Facebook’s breach is news, but Congress’ lack of action on data security is the bigger story

Last week, Facebook announced that they suffered a data breach affecting a reported 50 million users. Coming just over a year after an even larger data breach at Equifax, which affected 146 million consumers, we have to ask: Why is Congress continuing to dither on data security legislation that NCL and others have long called for?

Given Facebook’s high profile and the fallout from the earlier Cambridge Analytica scandal, it’s unsurprising that a breach there would generate headlines. At this point, however, there seem to be more unknowns than knowns when it comes to Facebook’s breach. Statements from Facebook officials have acknowledged that the attack began in July 2017. To their credit, executives at Facebook were quick to notify the public after they discovered the breach last week.

Although many, if not most, of the facts about the breach are yet to be released, Facebook has stated that the attackers took advantage of three separate but related vulnerabilities to compromise user “access tokens,” allowing the attackers to take over users’ Facebook profiles.

Many security professionals were concerned that the compromised access tokens might be used to log in to third-party services using the “Login with Facebook” tool that many users are probably familiar with. Fortunately, Facebook recently posted in their newsroom that they have yet to find any evidence that the attackers hacked third-party accounts linked to Facebook log-ins.

In terms of cleanup, Facebook has said that they have fixed the vulnerabilities that attackers utilized and have reset users’ profiles to further secure users’ information. Additionally, Facebook stated that they are establishing tools for developers to manually identify breached accounts and subsequently log them out for security purposes. Despite these steps, some are calling for a regulatory fine. Considering the E.U.’s recent General Data Protection Regulation (GDPR), some are speculating that this will be the first data breach under the new regulation. While Facebook notified the Irish DPC of the breach within 72 hours of finding out, the social media titan has to show that they took appropriate steps to protect user data.

Admittedly, the facts of the Facebook data breach are still coming in; however, one fact is clear: companies like Facebook, Equifax, and countless other businesses profit by collecting consumers’ data on a massive scale. The collection and use of such huge amounts of personal data creates an inescapable risk to consumers that the data will fall into the wrong hands. That is why comprehensive data security legislation is so urgently needed.

Many of the components of an effective data security bill already exist in state laws in places like California and in the European General Data Protection Regulation. These regulations should be viewed as benchmarks for how companies’ data security practices should be regulated. NCL has endorsed legislation like Senator Patrick Leahy’s Consumer Privacy Protection Act. The Leahy bill not only protects broad categories of data, but it also refrains from preempting stronger state laws that already exist.

The Internet became the phenomenal engine for growth and innovation it is because users felt comfortable sharing their information online. Every time a data breach occurs, the basic trust that created that success is eroded. The only question that remains: will Congress wait until there is no trust left to act? Or will our elected leaders only take real action when it’s too late?