If you take into account the many times Facebook officials have publicly apologized for too aggressively monetizing Facebook users’ sensitive data – only to launch still more invasive tricks, Mark Zuckerberg’s recent mea culpa before Congress feels like déjà vu all over again.
It remains to be seen what, if anything, our dysfunctional Congress can muster to break the now entrenched pattern of consumer privacy abuse highlighted by the Cambridge Analytica news, but that is by no means limited to Facebook. That said, it does seem like something very different is in the wind this time around–a scenario at once complicated and plausible. The Cambridge Analytics scandal was for sure the catalyst, and Facebook’s core business model could be irreparably harmed, but what happens next may be a boon for information privacy and data security across the board.
I’m referring to the interplay between rising cloud computing security concerns and the steady advance of compliance requirements for the handling of business data. I know it sounds like a granular topic for such a sweeping statement, but strong rules well written and closely observed really are the answer we’ve all be waiting for.
Colliding exposures
Businesses are embracing cloud computing services at an accelerated pace–and for good reason. By tapping hosted services, enterprises of all size, configuration and in all verticals are finding new, dynamic ways to engage with employees, suppliers, partners and customers.
However, as companies race to mix and match cloud-services delivered by the likes of Amazon Web Services, Microsoft Azure and Google Cloud, unforeseen gaps in classic network security systems are turning up. At the very same time, enterprising cyber criminals are poised to take advantage, pouncing on emergent cloud computing security flaws, something that has received a lot of attention from the cybersecurity community.
Less understood, however, is a more abstract issue that presents a similar risk profile: data security non-compliance. In the rush to move to the cloud, companies sometimes violate the matrix of industry standards and government regulations that touch on data handling and data privacy.
While the cost savings and agility gains achieved by using cloud services are a no-brainer for companies of all stripe, it has become much more difficult to setup security and compliance controls. And because cloud services are developed and deployed so quickly, simple misconfiguration errors can open up security gaps that hackers have been thus far quick to ferret out and exploit (just ask Uber or Tesla).
Compliance exposures
There are plenty of data handling standards and rules to trip over. Misconfigurations and lack of security controls can lay bare security vulnerabilities and trigger compliance violations. It’s a serious problem.
The Payment Card Industry Data Security Standard (PCI DSS,) for instance, imposes detailed requirements for tagging and encrypting transaction logs for any businesses conducting payment card transactions; the Health Insurance Portability and Accountability Act (HIPPA), mandates standardized record handling and strict privacy of medical records; the Sarbanes-Oxley Act sets forth data handling rules for public companies; and the Federal Information Security Management Act (FISMA) requires federal agencies to minimize the risk to data.
Meanwhile, New York state and Colorado are leading a charge by state officials to impose data handling rules on businesses. Next month, Europe will implement its revised General Data Protection Regulation (GDPR), imposing new data breach reporting rules and stronger consumer privacy protections, as well as potentially huge penalties for corporate violators.
Alarm bells
Here’s how the Cambridge Analytics disclosures exacerbate this already unstable information weather: use of Facebook in workplace settings exposes companies not just to phishing attacks and malware, but increasingly to compliance violations via Facebook’s lax attitude toward the data eco-system that “The Social Network” allows third parties to mine–all this at a time when data handling regulation is on the rise.
Some fifty-five percent of the 350 IT professions recently surveyed by network security vendor Barracuda said they trust Facebook less after the revelation. Meanwhile, twelve percent said they had deleted their corporate Facebook account since the news broke, and twenty-nine percent had beefed up policies on security and sharing settings.
Among respondents whose companies permit Facebook usage via the corporate network, eight percent said they were taking steps to blacklist Facebook, while seven percent said they would implement stricter controls on who had access to Facebook.
What’s more, another recent poll by the Digital Citizens Alliance shows rising distrust of Facebook in general. Thirty-nine percent of respondents agreed that Facebook irresponsibly puts profits ahead of doing the right thing; fifty-four percent said Facebook has had a negative influence on political discourse; and sixty-one percent believe Facebook has damaged American politics and enabled manipulation and falsehoods that polarize people.
So, will Congress let Mr. Zuckerberg get away with a slap on the wrist? Probably. Will the corporate sector, motivated by rising security and compliance issues, joined by private citizens aghast at how Facebook has been fostering political manipulation mete out more immediate sanctions, by boycotting the social media giant en masse? Perhaps. My bet is that the latter scenario is keeping him up at night.