The past few weeks offer a study in contrasts in how social networking firms handle data breaches. On September 28, news broke of a security vulnerability at Facebook that exposed the personal information of nearly 50 million users. Last week, Google announced that it was shutting down its failing Google+ social networking service after a breach exposed information belonging to about 500,000 people.
The Facebook and Google breaches share much in common. Both stemmed from flaws in the way the social media platforms handle authentication for user accounts. Both also made major national news at a time when social media cybersecurity is already under intense public scrutiny.
These similarities end, however, when you turn your attention to how the two firms handled the aftermath of the breaches. Facebook CEO Mark Zuckerberg publicly announced the breach on his own Facebook page, and the company followed up with additional details on the incident and the company’s response. Predictably, Facebook took a drubbing in the media, but the incident quickly slipped off the public’s radar, lost amid the many data breach announcements that occur each month.
We only learned of the Google breach, on the other hand, when the Wall Street Journal broke the story. Google quickly rushed out an announcement of security upgrades, but only after it had been publicly shamed. But it gets worse. The Journal’s reporting uncovered evidence that Google executives had known about the breach for six months and had intentionally covered it up, acknowledging that it would attract “immediate regulatory interest.” The decision to hide this breach from the public was made by an internal committee and reviewed by Google CEO Sundar Pichai.
Facebook and Google faced remarkably similar circumstances and reacted in strikingly different ways. Facebook owned up to the problem and quickly notified their users of the breach. Google fixed the problem behind the scenes and deliberately concealed the issue to avoid public embarrassment. While reasonable people might disagree on whether the breaches were preventable, it’s pretty clear that Facebook responded in an ethical and responsible manner while Google failed to act in the public interest.
Fortunately, society has a mechanism to deal with irresponsible and unethical behavior: the law. You might assume that Google’s behavior would have run afoul of a federal or state statute. That assumption would be incorrect, at least as far as the United States is concerned.
The current state of data breach notification laws in our nation is abysmal. At the federal level, we have a patchwork of laws and regulations that cover very specific situations. If your doctor loses your medical records, the Health Insurance Portability and Accountability Act (HIPAA) requires her to notify you within 60 days. If your credit card number is stolen, the Payment Card Industry Data Security Standard (PCI DSS) requires prompt notification of law enforcement. There is, however, no broad federal statute with a simple requirement that anyone losing your personal information must notify you of that fact.
While the federal government has so far failed to provide this protection, the states have stepped up to fill the gap. On March 28, Alabama became the fiftieth state to pass a data breach notification law. These laws, however, are narrow in scope. Most of them follow the same model legislation and only require notification of consumers when thieves walk away with credit card numbers, driver’s license numbers, passwords, or other specific pieces of sensitive information. Neither the Facebook nor the Google+ breach tripped any of those triggers.
Senators Amy Klobuchar (D-Minnesota) and John Kennedy (R-Louisiana) introduced the Social Media Privacy and Consumer Rights Act in the Senate earlier this year. This bill would require social media platforms to notify consumers of a breach of personal information within 72 hours of the breach. Their bipartisan effort is commendable, but adopting another narrowly tailored law is not the right solution. Writing a bill specifically to cover social media sites would simply add another patch to the flimsy quilt of U.S. privacy law.
The European Union recently adopted the General Data Protection Regulation (GDPR), a sweeping privacy law governing the ways that private businesses handle personal information belonging to EU residents. It broadly defines personal information as “any information concerning an identified or identifiable natural person.” Under GDPR, organizations suffering a breach of personal information have 72 hours to report the breach to government privacy officials.
We need similarly broad data breach notification legislation in the United States. While it might not be politically feasible to pass a sweeping privacy regulation modeled after GDPR, there shouldn’t be any reasonable objection to a broad data breach notification requirement. Congress should take up legislation requiring that any organization, regardless of industry, suffering a breach of personal information notify affected individuals within 72 hours.
This is the only feasible solution to the problem. Without broad federal legislation, companies like Google will be able to slip through the legal loopholes in our current regulatory patchwork and continue to conceal breaches of personal information. The public has a right to know when their information is stolen and Congress must act now to protect that right.