Facebook: A Cautionary Tale in Data Protection

Just last week, I noted that the UK's Information Commissioner's Office (ICO) closed its investigation under GDPR (the EU's new data protection law) into Facebook sharing personal data with WhatsApp, which it acquired in 2014 on the understanding that the Facebook and WhatsApp platforms would not share data.

At the time I noted that this was a great example of GDPR's strategic company risk. Sharing customer data is usually one of the primary reasons for M&A; without it, the value of such transactions is often dramatically reduced. I wonder how many CFOs are accounting for GDPR strategic risk in their M&A strategy. Probably not many.

Wow that was quick - It just got much worse for Facebook

I just watched Mark Zuckerberg's mea culpa about the Cambridge Analytica breach on CNN. I believe he's "really sorry"; there's no question his company is in real trouble.

But did Cambridge Analytica's use of Facebook user data constitute a security breach? In this case, hackers didn't compromise either FB or Cambridge Analytica, so one would have to argue that no, it wasn't a security breach.

A new concept (for some): PRIVACY BREACH

In the US, the laws governing privacy are weak to non-existent. We're used to privacy notices being buried; an extensive data brokerage market exists where companies are free to sell your personal data for practically any use, including how much you pay for services, what job interviews you get, what ads you see and so on.

CIO.com: Inside the Shadowy World of Data Brokers

But as Facebook is about to discover, that doesn't mean there isn't legal risk. Lawsuits have already been announced. It's clear Facebook's troubles are just beginning.

For data privacy in the EU, things are quite different. There's no question that Cambridge Analytica's use of Facebook user data is a clear violation of GDPR. Ireland and the UK have both already opened investigations. The fines are likely to be tame since GDPR doesn't go into enforcement until May, but it's a near certainty EU regulators will find other ways to enforce a maximum penalty of 4% of Facebook's $40 Billion (about $1.6 Billion). This pales in comparison to their brand risk, not to mention the risk that other 3rd parties have retained personal data scraped from Facebook and have put (or will put) that information to use.

What's your risk that 3rd parties retained personal data your company gave them?

How many EU citizens are likely to stop using Facebook altogether? To understand this, let's talk about the EU consumer, and the cultural forces driving GDPR.

For many in the EU, data privacy = freedom

It's been explained to me that Europeans have a cultural memory of the Nazi "surveillance state", and this is one of the primary reasons why Europeans take data privacy so seriously (EU friends, I would love your thoughts below on this). GDPR is notable not because of the hefty fines, but because it makes control of personal data an individual right.

The Facebook Cambridge Analytica privacy scandal is sure to strengthen this perception because of the Trump campaign's use of personal data to manipulate voters (Democrats, you're not off the hook either; see this article). This makes GDPR action against US companies likely to be much more aggressive than it otherwise would have been.

What can US companies learn from the Facebook scandal?

While Facebook's situation is extreme compared to most US companies at present, most companies collect significant amounts of sensitive personal data, and with that comes significant responsibility, and risk.

GDPR is a major risk for companies with EU customers (or who otherwise handle EU resident data), but as the Facebook situation clearly demonstrates, it's not just regulatory risk and it's not just in the EU.

On one hand, we need this data to do a better job creating products and experiences customers want. On the other hand, handling such data in a consistent, secure manner company-wide is very difficult, especially when that data lives in many places and with 3rd parties. Companies that engage in M&A activity are especially at risk because their personal data is often fragmented across hundreds (or even thousands) of data silos.

Compliance with GDPR is a good start. If Facebook had automated data governance in place that fully complied with GDPR (including controls for 3rd party access like Cambridge Analytica), their risk would have been much lower. If you'd like to know more about data governance automation for GDPR, look here.
