Last week, thanks to investigative reporting, we learned that Facebook discovered in January that it had been storing millions of users’ passwords in plain text, fully readable by thousands of its employees. Facebook has acknowledged that this was a serious security error and privacy breach on its side, since its systems, ideally, “are designed to mask passwords using techniques that make them unreadable” (in practice, a properly stored password is hashed with a salt, so that not even the operator can recover it), and promised that it “will be notifying everyone whose passwords we have found were stored in this way.” There is no evidence that any of the thousands of employees with access to these plaintext passwords actually misused them, but Facebook’s decision to stay silent for months reveals an important lesson for the broader privacy and security policy debate. Importantly, data security incidents are a widespread problem that goes well beyond Facebook.
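For readers who want to see what “techniques that make them unreadable” means in practice, here is an added example; it is not Facebook’s code, and the page does not describe how Facebook’s systems work. It stores a password as a salted PBKDF2-HMAC-SHA256 record and verifies a login attempt with a constant-time comparison, so the stored record never contains the password itself. The iteration count, salt length and record format are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor and salt length are assumptions for this example; tune the
# iteration count to your hardware (higher is slower for attackers too).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def make_password_record(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a storable record of the form 'pbkdf2_sha256$iters$salt_hex$hash_hex'.

    A fresh random salt is drawn unless one is supplied, so two users with the
    same password get different records and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{ALGORITHM}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported password record format: {algorithm}")
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def record_reveals_password(record: str, password: str) -> bool:
    """Sanity check: a correctly stored record never contains the password."""
    return password in record


if __name__ == "__main__":
    # Constructed sample input for the demonstration.
    secret = "correct horse battery staple"
    stored = make_password_record(secret)
    print("stored record:", stored)
    print("correct password accepted:", verify_password(stored, secret))
    print("wrong password rejected:", not verify_password(stored, "hunter2"))
    print("record exposes password:", record_reveals_password(stored, secret))
```

The point of the salt and the high iteration count is that even someone who can read the stored records (an employee with database access, or an attacker who dumps the table) still has to brute-force each password individually; with plain text storage there is nothing to brute-force.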
First, we do not understand why Facebook took so long to come clean about this incident, and we look forward to hearing what European data protection regulators have to say about it, since the General Data Protection Regulation (GDPR) imposes both data security and data breach notification requirements.
Second, we believe this latest scandal illustrates that, in the absence of comprehensive privacy legislation with specific data security and data breach notification requirements, Facebook’s response is all that American consumers can expect from companies: corporate reassurance that nothing went wrong, and a promise to do better in the future. Obviously, we think Americans deserve more, and Congress should act.
Why we need security and data breach notification
Since the infamous Equifax data breach scandal, the Federal Trade Commission has opened an investigation, and members of Congress have introduced several bills proposing federal data security and breach notification regimes.
As we wrote before, one of the issues up for debate on Capitol Hill is the trigger for notification: whether entities that hold our personal information must tell us when they suffer a data breach, or when our data are exposed or accessed without authorization, under what is called a harm standard or under an occurrence standard. The harm standard, which industry favors, requires an entity to disclose a breach, unauthorized access, or exposure only when there is good reason to believe that it has resulted in, or will result in, legally cognizable harm (think financial loss or physical injury). By contrast, the occurrence standard requires entities to disclose a breach, unauthorized access, or exposure whenever it occurs.
The occurrence standard is the more consumer-friendly standard, because it permits consumers to take measures to prevent harm from the breach, exposure, or unauthorized access. Furthermore, it accounts for harms that may not be legally cognizable, but that are no less real – such as embarrassment, re-endangering a domestic violence victim, or Cambridge Analytica-style “psychographics.”
In contrast, codifying the harm standard would let the entity that has already failed to protect private information decide, in its sole discretion, whether consumers have been or will be harmed, and thus whether consumers should be told at all, at the very moment it has every financial incentive to keep the breach, exposure, or unauthorized access quiet. The Facebook password case illustrates the problem with this proposition. It is likely that Facebook concluded there was no evidence that consumers had been or would be harmed, and so declined to tell the millions of users whose credentials were implicated about the exposure.
Our personal information is just that – personal. We should know when that information is breached, accessed, exposed, or left vulnerable so that we can take measures – and make product choices – to protect ourselves. Because history has shown that we cannot count on companies to do the right thing on their own, it is imperative that Congress require them to do so by mandating a baseline of security practices for the handling of personal data and by codifying the occurrence standard in any comprehensive privacy law.
Simply put: a comprehensive privacy law without security and data breach notification requirements is not good enough for the data economy, and not what Americans deserve.
Tell Congress to pass comprehensive privacy reform legislation at publicknowledge.org/DataProtection.