It isn’t surprising to see Facebook think it doesn’t have an ethical obligation to alert users to its latest data leak, but this time there’s an extra level of disappointment.
The social media giant has been relatively mum on the publication, on a hacking forum earlier this month, of a data set containing the personal information of over 533 million of its users. Facebook released a blog post explaining how the data was scraped prior to a platform update in September 2019 and offering assurance that the vulnerability no longer exists, but that has been the extent of its customer-facing communication thus far.
No notifications on its app. No efforts to e-mail users. Just a blog post wedged in an online newsroom full of promotional posts that leaves to chance whether those affected will know their names, locations, birthdays, e-mail addresses, and phone numbers were potentially made available for free to anyone looking to find them.
Meanwhile, LinkedIn found itself in a similar situation when, days after the Facebook leak, reports surfaced of data scraped from its site being made available on hacking forums. It issued a statement that it promoted prominently in the LinkedIn News section of users’ feeds for multiple days.
Facebook is no stranger to these kinds of ethical dilemmas, but one might have hoped the company’s appointment of its first chief compliance officer earlier this year would change the way it does business.
Henry Moniz got his start in the position in February after a lengthy run as compliance chief at Viacom/ViacomCBS. His role at Facebook was billed as being empowered to enhance the legal and ethical standards of the company, reporting directly to General Counsel Jennifer Newstead and a board committee overseeing audit and risk.
It sounded great on paper—perhaps even too good to be true. The fact Facebook named its first chief compliance officer in 2021 despite going public in 2012 and all the regulatory scrutiny it has faced since is all you need to know about how the company views compliance. A big factor in whether Moniz can succeed in his position will be buy-in from CEO Mark Zuckerberg, and whether that comes to fruition remains to be seen.
What we know now is he isn’t off to the best start. Not only is Facebook’s handling of the leak ripe for ethical criticism, it could also lead the company to pay a fine under the EU’s General Data Protection Regulation (GDPR). The Irish Data Protection Commission announced Wednesday it has launched an inquiry into whether Facebook failed to properly disclose the full extent of the leak and failed to report the breach within the necessary 72-hour timeframe. The GDPR probe is the 10th the company faces in Ireland.
The problems don’t end there: Facebook is also facing a potential “mass action” lawsuit under the GDPR on behalf of users in response to the leak.
Facebook maintains the data made available in the leak is old and the issue behind it resolved. It surely knows better than we do. But if that’s the case, why not make some effort to let users know everything is under control? The way things stand now, it sure doesn’t feel that way.