A recent cyber attack affecting 50 million Facebook accounts could trigger severe penalties under the General Data Protection Regulation (GDPR).
This latest attack is a timely reminder for companies worldwide (including in New Zealand) of the need to ensure a GDPR standard of security when operating in the EU or dealing with the personal data of individuals located in the EU.
New Zealand companies should also be aware that, while the New Zealand Privacy Act does not currently require mandatory notification of data breaches, this is a GDPR requirement. Mandatory notification has also been proposed in the Privacy Bill currently under examination.
Facebook's security breach involved the theft of "access tokens", which allow Facebook users to stay logged into their accounts across multiple sessions and log into third-party applications. The effect of the breach is that hackers could use the access tokens to take over not only Facebook accounts, but also Facebook-linked accounts such as Instagram.
While the attack is serious in itself, the legal implications for Facebook may be particularly serious if individuals in the EU are affected. The Data Protection Commission of Ireland has reported that less than 10 percent of the 50 million compromised accounts belonged to people in the EU. Facebook is yet to confirm the locations of the affected users but it is likely that a number will be in the EU.
If so, Facebook could be liable under the GDPR if it is found that it did not have adequate security protections in place, or otherwise failed to comply with the GDPR's requirements in relation to the incident.
Article 5 of the GDPR requires that personal data be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures".
A breach of this requirement can result in fines of up to €20 million or 4 percent of annual global turnover for the previous year, whichever is higher. For Facebook, this could mean a fine as high as €1.63 billion (around NZD$2.86 billion).
Articles 33 and 34 also require notification of data breaches to the supervisory authority and, depending on the nature of the breach, to the individuals affected. Failure to comply may result in fines of up to €10 million or 2 percent of annual global turnover.
Facebook reported the incident within 72 hours of discovery and so it is most likely compliant in this respect. While this will certainly have negative PR impacts (Facebook shares fell after disclosure of the breach), Facebook's proactive response is likely to mitigate any regulatory sanction.
Less than 10 percent of the 50 million users attacked in Facebook's recent breach lived in the European Union, tweeted the Irish Data Protection Commission, which oversees privacy in the region. However, Facebook still could be liable for up to $1.63 billion in fines, or 4 percent of its $40.7 billion in annual global revenue for the prior financial year, if the EU determines it didn't do enough to protect the security of its users.