was caused by Facebook improperly following the GDPR’s rules on protecting data and users’ personal information.
The Latest Facebook Hacking Incident May Help Push U.S. Lawmakers to Enact Federal Regulation
Data breaches are not new to the United States, and it appears that not all consumers are satisfied with the typical offering of one free year of identity theft monitoring and simple disclosures by companies handling their private data. California recently passed a new privacy law that will take effect in 2020, and other legislators across the nation are calling for similar bills in their states as well as for national regulation. However, the California law is not without critics, and the delay in taking effect is due to the huge burden of changes that will be necessary for companies to comply with the law.
U.S. lawmakers continue to work on creating stricter guidelines and requirements of transparency when it comes to how technology companies store, share, and use consumers’ personal information. Just last week, technology executives from companies such as Alphabet, Amazon, Apple, Twitter, AT&T, and Charter Communications all met with Senate committee members to discuss various initiatives to protect user privacy.
While many critics of both the GDPR and the California law are concerned that the regulations are overreaching and/or vague, it appears that privacy advocates are getting more and more support to move toward broader regulation after Facebook’s latest blunder. Either way, it is important that law advocates as well as companies involved in handling private data stay abreast of any privacy regulation developments in their respective states and at the federal level, as well as in any foreign countries they do business with.
Klemchuk LLP is a litigation, intellectual property (IP) and transactional law firm, located in Dallas, TX. The firm offers comprehensive legal services including litigation and enforcement of all forms of IP as well as registration and licensing of patents, trademarks, trade dress, and copyrights. The firm also provides a wide range of technology, Internet, e-commerce, and business services including business planning, formation, and financing, mergers and acquisitions, business litigation, data privacy, and domain name dispute resolution. Additional information about the Technology & Data law firm and its Technology & Data attorneys may be found at www.klemchuk.com.