Companies are “highly unlikely” to be hit with a full GDPR fine for software bugs that are exploited by hackers, says data protection expert Tom Martin.
Last week’s Facebook breach, which saw 50 million accounts compromised via a flaw in the ‘View As’ tool, is currently being investigated by data regulators in what will be the first big test under Europe’s revamped data protection laws.
Many are reporting that Facebook faces the prospect of a full GDPR fine from EU regulators of $1.6bn, which is 4% of the social network’s global annual turnover.
However, Martin believes that Facebook is unlikely to be hit with a multi-billion dollar fine.
“The recent [Facebook] breach was a proper hack – people gaining unauthorised access to personal data via a bug in some code,” the co-founder of Dosadi Ventures, an agency specialising in Facebook marketing, told Verdict.
“I think it’s highly unlikely the authorities will ever try and impose really large fines for things like this, simply because it’s impossible to have bug-free code and this could happen to any organisation.”
Avoiding a full GDPR fine: Protection by design and default
The UK’s data privacy regulators, the Information Commissioner’s Office (ICO) stipulates that companies should have “data protection by design and default”.
This means that organisations are legally required to ensure that data security is woven into the design of the software and not as an afterthought.
“I actually think Facebook is a pretty good example of security by design,” said Martin.
“Considering that their entire platform is designed to store and share personal data, they’ve actually had very few security issues.
By contrast, Martin says that credit rating agency Equifax, which was recently fined £500,000 for failing to protect the personal data of up to 146 million global customers from a cyberattack, was not secure by design.
“They just left personal data sitting basically unprotected on a web server,” said Martin. “Those are the types of companies that I think will end up getting hit with the really big fines when something goes wrong.”
It is still unclear how much data – if any – was stolen by the hackers. Last week, Facebook forced up to 90 million users change their passwords as a precaution and says the bug has been fixed.
The social network also said that there is “no evidence” that hackers used stolen keys to access third-party apps linked to Facebook accounts, such as Instagram and Spotify.