On March 26, 2018, a bipartisan coalition of 37 state Attorneys General sent a letter to Facebook CEO Mark Zuckerberg demanding answers about the company’s business practices and privacy protections. Led by Pennsylvania Attorney General Josh Shapiro, the National Association of Attorneys General is taking issue with Facebook’s relationship with app developers, its efforts to protect and inform Facebook users, and seeking clear answers as to when Facebook first learned that users’ privacy had been compromised by a third-party app developer.
The letter from the Attorneys General to Mr. Zuckerberg is in response to press interviews conducted last week with Mr. Zuckerberg and others from Facebook acknowledging that, in 2013, a Cambridge University researcher developed an online quiz app and used it to access and export Facebook user data. The researcher later shared user data with Cambridge Analytica, a data analytics company now under intense scrutiny for allegedly microtargeting US voters.
Mr. Zuckerberg has described the situation as “a major breach of trust,” but so far Facebook has not agreed to call it a “data breach.” In an effort to assure all Facebook users, Mr. Zuckerberg promised to investigate the matter in order “to make sure there aren’t any other Cambridge Analyticas out there . . . or folks who have improperly accessed data.”
Best estimates predict that at least 50 million Facebook users may be affected, comprised mostly of Americans, but also likely to include many EU citizens. Coincidentally, beginning in May 2018, EU citizens will be able to exercise their “right to be forgotten” under the soon-to-be in effect General Data Protection Regulation (GDPR), requiring EU companies, and any non-EU companies doing business with an EU company, to erase all user data for an individual EU citizen upon request. In order to do so, however, a company must first know who has accessed or extracted its data and where it is stored.
Data sharing arrangements with third-party vendors, associates and app developers, such as the ones that allegedly purloined Facebook’s data, may prove to be extremely challenging for GDPR covered entities unless proactive measures are utilized to limit both the amount of data retained and access to it. Companies not covered by EU regulations may want to adopt similar measures as best practices to protect against improper acquisition of protected or otherwise sensitive data, which can cause tremendous reputational and financial harm, even if there are no existing statutory constraints requiring such measures.
It remains an open question as to whether the university researcher’s harvesting of Facebook data and subsequent sharing of that data with Cambridge Analytica constitutes a data breach. News reporting has steered away from describing it as such because user profile data was not actually hacked into and users ostensibly agreed to terms of service allowing app developers to access their data. The quiz app researcher not only siphoned off individual user data for those who took the online quiz, however; he also collected a treasure trove of user data from their Facebook friends.
While “data harvesting” sounds benign, it could nevertheless constitute a breach under certain circumstances. Federal regulators and state attorneys general are now working to find out exactly what happened, how and when. In the end, federal and state government officials may conclude that Facebook did not suffer a data breach under existing laws. Nevertheless, efforts to strengthen state and federal laws to better protect online data will surely follow.
Every state in the US (with the exception of Alabama) has enacted a data protection or breach notification law. A reportable breach is generally defined as the unauthorized access or acquisition of non-encrypted, or unredacted electronic files, computerized information, media or data that compromises the security, confidentiality, or integrity of personal information maintained by the person or entity. State notification laws all identify the types of personal information protected by statute, but they may vary slightly from state to state. A few states also require evidence of identity theft or fraud to render a suspected breach actionable.
Covered entities (those who hold or own the data) may also be required (either by statute or contract) to monitor business associates who have access to protected data. Such requirements exist to further guard against third-party data breaches and to ensure compliance with state notification requirements should a breach occur.
The Federal Trade Commission (FTC) has now confirmed opening its own investigation of Facebook’s data privacy practices. The FTC review will likely include examination of whether Facebook violated its 2011 consent decree with the FTC. The FTC press release announcing its investigation, however, does not clearly state whether it will extend to Facebook privacy practices in general.
Facebook may face further scrutiny from the US Securities and Exchange Commission (SEC), which recently announced its updated cybersecurity guidance on disclosure requirements for publicly traded companies. The stock market’s swift and strong reaction to the Facebook revelations has not gone unnoticed by investors. Facebook may have to account for representations made, or not made, in SEC filings concerning known cybersecurity risks related to data harvesting practices by third parties. The SEC’s investigation would likely delve into what was communicated internally at Facebook to its corporate officers and what action, if any, was taken.
In the end, the fallout from Facebook’s business relationship with a third-party app developer may lead to more stringent standards and laws governing the way companies, across many industries, conduct business and share electronic information in the future.
