By: Albie Swartz, Senior Manager, IT Risk Advisory & Security

Facebook vs. Cambridge Analytica – Who’s To Blame?

In this blog post, we’ll explore the events still unfolding in this debacle, why businesses have cause for concern about privacy and security, and what your business can do to protect its assets and people. Risk management has never been more important as the cyber world continuously poses new challenges, even causing immense financial damages to companies and consumers alike.

What happened?

  • By now many people are aware that a popular Facebook app created by Cambridge Analytica collected personal data on over 50 million Facebook users. That personal data was then shared with third parties, ultimately being used for profiling and targeting during the 2016 presidential campaign. Contrary to some claims, this was not a situation where a security incident led to a data breach. In other words, nobody hacked into a database and clandestinely retrieved user records. Facebook users provided data about themselves and friends through an app.
  • The open question is: was any of this illegal? If it was illegal, then technically it is a breach, although it’s more of a breach of contract involving data than what we see in the mainstream media being labeled a “data breach” or “hack”. The terms “data leak” and “improper disclosure” may be more appropriate.
  • There are at least three possibilities: users of the app were fooled by the terms and conditions, users didn’t read the terms and conditions, or the app owner (Cambridge) is in violation of formal agreements. First, it’s possible that the app’s terms either implied academic use or were ambiguous, yet still obtained permission to share user data. A second possibility is that the terms and conditions stated data would be used at Cambridge’s discretion, in which case, despite upsetting users, sharing could be legal. And finally, it’s possible that Cambridge did actually violate terms or agreements by sharing the data.
  • The one thing that you should take away from yet another incident involving unwanted data disclosure: never, ever, EVER share your data (i.e. information about yourself) unless you have confidence that the receiving party will treat it using the golden rule of personal data – treating your data as you would want it to be treated. It’s unfortunate that we live in a time where proper care of data seems to be an exception rather than the norm.

What are Facebook’s policies and practices around data collection and use?

  • It’s fairly well-known that Facebook harvests user data to sell targeted ads. It also takes ownership of data. When you post a picture on Facebook it becomes property of Facebook, according to their policy. So what about data sharing? Facebook’s data policy indicates that it will only share non-personally identifiable information for advertising, measurement or analytics. Their policy also states that by downloading third-party apps and services you grant them access to your public profile, and “any information that you share with them.” Facebook policy states, “Information collected by these apps, websites or integrated services is subject to their own terms and policies.”
  • Despite claims by Facebook that protecting information is of the highest priority, it is selling user data all the time. How can it ensure that all third-party recipients of collected data follow contractual obligations? I’d argue that it cannot. Moreover, what assurance is there that third parties have instituted ample protections? There is a grey area in terms of legality regarding data security as it relates to privacy, which means contractual obligations primarily motivate securing private data rather than punitive legal action specifically for privacy events around improper disclosure.
  • What many people may not realize is that, oftentimes, user data gathered by companies, platforms, and third-party apps has almost certainly been shared without users being fully aware. It just so happens that in the case of Cambridge Analytica a prior employee blew the whistle.
  • Facebook has recently been under fire over offering a deceptive VPN service that reportedly captures and analyzes all user data rather than providing anonymity of data, traffic, and location. You can read more about it in an upcoming blog from Clearview.

Did Cambridge or Facebook break the law?

  • At this point, the legality of action by either party has yet to be determined, and the debate will probably go on for several months. Facebook is pointing its finger at Cambridge, essentially stating that Cambridge was within its bounds during the data gathering process, but by sharing that data Cambridge violated Facebook’s terms of use. Facebook claims it may take action to punish Cambridge, but it’s based mostly on contractual obligations. Facebook is also seeking the destruction of the data.
  • Cambridge claims innocence and will cooperate with any investigations. At present, comments from the app developer indicate that the original terms of use described an academic purpose for collected data, but those terms were subsequently changed, which may amount to the misrepresentation of data use. Cambridge has said that only data collected after this change was shared.
  • The FTC reportedly will investigate if Facebook violated a consent decree from 2011 that arose from the company making privacy changes without informing users. Facebook denies violating it.
  • In the UK at least one investigation by the government is already underway to ascertain the legality of data acquisition and use. Facebook’s Mark Zuckerberg could very well be summoned by Congress.

What are the legal and privacy implications relative to business risk?

  • Contractual: Oftentimes, service agreements include security and privacy requirements. Financial penalties may or may not be explicit, but if a client suffers financially from a security event or data breach that was caused by a misstep on the part of your business, you should expect some form of reaction towards your business as clients wish to recoup losses.
  • General Data Protection Regulation (GDPR): If this had happened with GDPR in full effect, Facebook and Cambridge would be in even hotter water. Financial penalties stipulated by GDPR, in this case, could be astronomical. While bearable for a behemoth like Facebook, most companies would suffer greatly from impacted revenue and profit.
  • More on GDPR: Companies in the United States that operate within the EU and possess data on EU citizens have a challenge in handling the new rights of data subjects as described by GDPR. Data subjects must be clearly informed about data collection and use. Subjects also can request to have their data destroyed, and data collectors must comply. Data subjects must be informed about their data being shared, including with whom. Some rather bold language in the GDPR also implies that companies operating outside of the EU who offer services or goods to EU citizens, or even companies that observe their behavior by capturing it in the form of data, are included in the scope of GDPR.
  • United States: US privacy laws are scattered and provincial. States such as California and Massachusetts have passed laws around protecting personal data. It remains to be seen how they apply here, if at all. However, we may soon see a day where legislation similar to GDPR is passed, whether at the federal or state levels, so companies would do well to start preparing for that day.

How’s the outlook for consumers and businesses?

  • Not great. Suffice it to say, companies are not only gathering data but selling, buying, trading and losing it, too. Data is becoming a new lifeblood to business. Information is power, and now that information can be easily shared with anyone in the world with a few clicks of a button, the stakes are even higher to protect it. Personal or corporate data could fall into the hands of someone on the other side of the world without you ever knowing about it.

How does this compare with Equifax?

  • It’s roughly 25-35% the number of records shared, containing Personally Identifiable Information (PII) that was supposed to be protected. It also contained what is being described as “psychographic” data, which sounds sensitive, though more investigation is needed.

What are the key takeaways for your business?

  • Unfortunately, if you are an individual, your options are limited. If you are a business, you must exercise extreme diligence when it comes to internal, third party, and fourth party risk. You have to protect your computing environment, data, and in turn your employees and clients. A breach of contract, failure to comply with regulations, and even an incident where your employees are impacted can be devastating to your business. With wave after wave of cyber threats causing data breaches and service outages all too often, and new regulation such as GDPR doling out financial penalties, you need a trusted partner who understands the complexity of the cyber world and can help you navigate charted and uncharted waters. Look no further than Clearview to be your guide.

How can Clearview help?

  • Technology is a boon for society yet it presents major challenges. Whereas historically operational and HR risks may have presented the greatest potential damage to your business and its reputation, now more vectors require attention and protection. Businesses must establish key programs to protect themselves. Cybersecurity, third and fourth party risk management, and governance around data, processes, and people are critical areas needing improvement. A company’s Enterprise Risk Management practice must now encompass a broader set of domain areas in order to be effective.
  • Clearview uses cutting-edge technology to augment traditional assessments of programs, processes, and infrastructure. We build for our clients a profile of inherent cyber risks as well as risks associated with suppliers and partners, including fourth parties, identifying data flows and ensuring data governance. Clearview can help ensure you know exactly where your data is, who has access to it, and if it crosses boundaries that you don’t want it to. Once you are aware of your risk profile, you can take steps to protect yourself and properly manage your risk by establishing programs and processes, implementing technical solutions, and providing training to employees. While some needs are common, each business will have its own unique situation requiring custom-tailored objectives, solutions, and controls. No matter your current state or desired goals, Clearview will steer you in the direction that’s best for your business.

__________________________________________________________________________________________________________________________________

How to protect your business 

Are you now wondering where to go from here? No need to fret; Clearview has you covered. By having a short conversation with you, and answering your questions, we are able to address all the points below and design a custom approach to ensure you are managing every risk.

  • Social Media
    • Policy – companies should have a social media policy that sets restrictions on social media use. You don’t want employees sharing confidential company data or poorly representing the company on social media.
    • Technical controls – to limit the actions of employees. For example, viewing Facebook, LinkedIn, and Instagram on the corporate network may be allowed, while posting/adding content is forcibly prohibited. We can help implement solutions that would block everyone but marketing from posting approved content to Facebook to reduce the chances of unwanted events.
  • Data Governance
    • Determining the who, what, when, where, why and how around data can be challenging, yet it’s the foundation upon which all other controls and processes around data must be built. Having a data governance committee, assigning data owners, and creating data security and data classification policies are the starting point.
  • Endpoint Security
    • Implementing an Enterprise Mobility Management strategy that includes BYOD is critical.
    • Installing an anti-virus engine and pushing out some technical controls from Group Policy no longer provides adequate protection. New solutions can provide far greater protection while integrating with network defense technologies, providing complete coverage of traffic whether devices are on-premises or at the local coffee shop.
  • Cybersecurity Controls and Testing
    • Vulnerability management and secure coding practices go a long way to eliminating a vast amount of cyber risk to your business. However, activities such as penetration testing, network and systems auditing, access reviews, and assessing existing third-party tools and solutions are needed to tie up loose ends that can lead to security incidents.
  • Data Loss Prevention (DLP)
    • Companies need to start taking seriously the need for DLP technology. Policy and training can go a long way, but without detective and preventative controls working together, the risk of losing your data may still be too high. A good place to begin is blocking file-sharing services such as Dropbox, Box.com and similar services hosted by Apple and Google if they are not approved. Yet again, without a full risk analysis, a business may be unaware that it is exposed to greater risk. Clearview can help you identify and implement the technology that is right for you.
  • Configuration Management and Change Management
    • Two very important processes, configuration management and change management, reduce cyber risk and operational risk by ensuring that all changes are tested, approved, and authorized.
  • Asset Inventory
    • Identifying all assets as well as the criticality and risks for each asset is at the top of the list for effective cyber risk management.
  • Privileged Access Management 
    • Controlling and monitoring access to sensitive system and application functions can no longer be left to chance. Separation of duties and an auditable trail of access events are necessary.
  • Monitoring, Alerting, and Response 
    • Implementing central logging, monitoring, alerting and an accompanying Incident Response Process is key to detecting and responding to incidents. IT should coordinate with legal, privacy and compliance functions to identify internal and external channels of communication and a playbook for response.

 

Don’t be blindsided like companies in the past. Reach out to Albie Swartz at aswartz@cviewllc.com or call 410-415-9700 and ask to speak with someone on the IT Risk Advisory team.

 


 
