1

I’m reading the words ”data breach” a lot in the Facebook Cambridge Analytica scandal context (example). But is this a correct way to describe the scandal?

The definition of data breach from the corresponding Wikipedia page is:

A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment.

The definition of ”data breach” in 38 U.S. Code § 5727 (4) is:

The term “data breach” means the loss, theft, or other unauthorized access, other than those incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data.

Two questions about this;

  1. The first question is around the word: (un)intentionally. In the case of Facebook, the data was intentionally shared with third-party developers. Meaning that it would be a data breach following the Wikipedia definition but not following the definition as mentioned in 38 U.S. Code § 5727 (4). Which definition should be followed?
  2. What would be the implications for Facebook if this is or isn’t a data breach?
Bob van Luijt
  • 113
  • 4

3 Answers3

2

In this case, the data was obtained legally through Facebook's terms of service. The developers of the apps were permitted to receive this data.

The terms of service stated that the developers were not allowed to share the data that is collected. The developers shared it with Cambridge Analytica.

The data was obtained legally from the first party, and shared against a terms of service. The terms of service is a contract between the developer and Facebook. It would have to be determined by governments that sharing data obtained in this way is illegal.

Because the data was released from Facebook to an untrusted source who shared the data with Cambridge Analytica, you could consider it a data breach under Wikipedia's definition of "A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment.", as the release of private information was intentional to the first party, and unintentional to the second. Both parties being untrusted environments.

A data breach is generally considered to be an action in which someone uses trickery or illegal means to obtain data. This could be conning employees of a company or hacking into their databases. In regards to the current situation of Facebook, this data was obtained because of extremely loose guidelines of people's personal privacy and data that makes it possible for 3rd, 4th and 5th parties to easily obtain massive amounts of information on people.

Michael d
  • 544
  • 3
  • 10
1

The US Code definition pertains to the Department of Veteran's Affairs: there is no generic legal definition of "data breach" under federal law. The particular rules that the definition relates to making sure that VA computers are secured, and this does not apply to Facebook. Supposing for the sake of discussion that there were some provision that could apply to Facedook, GSR, or CA: "sensitive data" is education, financial transactions, medical history, criminal or employment history and information that can be used to distinguish or trace the individual’s identity, including name, social security number, date and place of birth, mother’s maiden name, or biometric records. I don't know if that kind of info is included in what was acquired.

Let's again assume that such data was taken: then was there "loss, theft, or other unauthorized access"? This law pertains not just to online information, but also printed records: "theft" is not an applicable concept, but unauthorized access might be. The courts have found that violation of terms of service does not render access "unauthorized": unauthorized access has to be something like breaking in to a system. This issue can come up in connection with the Computer Fraud and Abuse Act, which refers to "knowingly access[ing] a computer without authorization or exceeding authorized access". But SCOTUS has not addressed this.

The facts of the case are completely unclear, but Facebook is facing the social and economic consequences already. The main parties (Facebook, Global Science Research, Cambridge Analytica) could sue each other, e.g. GSR might sue CA for some breach of contract. Or, CA could sue GSR (it is rumored that CA did file suit, but I can't substantiate that). Everybody could sue Facebook, GSR and CA. In fact, they did. For example, it is alleged that Facebook was negligent in setting up a platform (etc.... basically a description of Facebook). It is alleged that GSR, CA and various others misled Facebook.

In other words, the term "data breach" is being used jargonistically and has no connection to the legal issues. The lawsuits that are emerging will clarify the factual and legal issues.

user6726
  • 214,947
  • 11
  • 343
  • 576
-1

“unauthorized access” means unauthorised by the user, not the holder of the data.

Dale M
  • 208,266
  • 17
  • 237
  • 460