Ireland’s Data Protection Commission launches investigation into Facebook’s data breach
On 28 September, Facebook disclosed that hackers had stolen keys that allowed them to access up to 50m user accounts with the potential for a further 40m which may have been compromised. The hack allowed the hackers to use the accounts as their own, reading and writing private messages and posts.
Facebook said that the vulnerability had been present on the platform since July 2017 and that they are unaware of how long the hackers have been able to exploit the vulnerability, though say that the flaw was discovered and rectified within two days. The breach was then reported to the Irish Data Protection Commission (DPC) the next day.
This is Facebook’s largest ever data breach and its first since the GDPR came into force in May 2018 and will therefore be Ireland’s first real test of its enforcement capabilities under the GDPR. Facebook find themselves exposed to fines of up to $1.6bn.
A statement confirming the Irish DPC’s formal investigation came on 3 October and stated that “the investigation will examine Facebook’s compliance with its obligation under the General Data Protection Regulation (GDPR) to implement appropriate technical and organisational measures to ensure the security and safeguarding of the personal data it processes”. This is known as the ‘security principle’ which provides an obligation for organisations to ensure that personal data is kept safe.
The outcome of the investigation is not yet known but a point of interest will be that Facebook is alleged to have had vulnerabilities in its system since July 2017 and, again allegedly, steps were not taken to rectify this until over a year later. Whether Facebook took reasonable steps to discover this vulnerability including whether the flaw would have been discovered through regular system testing will inevitably determine whether they had complied with the security principle forming the centre of the DPC’s investigation.
Why is this important?
Ensuring personal data is kept safe is of paramount importance under the GDPR. It is important to take into account the security principle when controlling and processing personal data to prevent being exposed to fines of up to €20m or 4% of an organisation’s global turnover. Whilst the financial implications are vast, the reputational damage that can be done from reporting a breach of any magnitude can be irreparable.
Considerations should be made with regard to the security principle and a party’s obligation to take appropriate technical and organisational measures at all times.
Any practical tips?
To comply with the security principle, parties should consider using encryption or psuedonymisation to protect personal data in the event of a breach. Other measures include implementing an information security policy and providing training to those processing personal data, conducting regular risk analysis of storage and processing methods and undertaking system improvements where necessary.