Facebook’s Failure to Mitigate Cyber Risks Could Cost Billions
Steven Minsky | Nov. 14, 2018
In late September, Facebook announced that it had discovered a breach in its network that had exposed the personal data of nearly 50 million users to hackers.
The hackers exploited a feature in Facebook’s code to gain access to user accounts, potentially enabling them to take control of those accounts. The breach was the largest in Facebook’s fourteen years of existence.
The fallout Facebook is facing from this breach is the latest example of the see-through economy at work. Since September 27, Facebook’s market value has dropped over 8%. However, the string of recent scandals that have occurred since July 20 of this year has reduced Facebook’s market value by nearly 25%. This is the financial cost of Facebook’s decision to reject an investor proposal for the company to create a separate and independent risk committee. Had Facebook heeded this request, this breach would have been avoided.
Furthermore, Facebook could face a fine of as much as $1.63 billion in the European Union for the breach under the GDPR law that went into effect earlier in 2018. This is one of the first major tests of the GDPR. While there have been a number of other breaches, few if any have been on the scale of Facebook’s recent breach.
Under GDPR, companies are required to notify regulators within 72 hours of the breach occurring. Facebook could face a fine of up to $850 million if they were found to be outside of the 72-hour window. According to a report in The Wall Street Journal, it appears Facebook may have notified Ireland’s Data Protection Commission, the lead privacy regulator for Facebook in the EU, within the 72-hour timeline.
The Irish DPC, however, has said that Facebook’s notification “lacked detail.” If EU regulators determine that Facebook failed to take sufficient measures to secure user data prior to the breach, Facebook would face a maximum fine of €20 million ($23 million) or 4% of worldwide revenue, whichever is greater. Based on Facebook’s 2017 revenue, the latter amount would be $1.63 billion.
A Risk-Based Approach to GDPR
The GDPR is risk-based, which means that failing to take sufficient measures to mitigate a risk can result in greater penalties for companies. To avoid penalties, companies can use enterprise risk management software to document what the company did, when it did it, and which employees were responsible for the planning and execution. Proper operationalization of ERM software would have likely enabled Facebook to avoid most, if not all, of the GDPR penalties.
Reputation risk is also a major factor for both customers and investors. For Facebook, the failure to quickly react to the breach and communicate how they were not negligent in managing data privacy prior to the incident, coupled with its post-breach reaction, is a considerable impediment to its efforts to regain user and investor trust after a series of privacy and security scandals.
Facebook Could Avoid Costly Fines with Enterprise Risk Management
Within an ERM platform like LogicManager, all of a company’s assets containing EU resident data are clearly documented. The company would be able to quickly determine whether or not EU resident data was compromised as a result of a breach and avoid the GDPR penalty by reporting the breach to EU authorities within 72 hours.
Furthermore, with ERM software a company is able to demonstrate that its efforts to secure EU resident data are commercially reasonable and sufficient. Our software aggregates and connects all the separate policy, risk, readiness standards, controls, and monitoring activities, enabling companies to provide authorities with evidence to back up their case. Our solution not only shows what was done but how comprehensive mitigation activities were, according to commercially responsible standards, enabling our customers to prove their GDPR compliance.
LogicManager is an ERM platform, which, in contrast to a GDPR solution, would also show all the federal and state jurisdictions in the United States in which a company has obligations, so that it can meet those reporting requirements on time as well.
Facebook, Google, and other technology firms are aggressively opposed to regulators formalizing privacy risk management responsibilities. These companies would be in a much better position with robust ERM software for cybersecurity and privacy governance because it would enable them to clearly demonstrate and support their accountability and existing capabilities for protecting their customers, users, and investors.