Organizations need to view government demands as the floor rather than the ceiling when it comes to protecting consumer data

By Jacob Serpa, researcher, Bitglass

While Facebook’s $5 billion settlement stands as the largest fine in the history of the Federal Trade Commission (FTC), it is worth remembering that not every company operates at Facebook’s scale, and penalties for mishandling consumer data will not be on that scale either. In Q2 2019, Facebook reported 2.41 billion worldwide monthly active users on its platform, not counting Instagram, WhatsApp, or Facebook Messenger users. The company is also reported to have collected $16.9 billion in revenue for the three months ending in June 2019, a 28% increase over the same period the previous year.

Scale aside, the settlement highlights the growing importance of data privacy. Companies will be held more accountable for securing user data and will need to demonstrate how they use it. Rather than treating government demands as a ceiling and aiming for the minimum security requirements they spell out, organizations should treat compliance as a floor and go beyond it to provide comprehensive, proactive protection for user data. Otherwise, they may face penalties similar to Facebook’s.

That Facebook was fined should come as no surprise. The social media giant has been under fire for data privacy incidents for some time. Consider the Cambridge Analytica scandal, in which Facebook’s lax data controls were exploited to harvest user data (a debacle that also violated a 2012 settlement between the FTC and Facebook). The size of the fine, however, is surprising. While Facebook can afford a $5 billion settlement (roughly one month’s revenue), most other companies could not survive a fine on this scale. And fines are only one component of the cost of a data breach, which also includes cleanup and incident response costs, reparations for exposed customers, and litigation expenses.

Given the above (and further factors such as damage to brand reputation), it is not unusual for enterprises to declare bankruptcy after a data breach. The Retrieval-Masters Creditors Bureau, parent company of the American Medical Collection Agency (AMCA), filed for Chapter 11 protection after an eight-month breach exposed the personally identifiable information (PII) of 20 million Quest Diagnostics, LabCorp and BioReference patients. The company spent $3.8 million mailing notices to individual breach victims and another $400,000 on the consultants and IT professionals hired to help respond to the breach. A settlement amounting to one month’s revenue would have been far beyond what the AMCA could pay.

Fines are meant to have a material impact on the companies against which they are levied; they are not necessarily meant to drive those companies out of business. This fine serves as a warning to Facebook that future mishandling of users’ data will bring even more severe repercussions. Facebook and other companies that handle large volumes of user data should take the settlement as a lesson and proactively improve their cybersecurity efforts, rather than merely complying with regulations or trying to stay out of trouble.

The key to protecting customer data is to treat compliance as the floor for security rather than the ceiling. By merely adhering to government demands, organizations may stay compliant, but they are unlikely to be seen as champions of data protection, customer privacy, and corporate social responsibility. Proactively securing users’ data, being transparent about how it is used and with whom it may be shared, and honoring users’ right to be forgotten will help establish a company as a leading, trustworthy organization. As the U.S. begins to consider regulation at the state level, a robust cybersecurity posture will be the most effective way to ensure compliance across jurisdictions.

About the Author

Jacob Serpa works for Bitglass, the next-gen CASB company. Serpa is passionate about helping others protect their personally identifiable information (PII) and earned his MBA at San Jose State University, where he graduated at the top of his class.