Facebook has been hit this week with another massive data breach which has rocked both its share price and its reputation. The hack saw sophisticated attackers combine three bugs in Facebook's profile, privacy and video uploading features to steal the access tokens of 50 million users. These access tokens could allow the attackers to take over user accounts and act as them on Facebook, Instagram, Oculus and other sites that rely on Facebook's login system.
Facebook has a European HQ based in Dublin that brings into play the new EU GDPR rules around data protection. It is thought that less than 10% of the 50 million users compromised in the latest breach live in the EU. But Facebook still could be liable for up to $1.63 billion in fines, or 4% of its $40.7 billion in annual global revenue for the prior financial year, if the EU determines it didn't do enough to protect the security of its users.
Facebook alerted regulators and the public to the breach last Friday morning after discovering it the previous Tuesday afternoon. That is important because it came under the 72-hour deadline for announcing hacks that can trigger an additional fine of up to 2% of a company's global revenue if not met.
This latest mega breach highlights once again the vital importance for companies of any size to have not only adequate cyber security protection in place for its customers and staff, but also a robust and immediate procedure for notifying stakeholders of a breach once it has been confirmed.
That is why here at Crises Control we have developed our own Compliance Reporting Solution to notify, confirm and record your compliance event to avoid regulatory compliance issues just like massive potential GDPR fine that Facebook is facing. Facebook could have been looking at a fine of up to $3.2 billion, rather than $1.6 billion, if it had failed to meet the 72-hour notification deadline.
The Crises Control Compliance Reporting Solution will ensure that you can notify your response team, customers, investors, insurers, suppliers and the regulators of a data protection, or health and safety incident, quickly and reliably. And it will require recipients to acknowledge delivery of your message and the accompanying documents.
The platform will use these records to automatically create a detailed audit trail of your actions, messages and documents and who has received them. This will provide detailed documentation for you to use with regulators in the event of an investigation such as the one that Facebook is now expecting.
If you are not worried about GDPR and data protection breaches then you should be! Our white paper "Keep your business safe from regulatory fines" offers advice on how an incident notification solution can help you to avoid fines and other sanctions from regulators following an information security or health and safety breach. Download the white paper.
Managing Director, Crises Control