Setting a penalty precedent for PII data breaches
According to a recent Bloomberg story, a federal district court in San Francisco denied Facebook’s request to dismiss Echavarria v. Facebook Inc., a case filed against the company for failing to protect the personally identifiable information (PII) of more than 29 million users. The breach behind the suit has been described as Facebook’s worst ever, and the case could set an important precedent for businesses regarding their roles and responsibilities in safeguarding customer data.
Citing a decision in another case, U.S. District Judge William Alsup said, “From a policy standpoint, to hold that Facebook has no duty of care here ‘would create perverse incentives for businesses who profit off the use of consumers’ personal data to turn a blind eye and ignore known security risks.’”
Businesses know they need to do their due diligence to protect user data from cyberattacks, but the scale and sophistication of those attacks have grown dramatically. Some enterprises can’t keep up with monitoring for them and take months, or even years, to realize they have been breached. For example, Dominion National, an insurer and administrator of dental and vision benefits, recently announced that it had identified unauthorized access to its network that may have begun nearly nine years earlier.
From an outsider’s point of view, it’s easy to point the finger at a business for not knowing where the lapses were in its network security or for failing to implement stronger security requirements in the first place, but none of that solves the problem.
In his ruling, Judge Alsup used phrases like “turn a blind eye” and “ignore known security risks” to speak to the high stakes involved in the case and to the data security decisions facing the millions of businesses that handle personal user data. Whether Judge Alsup knows it or not, he’s making a case that every business already knows. The way businesses have traditionally gone about securing their networks, applications, and data is inherently flawed: it’s virtually impossible to protect data with a perimeter-based network security model. All it takes is one compromised system, brought about by a bad link in an email, an infected app, a malicious ad, or any number of other threats, and a business could be dealing with a breach like Facebook’s, or like those of the many other companies whose breaches have made headlines.
Zscaler has been advocating a mobile- and cloud-first security approach since its founding. Security, including threat protection and policy enforcement, should always follow the user rather than being tied to the network. With so many mobile workers, security for those off the network must be identical to on-network security, and it must be convenient and fast so that users aren’t tempted to bypass it. By securely connecting workers to their applications and data regardless of device, location, or network, a business can become more agile while significantly reducing its attack surface.
It’ll be interesting to follow the Facebook case to its verdict. A major decision in favor of protecting users’ PII will send ripples across the enterprise, and every organization will have to come to terms with today’s security risks and take steps to build a more secure enterprise.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Steve House is the senior vice president of product management at Zscaler