Vendor Privacy Issues at Facebook Again – Organizations Must Be Enhancing Vendor Management
The importance of vendor management at companies was in focus again this week as the media criticized Facebook for records exposed on a cloud server by a Facebook partner. This is only the most recent example of negative publicity from Facebook’s third-party data sharing. From Cambridge Analytica to the sharing of data for native platforms to provide an integrated experience to Facebook users, the company has been under fire for the last year as a result of its data sharing.
What happened in this latest example? A cybersecurity company reported that millions of records of Facebook users were publicly accessible online on an Amazon cloud server. The information did not include financial information, Social Security numbers or Facebook passwords. Nevertheless, the media reports reiterated both the amount of data the social network is collecting and that the third-party companies it shares data with may not always be the best at adequately securing that data.
Third-party data sharing has been a key area of concern in privacy over the last year after being kicked off by the Cambridge Analytica scandal. It will likely be an area of increased attention over the next year too as companies prepare for compliance with the California Consumer Privacy Act (CCPA) and possibly the Washington Privacy Act.
The CCPA requires that companies disclose the business purposes for their collection of personal information as well as the categories of third parties to which they sell personal information. Where a transfer of personal information to a service provider falls within the broad definition of a sale of personal information, the company will have to have a contract in place with that service provider limiting its usage of the data, in order to avoid limitations on the company's ability to share data with those providers. After an individual exercises their right to opt out of the sale of personal information, any transfers of personal information that would otherwise fall within the definition of a “sale” must qualify for the service provider exemption.
In addition to the disclosure and consent requirements of the CCPA, organizations that want to take their privacy practices to the next level (and beyond mere compliance) will need to establish a sufficient program of vendor management to ensure not only that they have put the right legal requirements in place, but also that those limitations are actually followed by the third parties. This can be difficult to do at both large and small organizations.
Concerns about this area are growing. A 2018 study by the International Association of Privacy Professionals (IAPP) which reviewed Item 1A in 10-K filings of 150 publicly traded companies found that concern over information loss or misuse by third parties (including vendors) increased 17% over the 2017 study.
Facebook told the media that it was investigating the case and that storing information from Facebook in an insecure location was prohibited by its policies. The media company that stored the information said in a statement that the information about likes, comments, and reactions was neither sensitive nor private data, so it did not put its users’ privacy and security at risk. Although the media company may have understated the privacy and security concerns in its public statement, since the report indicates some app passwords were found, the response also highlights how views of what counts as a privacy concern are still evolving.
The news broke well before Friday’s confirmation by Bloomberg Law that Facebook “may know by this summer whether it could face billions of dollars in fines stemming from potential violations” of the General Data Protection Regulation (GDPR). The Irish Data Protection Commissioner expects a report in the next two months from investigators before they will decide how to proceed in the potential case. Earlier this year, around the time that Ireland’s Data Protection Commission released its Annual Report, the head of Ireland’s DPA told Reuters that the first investigation would be completed by this summer and the remainder by the end of the year. In the Annual Report, the Irish DPA highlighted multiple investigations of Facebook and its subsidiaries for various privacy concerns.
The UK Information Commissioner’s Office (ICO) has already announced that it would fine Facebook the maximum amount for violations of its data protection law for Cambridge Analytica, which happened before GDPR fines went into effect. Facebook also may face fines from the US Federal Trade Commission (FTC), which could result in a total settlement in the billions of dollars for a violation of the 20-year consent decree it entered into several years ago. There have also been reports that subpoenas have been issued by a grand jury with respect to data sharing by Facebook with telecommunications companies, following its statements that it had halted its substantial data sharing with third parties.
Facebook has garnered substantial attention for its privacy practices from the media, government and consumers over the last year. However, it is unlikely that the negative consequences of third-party data sharing will be limited to Facebook. Third-party vendors have been a major source of data breaches at large companies for some time. With privacy breaches coming into focus, there is every reason to believe that the trend of problems at vendors as a result of data sharing will continue.
More Resources:
Check out the materials Clarip has gathered on the CCPA and contact us to see a demo of the Clarip privacy management platform used by Fortune 500 clients.