
> And what did FB do as due diligence? Very little. When FB discovered the breach, what did they do as a response and to mitigate the effects to the affected users? How did they recover damages and/or enforce specific performance of contract terms to not only remove the data in question but all of the products that resulted in the processing of the data? Again very little.

They revoked Cambridge Analytica's access to Facebook's data, and told Cambridge Analytica to delete the data they had gathered. And Cambridge Analytica again lied to Facebook and told them they had deleted the data. That's the extent of what Facebook could have done. If Kogan broke laws - and he probably did - that's the government's prerogative to charge and prosecute him.

Likening this scenario to banks giving out mortgages that they know debtors cannot pay off is not an effective comparison. This is more like someone securing a loan by falsifying their income. In both cases the customers were harmed. Facebook users' data was used for purposes to which they did not consent, and the bank customers' money was loaned out at excessive risk. But the culprit that is responsible for this is the one that deceived the company, not the company itself. One could reasonably argue that Facebook should have been wise enough to avoid being duped, but that's still much more generous to Facebook than the bulk of the coverage I read that attempted to assign primary blame on Facebook rather than Cambridge Analytica.



Facebook could have sued them into oblivion to demonstrate commitment in enforcing their data protection policies instead of relying on their word to delete the data when they broke their word by misusing the data in the first place.


>That's the extent of what Facebook could have done. If Kogan broke laws - and he probably did - that's the government's prerogative to charge and prosecute him.

No. Facebook is aware of the damage that could have been done. Relying on a party that already breached their terms of use to the data (of FB users) to keep their word is negligence. They should have 1. structured their relationship better so that there is contractual and financial recourse from the third-party and 2. carried out a full investigation into the breach at the time they were notified, not when it was reported by the media.

Also Facebook did in fact breach UK data protection laws and was fined by the ICO for its role in the CA scandal. It was found that their data privacy policies and processes were insufficient. Unfortunately this was before the GDPR and hence the maximum fine that could be imposed was insignificant at £500K.


#1 is speaking from a position of hindsight. As I said, we can claim that Facebook should have been more skeptical of the intentions of university researchers, but this is far from being negligent in their enforcement of their data use policies.

#2 demonstrates persistent misunderstandings of what events transpired. Facebook was not breached in any way. Again, Cambridge Analytica did not hack into Facebook's systems. This was Cambridge Analytica's subsequent misuse of the data that they had collected with Facebook's consent, but under stricter terms than the purposes for which Cambridge Analytica subsequently used the data. Facebook ordered Cambridge Analytica to delete the data.


2. Breaching data privacy laws does not mean there was a data breach or break-in. It just means that your handling of user data is in contravention of the legal requirements.

1. The ICO disagrees with you. Facebook was fined specifically for breaching data privacy laws in the UK.



