The latest Facebook data breach—and how organizations can protect sensitive information

With news of yet another major data breach making headlines, Rob Perry, ASG Technologies’ VP of product marketing, reflected on the state of data security.  In the latest high-profile data handling misstep which came to light on April 3, more than 540 million records about Facebook users were publicly exposed on Amazon cloud servers, according to cybersecurity firm UpGuard which said that two third-party Facebook app developers posted the records in plain sight.

Perry reflected on what businesses can learn from Facebook’s mistakes, and how compliance regulations, such as the EU's GDPR, can serve as helpful guidelines when addressing privacy.

“This personal data exposure, like other issues Facebook has experienced, is not from a breach but from a lack of adequate management of how it shared data in the past,” Perry noted.  “GDPR, in particular, has specific rules on how data can be passed from the collecting entity to processing entities and if and how it can move across national borders. Other organizations should heed these rules and learn from Facebook by putting in place clear standards for how they share the data they collect, track who it’s been shared with, and be vigorous setting and enforcing transfer agreements. Doing so effectively may require a thorough investigation of every data transfer over many years. Looking back into legacy systems may be a key part of quantifying the risk— think of it as ‘data privacy debt.’"

While unfortunate, these breaches continue to focus more attention on the importance of data privacy, a positive aspect of the continued leaks, bringing users to take action. There are lessons to be learned by companies of all sizes from this data leakage about how they need to better understand and protect user data, said Perry.

“In many ways, protection is common sense and the golden rule applies—‘protect data you collect as you’d like others to protect your personal data.’” he explained.  “Basically, get permission for use, store only data you have a use for, secure it at the perimeter and with encryption if appropriate, and only share with trusted partners—those contractually bound to provide the same level of security. The GDPR notion of privacy by design—proactively embedding privacy into the design of data use, storage, and sharing processes—is important. Building a framework to document all the ways in which data is used, and being very careful to establish accountability, must be basic disciplines. Regulations around data privacy are becoming pervasive globally and more restrictive so organizations need to establish their policies today and create a data privacy culture.”

In addition, as organizations transition data from on-premise data centers to cloud-based repositories they must do so in a safe, secure way, Perry said.

They need to expand security measures to cover all information, including structured and unstructured data, that is to be moved from on-premise environments to the cloud. In addition, he said, they need to establish that security remains a top concern as they move to cloud solutions. “That said, the first step in successfully transitioning data is to establish why you chose to move it to the cloud. If there isn’t a clear benefit to having information in the cloud, perhaps operating in a hybrid manner—with data spread between premises and cloud—is a preferred option.”

Next, said Perry, organizations must decide what information to move by identifying the information that meets the “why” requirement, and will actually derive benefits from cloud deployment.  After that has been worked out, organizations must plan out how the data will be moved, he said. This means having a secure connection, appropriate use of encryption, and choosing a cloud solution that’s secure. Credible ISVs are developing software through a secured software development lifecycle, designing security into their software, and testing security in development and production to protect data.  A final consideration, said Perry, is where the data will be stored. “Will it be in a country with similar protections in place and with common values around data privacy and personal data?”