by Ahmore Burger-Smidt, Head of Data Privacy Practice

“Little pigs! Little pigs! Let me in! Let me in!”

“No! No! No! Not by the hairs on our chinny chin chin!”

“Then I’ll huff and I’ll puff and I’ll blow your house down.”

In The Three Little Pigs, the conflict centres around the fact that the big bad wolf wants to get inside the pigs’ homes to eat them. Facebook faces a “wolf” that is doing his best to get it to allow him access to its users’ information and this persistence, may very well blow the Facebook house down.

Facebook, already facing scrutiny over how it handled personal information of its users, just during the Cambridge Analytica saga earlier this year, disclosed that a further attack on its computer network had exposed the personal information of millions of users.

This breach is reportedly the largest in the company’s 14 year history.

The attackers exploited a feature in Facebook’s code to gain access to user accounts and potentially take control of them. The attackers allegedly exploited two bugs in the site’s “View As” feature, which allows users to check what information other people can see about them. Ironically, this feature was built to give users more control over their privacy. The hackers allegedly also attempted to harvest users’ personal information, such as their names, sex and hometown from Facebook’s systems.

Facebook’s European subsidiary is headquartered in Ireland and the Irish Data Protection Commission is the data watchdog that regulates Facebook. The Facebook data breach will be the first major test of Europe’s tough data protection laws, the General Data Protection Regulation (“GDPR“).^[1] The GDPR regulates how companies handle the data of European citizens and governs how that information is stored and used.

The GDPR to a large extent, deals with data breaches as well as the penalties for companies who fail to notify regulators about a data breach within 72 hours of it occurring. Firms can also be fined if it is found that they do not have adequate measures in place to prevent a data breach or have acted contrary to any of the principles of processing information as set out in GDPR.

If it is found that Facebook breached the GDPR, the maximum fine that Facebook could potentially face is 4% of its annual global turnover. It is estimated that the social network’s 2017 revenue is over $40.65 billion and the potential fine could amount to approximately $1.63 billion.

The primary moral lesson that Facebook can learn from “The Three Little Pigs” is that hard work and dedication pay off. While the first two pigs built their houses quickly and spent their free time playing, the third pig laboured in the construction of his house of bricks – data security in terms of POPIA^[2] and a data breach plan cannot be ignored!

Facebook has been reshuffling its security teams since its chief security officer left its employ in August. Instead of acting as a stand-alone group, security team members have been working closely with product teams across the company. This move, the company said, is an effort to embed security across every step of Facebook’s product development.

Still, the recently discovered breach is a reminder that it is exceptionally difficult to entirely secure a system that connects with thousands of third-party services and has more than 2.2 billion users globally.

The Three little pigs lived happily ever after.

[1]             General Data Protection Regulations (EU) 2016/679.

[2]             Act 4 of 2013.