In the days following the latest Facebook scandal, in which we learned that Cambridge Analytica collected and misused the personal data of potentially 50 million American Facebook users, we have seen:

• A large social media trend, #DeleteFacebook,
• Facebook’s estimated $50 billion net loss of shareholder value
• Initial attempts by Facebook executives to remain silent on the subject, followed by
• A “days too late” apology from Mark Zuckerburg (Facebook Founder/CEO) along with an admission that Facebook should likely be a regulated entity.

Facebook, like its peers and rivals, is in fact preparing for a new European Union – General Data Protection Regulation (GDPR). If you aren’t aware, GDPR is a new law (effective May 25, 2018) that aims to protect the privacy rights of EU residents. GDPR was created by the European Commission to protect against the marketing practices of companies like Google and Facebook, who use the personal data they collect about you to market to you in all kinds of ways.

• For instance, let’s say you search the Internet for a pair of boots. Then for the next month, you continue to see an ad from Zappos trying to sell you that pair of boots. You didn’t ask to see those ads, and you may find them to be a distraction. However, you may also end up buying the boots.
• In the Cambridge Analytica example, the company created a personality test app on Facebook to collect information about you, your preferences and your relationships. Approximately, 300,000 people took the personality test. Based on those responses, they were able to collect and analyze the preferences of up to 50 million Facebook users. The company then placed ads disguised as news, social media content or television ads that played on those people’s fears and preferences to influence their voting decisions … just like the nice new pair of boots you may or may not have needed.

GDPR is a revolutionary law that mandates significant improvements to security and data privacy practices, with huge fines for noncompliance – 4% of annual revenues, or €20 Million, whichever is larger. If GDPR had already been in place, in addition to the huge loss in value, European Union Regulators could conceivably fine Facebook an additional €1.31B (or $1.63B, based on 2017 revenues of $40.65B).¹

Ironically, Facebook appears to be taking GDPR preparation seriously, and has appropriately taken measures to inform the public of its preparation efforts. Under GDPR, Facebook operates as both a personal data ‘Controller’ and a ‘Processor.’ After the law comes into effect, Facebook management will have responsibility to monitor all ‘Processors’ of the personal data it shares. That means, Facebook will have to audit the security and data privacy practices of marketing companies like Cambridge Analytica.

If Facebook sees intentional, or even accidental misuse of these personal data, Facebook’s Data Privacy Officer (DPO) would be held accountable by EU regulators to report Cambridge Analytica’s violations within 72 hours of discovery; not years later and only after a whistleblower does it first. News outlets have been reporting about Cambridge Analytica’s sinister practices since its involvement in US politics prior to the 2014 mid-term elections. The shock and awe we are experiencing in March 2018 should have been first felt much, much sooner.

As it turns out, Cambridge Analytica has been mining and exploiting privacy data of people all over the world to influence the political courses in Nigeria, Kenya, the Czech Republic, India and Argentina. Cambridge Analytica even developed content to influence “persuadable” voters to support Brexit.²

While EU Regulators have promised to vigorously enforce GDPR around the world, the law only protects the privacy rights of EU residents. As American citizens, we aren’t granted the same protections, but our companies will be forced to implement security and data privacy controls to vigorously protect the personal data of EU residents, if they market or sell goods or services to EU residents. An estimated 57% of American companies will be impacted by GDPR regulations.³ It remains to be seen whether US companies will ensure privacy protection for US and EU citizens equally.

• The conservative approach recognizes that preparation for GDPR requires significant investments of time, money, process and human resources. If an organization implements mechanisms to protect the privacy of EU data subjects, and changes its business models to forgo its predatory marketing practices, it may make sense to reengineer all operations consistently. In this scenario, a company would protect ALL data subjects equally.
• The more likely approach is that companies will implement the privacy protections only for those data subjects residing in Europe. Companies will continue to market and manipulate all those data subjects in countries that don’t grant their citizens a high level of privacy rights.

And why shouldn’t companies like Cambridge Analytica and Facebook continue to exploit the personal data of American citizens? We have no omnibus privacy law like GDPR to protect us. Facebook has been conducting psychological experiments on its users for years, specifically placing ads in your line of site based on the information we give up. We don’t pay any money to use it, which means they have to make money selling targeted advertising they think we want to see. They alter the newsfeeds to influence our emotions.⁴ What once started as a dream to build a great online community has morphed into a great psychological weapon sellable to the richest buyer.

Let’s Protect US Residents

Where are our political leaders in all of this? Why doesn’t their response match the act? Americans deserve the same privacy rights as the Europeans.

With all of the talk about Identity Theft, protecting our personal data is made much more difficult by the fact that companies retain our personal data in their systems without our consent. Most of the time, we don’t know who has it or what they do with it. If a company holding your personal data is breached, you have to wait to find out if you were affected, or if they adequately protected your data. Did you receive a letter from Equifax in the last year informing you that your data was breached?

• Did you receive the notification shortly after it happened (May-July, 2018, 0 people notified)?
• Did you receive notification in September, 2017 (143M people notified)
• Did you find out in October, 2017 (another 2.5 million people notified)?
• Or did you just find out in February, 2018 (7.5 months after the breach, and another 2.4M people notified)?

Data Privacy Laws in the United States just don’t protect us sufficiently.

• HIPAA covers healthcare data. Security and Privacy protections don’t match GDPR requirements. The level of protection in most cases doesn’t match the potential impact to patients if the data is breached. The healthcare industry is notoriously behind the eight ball to bring its security up to par with current cyber threats.
• GLBA protects the privacy of consumer’s finances. Enforced by the Federal Trade Commission and 7 other Federal agencies, the law governs how institutions collect, process, disclose and protect your personal financial data.
• PCI DSS is a voluntary regulation implemented by the credit card firms. PCI DSS requires safeguards to protect credit/debit card information. While it is not ‘law,’ credit card companies may issue fines and/or prohibit violators from processing credit cards as payment.
• FERPA covers educational information. Probably the weakest protections of the bunch. Administered by the US Department of Education.

Conclusion

If you live in the US, there is no regulation that protects your purchasing, Internet surfing or consumption habits and preferences. We have no single omnibus law that protects our privacy. Instead, we have law enforcement officials claiming that privacy has gone too far, and that those laws get in the way of counterterrorism intelligence efforts.⁵ I am certainly not advocating that law enforcement should be precluded from reasonable means to investigate potential criminal or violent activity. However, that reasoning shouldn’t stop lawmakers from drafting bills to protect us from corporate predatory practices. As an advocate for Privacy, and as I consider all of the looming threats within the cyber sphere, I believe its time for the US to adopt a similar approach to privacy.

Its time to develop a GDPR for the rest of us!

References

1. Unfortunately, Cambridge Analytica keeps its revenue figures tightly held, so I was unable to approximate its potential fine under GDPR.
2. https://en.wikipedia.org/wiki/Cambridge_Analytica
3. https://community.spiceworks.com/research/gdpr-impact-on-it
4. https://www.bloomberg.com/view/articles/2018-03-22/facebook-s-chronic-evasions-must-end
5. https://nakedsecurity.sophos.com/2014/10/21/fbi-director-james-comey-says-apple-and-google-go-too-far-with-default-encryption/

Secure Compliance Solutions is the trusted security advisor for Chicagoland’s small-to-medium businesses. We offer a variety of services that promote a strengthened security posture and a culture of compliance. Our solutions include: risk advisory services, strategic cybersecurity planning, security and privacy awareness, regulatory guidance, penetration testing, and managed security services. We tailor our engagements and solutions to align with your cultural needs and business objectives; not the other way around. We keep your appetite for risk, budget constraints, and timeline in mind to define strategy and operational tactics that maximize your return on investment. At SCS, we help you navigate the course of your cybersecurity journey.