Latest Facebook Breach Reinforces Need for Strong Data Protection, Breach Notification Laws

September 28, 2018

WASHINGTON, D.C. — Facebook today announced that a security breach has compromised the data of an estimated 50 million user accounts. The company is in the early stages of investigating the breach to determine additional details.

Consumers Union, the advocacy division of Consumer Reports, pointed to this breach — the most recent in a string of notable breaches — as yet another example of the need for consumer-first data security protection and expanded data breach notification legislation. Consumers Union also called upon Facebook to commit to stop misusing information that consumers provide for security purposes.

“Facebook appears to have moved quickly to alert the public about this security vulnerability. Now they need to conduct a thorough analysis in order to notify specific consumers if there is evidence their accounts were accessed or misused,” said Justin Brookman, Director of Consumer Privacy and Technology Policy for Consumers Union. “Yet again, we’re faced with a situation where millions of consumers’ personal information has been hacked. In the wake of each one of these breaches — Equifax, Cambridge Analytica, Target and numerous others — we hear promises to better protect consumer data, with little follow through. Existing consumer protection law provides few clear obligations for companies to safeguard sensitive data. And most state notification laws don’t cover social media accounts, so companies don’t have an obligation to tell you when your data has been exposed. Consumers deserve comprehensive data security and data breach notification laws that make protecting their personal information the top priority.”

Consumers Union also pointed to a Gizmodo article earlier this week that revealed that Facebook is using phone numbers that users provide for two-factor authentication for ad targeting purposes.

“Facebook is abusing user trust by targeting ads based on data provided solely to authenticate logins,” added Brookman. “This misuse deters Facebook users from taking advantage of important security features, which makes the ecosystem less safe for everyone. Facebook needs to publicly commit to stop this practice, and to limit its use of phone numbers provided for two-factor authentication to that narrow purpose.”