It's been a rough couple of weeks for Facebook. The company has lost $80 billion in market value (depending on what day you check the stock price). Its CEO has been repeatedly called on to testify before Congress regarding the company's data privacy practices. The attorneys general for 37 US states have asked the company for more details on how it monitors the way third-party developers handle customer data. The FTC has opened an investigation of the company. Some observers are even asking if this is the beginning of the end for Facebook.
All this bad news follows the revelation in a New York Times report that political analytics consulting firm Cambridge Analytica harvested and exploited the Facebook data of 50 million people without their permission. Cambridge Analytica used the improperly harvested data in its work as a consultant on the US presidential campaigns of Ted Cruz and then Donald Trump in 2016. Several other reports have followed, including one about how Facebook has been scraping call and text message data from Android users for years.
The news has been a wakeup call to many Facebook users. Some have threatened to delete their Facebook accounts, while others are following media-advised privacy audits on their Facebook accounts and downloading their Facebook data.
It's not the kind of experience that any CEO or CIO ever wants. But what's to prevent your company from becoming the next Facebook, or your boss from being the next Zuckerberg, called to testify before Congress about the failure of your company's data privacy policies?
US companies are at a disadvantage, according to Lisa Loftis, principal management consultant for Customer Intelligence at SAS Best Practices. In an interview with InformationWeek, Loftis said that one of the things the EU's GDPR (the General Data Protection Regulation) does is narrow the point of audit down to a single regulatory commission. GDPR is a data privacy regulation that goes into effect in Europe on May 25 and governs data privacy for citizens there.
Meanwhile, US companies are navigating the regulations of 50 states, hundreds of local governments, and the US federal government. Plus, they are subject to GDPR if they have done business with EU citizens. It's a lot for any data governance effort to handle.
Are You Ready? (No.)
While the challenges of the multitude of jurisdictions may be huge, US-based companies, for the most part, are just getting started with any kind of serious effort around data privacy, according to Dimitri Sirota, CEO of data privacy company BigID, who spoke to InformationWeek in an interview. BigID offers an enterprise data management platform. Sirota said that GDPR requires companies to have a full-time data protection officer in place. But US companies don't always have that individual or practice. US CIOs may be viewing what's happening with Facebook over the past few weeks like a deer in headlights.
Sirota said that some US companies have actually created the role of chief data officer, responsible for all aspects of an organization's data, but it's a relatively new role. Some companies may have placed the responsibility for data privacy under the umbrella of the chief information security officer. The lack of consistency on where the work is done demonstrates that we are just at the beginning of tackling this work in US organizations.
"You need to treat your data the same way you treat your financial accounting," Sirota said. "Data is the currency of business. The work will happen in stages over the course of several years. But the journey has begun. What happened with Facebook has been a clarion call."
Sirota said that companies need to do the following three things to get a handle on their data operations:
- Know what data they have,
- Figure out what data belongs to whom, and
- Be able to document how the data is being processed, shared, or exposed.
The time to do this is now, he said. It used to be that a company's data efforts were about hiring an attorney to put together a data privacy statement with language to protect the company. But now, with the events around Facebook, companies are recognizing that there can be a real economic impact to not protecting your customers' data privacy. Loftis agreed.
"Companies can read the writing on the wall," she said. "I think Facebook will be dealing with this for multiple years."
Loftis said that Facebook would need to take several steps to fix some of the damage that has been done. First, the company needs to put a human eye on what it does with data and what its app developers do with Facebook users' data. Next, they need to really understand what data they actually need, and develop transparent policies around that data.
The company also needs to do an immediate audit of what happens around analytics. Are organizations using data to discriminate against certain groups, by targeting housing ads to whites only, as documented in this and other ProPublica stories?
Facebook also needs to take responsibility for what is happening. Even though third-party app providers may be misusing the data, enforcing the rules is Facebook's responsibility, according to Loftis.
"I'm not sure Facebook is making a good faith attempt yet," she said.
Personally, Sirota and Loftis are both Facebook users. They are not deleting their accounts, but Loftis is thinking twice about how she interacts with external sites on Facebook. She's also downloaded her Facebook archive.
"I think there are lots of companies that need to shift their mindsets about data privacy," she said. "I think that many of them are starting to think about that right now."