Welcome to the SecAware blog

20 Mar 2018

NBlog March 20½ - Facebook assures

Facebook is facing a crisis of confidence on stock markets already jittery about interest rates and over-priced tech stocks, thanks to a privacy breach with overtones of political interference:
"Facebook fell as much as 8.1 percent to $170.06 on Monday in New York, wiping out all of the year's gains so far. That marked the biggest intraday drop since August 2015. Facebook said Friday that the data mining company Cambridge Analytica improperly obtained data on some of its users, and that it had suspended Cambridge while it investigates. Facebook said the company obtained data from 270,000 people who downloaded a purported research app that was described as a personality test. The New York Times and the Guardian reported that Cambridge was able to tap the profiles of more than 50 million Facebook users without their permission. Facebook first learned of the breach more than two years ago but hadn't disclosed it. A British legislator said Facebook had misled officials while Senator Amy Klobuchar of Minnesota said Facebook CEO Mark Zuckerberg should testify before the Senate Judiciary Committee ... Daniel Ives, chief strategy officer and head of technology research for GBH Insights, said this is a crisis for Facebook, and it will have to work hard to reassure users, investors and governments."
[NZ Herald, 20th March 2018, emphasis added] 

Attempting to halt, and ideally reverse, the decline in third parties' trust in an organization following a major incident is tough and expensive. Can anyone believe its claims and assurances in future? Will they inspire the same level of confidence that they might once have done? What additional hoops will it be expected to jump through in future to reassure others? Will it ever rebuild its credibility and reputation, or is this incident going to haunt it in perpetuity? A lot depends on how the incident is handled.

Facebook and its management will, I guess, spend large to scrape through the crisis with the usual flurry of denials, excuses, explanations/justifications and apologies. Lawyers will profit. Heads may roll, and the suspended relationship with Cambridge Analytica will be 'strained', perhaps to breaking point.

But what of the ongoing relationship with "users, investors and governments"? I wonder if Facebook had a strategy in place to 'reassure' them following a privacy breach or some other major incident? Does it have a business continuity plan for this eventuality? We will see how it plays out over the next few days and weeks, perhaps months given the political and regulatory ramifications.

I'm looking forward to finding out, in due course, whether the controls imposed by GDPR would have helped avoid or mitigate this incident. It's an obvious line of inquiry. The first hints have already emerged with claims that it wasn't a theft of personal information since users gave their permission to share it - but was that a fully-informed free choice, or were they hoodwinked and pressured into it? 

Meanwhile I'm contemplating the lessons to be learned, and wondering if we might use this incident as well as, or instead of, dieselgate as a case study for April's assurance module.
