Facebook and other large media-focused service providers have for too long been overly cavalier with customers' data, in particular with their personally identifiable information (PII). The attention being focused on this event shows they are no longer too large to be unaccountable. Indeed, with the advent of the new EU General Data Protection Regulation (GDPR) on 25th May 2018, they will be fair game for being pursued by the regulator. It is high time they took a more proactive approach to making serious attempts to safeguard data subjects' PII.
Events in recent years such as the mass loss of PII from Yahoo in 2013-14 (3 billion user accounts), Adult Friend Finder in 2016 (412 million user accounts), eBay in 2014 (145 million user accounts), Equifax in 2017 (143 million user accounts), and Heartland Payment Systems in 2008 (134 million credit card records exposed) give a brief idea of the scale of the problem. With the global jurisdiction of the GDPR, even these large US giants will not be immune to being pursued by the regulator.
There are really three initial areas of concern to contend with. First, there are the technology companies, such as Facebook, who have traditionally had a cavalier approach to the personally identifiable information (PII) of users of their systems. These organisations have frequently taken a poor attitude towards the security and privacy of their users' PII, and Facebook are certainly far from alone in this regard: there are very few large corporates who do not subscribe to this corporate mindset. A part of this problem also arises through poor transparency about exactly which PII is being shared by default.
Second, we have to consider the all too frequent naivety of many users of these services, even highly intelligent users who should know better, who have themselves traditionally been cavalier about their own PII. This attitude extends to poor attention to the use of strong passwords and a lack of concern as to which data they are making public. This is often not helped by the complex default settings they subscribe to when they sign up for these systems. The fact that many of these large corporates deliberately make frequent policy changes that alter the privacy mechanisms certainly plays a large part in confusing users as to what they have agreed to.
Third, there is the manner in which many of these large corporates have simply helped themselves to this PII without any recourse to their users, or any proper attempt to elicit approval from them. This is certainly one of the better elements of the GDPR, which insists that explicit permission must now be obtained from every user of their services before their PII is divulged, rather than permission by default, by omission, or by simply helping themselves to all the PII without any direct permission, as was the case with the recent Facebook data problem.
Such practices by large corporates demonstrate a high level of contempt for their users and their users' PII. One might argue that this behaviour is also immoral and unethical, but after the GDPR comes into force, such behaviour will become criminal, albeit initially at a corporate level. This will at least mean that an improved level of corporate accountability should start to evolve. The GDPR will provide some good protection for the PII of users, and in the case of the UK, Prime Minister May has indicated that after Brexit, not only will the UK continue to adopt the provisions of the GDPR, but it plans to add additional safeguards for the better protection of individual users.
Looking back at past mass data breaches that have arisen throughout the developed world, it is clear that there has been little evidence of corporate responsibility in these organisations. Nor has there been much action taken by regulators or legislators to hold these corporate giants to account. Perhaps we are now starting to see a long overdue sea change in attitudes, for the greater good of all society.
Dr Robert Duncan is a senior lecturer in Accounting and Finance at the University of Aberdeen Business School and is co-Chair for the Enterprise Security Workshop at the IEEE/ACM International Conference on Utility and Cloud Computing, as well as being a member of the Advisory Committee for the CLOUD COMPUTING series.