Unless you’ve been living under a rock for the last week, you will have heard about the Facebook breach. This is where the accounts of at least 50 million people were compromised by evildoers. Another 40 million people may have been at risk too. Facebook became aware of the breach on Tuesday 25th September and took action by Thursday 27th. This action was to log the 90 million users out of Facebook and make them sign in again. They reported the data breach to the Data Protection Commission (DPC) on Friday 28th September.
As you should know by now, the General Data Protection Regulation (GDPR) requires a business to notify the regulatory authority for data protection within 72 hours of becoming aware of the breach, where there is a risk to the rights and freedoms of the affected individuals. They also must notify the affected individuals if there is a high risk to their rights and freedoms and must do so without undue delay.
Facebook notified both on Friday. They put out a public notice about the breach and the DPC were notified, as confirmed by them earlier this week. Here are some tweets from the Data Protection Commission:
The DPC talked very publicly about the Facebook breach, didn’t they?
And this is what I want to address in this post. This Facebook breach was addressed very publicly by the DPC. I believe this is because Facebook is such a huge source of personal data, and because this story has attracted massive worldwide attention. If they hadn’t come out with those tweets, they would have been accused of all sorts of bad practice.
I don’t expect them to be publicly tweeting about a data breach in a small business that accidentally sent a spreadsheet containing customer personal data to an incorrect e-mail recipient. It’s very important you realise this. I don’t want any business owner who becomes aware of a data breach which needs to be reported to decide not to notify the DPC in case they start tweeting about it.
If you become aware of a notifiable breach, please report it. Unless you are a massive source of personal data, I don’t expect the DPC to tweet about it. It will be dealt with reasonably discreetly.
Want to find out more about data breaches?
I did a short (<2 minute) video on 6 examples of a data breach. If you head over to my YouTube channel you can see an entire video series with more discussion about the different examples of data breaches.
In the meantime, let’s be careful out there.