
Facebook GDPR fate uncertain following data breach

Facebook's GDPR consequences are still up in the air following a data breach, as Irish regulators are waiting on more information before determining if the social network will face a fine.

Facebook reported its recent data breach quickly, per the European Union's General Data Protection Regulation requirements. But the lack of details in the disclosure has people wondering if the social network might be facing a hefty fine.

The Data Protection Commission (DPC) of Ireland is responsible for investigating Facebook's GDPR liability for the recent data breach, which affected at least 50 million accounts. Facebook reported the breach within 72 hours, meaning the company would not be penalized under the GDPR rule mandating prompt breach disclosure.

Under GDPR, the penalty for failing to disclose a breach promptly is pegged at the higher of 20 million euros or 2% of the offending business's global revenue. However, it is still unclear if regulators will find Facebook negligent from a security perspective, which would carry a maximum fine of 4% of the company's global revenue for the previous year -- $1.63 billion.

The DPC announced on Twitter that it was waiting for more information from Facebook so it could "properly assess the nature of the breach and risk to users." While the DPC has been cautious about saying too much regarding Facebook's GDPR liability, Věra Jourová, commissioner for justice, consumers and gender equality for the European Commission, has been more vocal about her concern.

Experts like Alex Stamos, former CISO at Facebook and current adjunct professor at Stanford University, noted that the uncertainty surrounding Facebook's GDPR liability is partially due to the GDPR rules themselves.

Jake Williams, founder and CEO of Rendition Infosec, based in Augusta, Ga., agreed on Twitter and said the uncertainty is an unintended consequence of GDPR.

Lukasz Olejnik, a security and privacy researcher, wrote on Twitter that, given the current information regarding the Facebook GDPR investigation, there's no guarantee there will be a fine.

Jourová added that the Facebook GDPR case will be important for the data protection rules. And Peter Tran, vice president of global cyber defense and security strategy at Worldpay Inc., based in Cincinnati, agreed this case will set an important precedent for GDPR.

"Where it gets tricky is there hasn't been precedent set yet with a case this big, so the question would be: Is this the opportunity for regulators to be able to show the teeth GDPR really has to set the pace where others fall in line?" Tran asked via Twitter direct message. "Four percent of global revenue is rough, and until it's imposed, will GDPR be taken seriously?"

Tran added that Facebook's GDPR liability will depend heavily on the details of the investigation.

"I'm not convinced that Facebook will be taken to the woodshed on this one, particularly given how much they are publicly saying they are doing for security and privacy, as well as the recent testimony on the hill. But details are yet to be disclosed on this latest, and I'm not convinced that 50 million is the true number," Tran said.

He noted that the details of what data was exposed via the stolen Facebook tokens -- such as data from connected apps -- would also be important.

"I think that if there's definitive evidence for that level of risk exposure, regulators would likely seriously assess the impact and weigh the penalty accordingly. This would be the first ever for GDPR, so it's going to be telling if it does happen," he said.

Dana Simberkoff, chief risk, privacy and information security officer at AvePoint, based in Jersey City, N.J., said the potential Facebook GDPR fine is dependent on Facebook's security.

"The largest fines under GDPR are reserved for companies that have not taken reasonable measures to prevent a data breach from happening -- and for those that arguably should have been able to do more to prevent the breach from occurring," Simberkoff wrote via email. "Facebook makes an extraordinary amount of money based on its collection of its users' personal information. Additionally, because Facebook has had so many privacy and security challenges in recent months, this could impact how their efforts are perceived by regulators."

"This incident may become a notorious milestone of GDPR enforcement by the EU regulators," said Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge, based in Geneva.

"It is almost impossible to say how harsh and severe monetary sanctions will be. Usually, courts have broad discretion to impose a penalty proportional to the incident and fault. Facebook will probably invoke the complicated nature of the vulnerabilities and economical impossibility to totally prevent such flaws," Kolochenko wrote via email.

"However, regardless of the colorful defense arguments, Facebook may be used as a scapegoat to serve as a deterrent to others. Public policy and social aspects are often involved in judiciary decisions, making them less predictable and more uncertain," Kolochenko continued. "Last, but not least, Facebook has a right to settle and to appeal the decision; thus, this story can last for a while."
