Facebook Shows Why We Need to Rethink Data Security And Breach Notifications
We all remember the infamous Facebook data breach of last year. In September 2018, attackers exploited a flaw in the site's "View As" feature to steal access tokens for almost 50 million accounts (a figure Facebook later revised to about 30 million). For weeks, executives could say little beyond that the investigation was still pending.
Well, Facebook made headlines again this year, and this time it was for storing millions of user account passwords in plaintext. In March 2019 the company disclosed that some passwords had been recorded in readable form on internal systems, where they were searchable by and accessible to Facebook employees. Facebook said it found no evidence that anyone had abused this access.
Even if we take Facebook's word that its employees didn't misuse these passwords, the incident brings to light many of the data security problems companies face today. A password is never supposed to be readable by anyone, the operator included: the standard practice is to store only a salted, deliberately slow, one-way hash and compare against that at login, so that a leaked table, a searchable log or a curious insider yields nothing usable. It shows that there is always a risk when we put confidential information on the internet. And while social media platforms like Facebook have always assured us of our privacy, we can never be too cautious when protecting our data online.
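To make the difference concrete, here is an added example (written for this page, not Facebook's code and not a description of its systems) that puts a plaintext credential store beside a hashed one. The account names and passwords are constructed sample data. It uses PBKDF2-HMAC-SHA256 from Python's standard library only because it needs no extra packages; in production Argon2id or scrypt are the better choice, and the structure shown here (random per-user salt, high work factor, constant-time comparison) is the same.

```python
import hashlib
import hmac
import os

# Weak pattern: the password itself is the record. Anyone who can read the
# table, whether an engineer with search access, a log pipeline, or an
# attacker holding a database dump, reads every password directly.
def store_plaintext(db, username, password):
    db[username] = password

def check_plaintext(db, username, password):
    return db.get(username) == password

# Hardened pattern: store a salted, deliberately slow, one-way hash.
# 600,000 iterations follows current OWASP guidance for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations), salt.hex(), digest.hex()])

def verify_password(stored, password):
    """Recompute with the stored salt and parameters, then compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# Hash of a random throwaway value, verified against when the username is
# unknown so that "no such user" and "wrong password" take about the same time.
_DUMMY_RECORD = hash_password(os.urandom(16).hex())

def store_hashed(db, username, password):
    db[username] = hash_password(password)

def check_hashed(db, username, password):
    stored = db.get(username)
    if stored is None:
        verify_password(_DUMMY_RECORD, password)
        return False
    return verify_password(stored, password)

def insider_view(db):
    """What someone with read access to the table sees for every user."""
    return dict(db)

if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    plain, hashed = {}, {}
    for user, pw in [("alice", "correct horse"), ("bob", "correct horse")]:
        store_plaintext(plain, user, pw)
        store_hashed(hashed, user, pw)
    print("plaintext store:", insider_view(plain))   # every password in the clear
    print("hashed store:   ", insider_view(hashed))  # two different records for the same password
    print(check_hashed(hashed, "alice", "correct horse"), check_hashed(hashed, "alice", "wrong"))
```

Two things to notice when running it: the hashed table shows different records for alice and bob even though they chose the same password, because each got its own salt, and a lookup for a nonexistent user still runs a full hash so response timing does not reveal which usernames exist.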
Data Breaches On The Rise
Of course, this is not the first time we've seen a major breach of user information. In the first half of 2018 alone, roughly 291 records were stolen or exposed every single second, according to Gemalto's Breach Level Index.
With data breaches this frequent, users are counting on platforms to do a better job of at least notifying them when their data has been compromised. And it's not just because it's the right thing to do. The General Data Protection Regulation (GDPR) requires it: it sets out clear security and breach notification obligations.
Under the GDPR, which has applied in the European Union since May 2018, a company has 72 hours from becoming "aware" of a personal data breach to notify its supervisory authority (Article 33), unless the breach is unlikely to put people at risk. Where the breach is likely to result in a high risk to individuals, the company must also tell the affected people themselves "without undue delay" (Article 34).
However, the regulation does not demand a "perfect" first notice. Companies have to tell the regulator, and where required their customers, that something happened, but they are not obliged to have every detail on day three. The purpose is simply to inform users early so that they can take steps to protect themselves, such as changing passwords.
In most cases, the details of a breach take longer than that to uncover. 72 hours is usually not enough time for a full investigation, which is why the regulation explicitly allows the information to be provided in phases. And many a time the phases drag on for too long. Note also that the clock starts at "awareness": Facebook says it found the plaintext password logging in January 2019 during a routine security review and disclosed it in March, yet the logging itself had been going on for years, reportedly as far back as 2012, and nobody had spoken a word about it until then.
Well, now the flaws of the regulation are starting to show. After the exposure, all the users got was an assurance that nothing went wrong and a promise to prevent such a thing in the future.
I think we can all agree now that we absolutely need more comprehensive data security and breach notification requirements. Thanks to Facebook!
What’s Currently Under Consideration?
Thankfully, governments are not sitting still on the matter. Several members of the US Congress have proposed bills to improve data security and breach notification requirements, and two possible standards are being considered: a harm standard and an occurrence standard.
Under the harm standard, companies are only required to notify users if the breach has led, or will lead, to "cognizable harm." In practice that means they don't have to say anything unless they themselves judge that the breach is likely to cause harm they could be held accountable for.
The occurrence standard, on the other hand, requires companies to notify users when the breach occurs, regardless of how much harm they expect. In effect, the occurrence standard is friendlier to users: it gives them the chance to prepare and protect themselves, perhaps before anything bad happens.
The harm standard, which of course the industry favors, is more hostile. It effectively leaves it to the companies to decide whether or not they need to rat themselves out. They don't have to say anything until something significant happens, and they get to decide what counts as significant.
We know now that we can't completely trust companies to keep their word. So here's hoping the Congress bills do something solid for us in the matter. Ideally, we need properly spelled-out security practices for companies to follow. Ones that favor the privacy of users as much as they do large companies.
The good news is that you can be proactive in protecting your data to a great extent. Contact us today to learn your options.