Given the scope and extent of this data misuse, it was perhaps not surprising that the public outcry over the Facebook Cambridge Analytica scandal eventually led to Facebook CEO Mark Zuckerberg having to face two days of grilling by top Congressional lawmakers. And that’s where the situation really escalated – instead of simply being a question-and-answer session about Facebook’s data privacy practices, it became a far-reaching discussion about election meddling, social media censorship, ethical standards for tech companies and the need for federal regulation.
While Facebook managed to escape without being subjected to heavy fines or penalties, the public flap over Cambridge Analytica started a much wider discussion about the weaknesses of industry self-regulation, and the need for Washington to get involved. Moreover, it set up the very real prospect that further data abuses by Silicon Valley tech giants might lead to them being fined, penalized or even broken up into smaller pieces where they could much more accurately monitor data abuse violations. At the very least, stock market investors would be keeping a much closer eye on these companies.
Data breaches at the world’s top companies
2018, of course, was not without its share of high-profile data breaches. Despite years of similar incidents affecting top retail giants and government agencies, it seems that many companies still were not taking the requisite steps to beef up their cyber security defenses. As these stories impacting the likes of Quora, Marriott, Under Armour, and Cathay Pacific continued to break throughout the course of the year, one thing became clear: data privacy was still being viewed by the world’s top companies as something that could be grafted onto existing business processes at the end, rather than something that was fundamentally part of those business processes from the very beginning.
Arguably the highest profile data breach of the year impacted Marriott, the global hotel and hospitality chain. Data hackers had accessed records of 500 million people, as a result of a breach of the Starwood Hotels guest reservation system. By breaking into this system, data thieves could see the names, addresses and even passport numbers of guests. This, of course, triggered a public outcry from top legislators. New York Senator Charles Schumer, for example, said that Marriott should cover the costs of new passports to be issued to all U.S. citizens affected.
Another high-profile data breach involved the popular Q&A site Quora. This data breach impacted 100 million people, and involved hackers getting their hands on names, email, passwords, user account settings, and content created by users (including all questions submitted, all answers submitted, and all comments). Some data privacy experts compared the Quora case to the Cambridge Analytica case, because it appeared that the cyber thieves were not after financial information – instead, they were looking for the type of demographic and psychographic information that could be used to develop very detailed personal profiles of users.
The same type of data breach occurred at Under Armour, the huge international sports and fitness brand. This time, the hackers were after the food, nutrition and fitness details of Under Armour users with a MyFitnessPal account. There is now a lawsuit seeking class action status, given the scope and breadth of this data hack.
GDPR changes the discussion around data privacy
Another defining moment for data privacy was the launch of GDPR in May 2018. There had already been a tremendous amount of speculation about the new regulation back in 2017, with some predicting that it would forever change the way the world thinks about data privacy. Some warned that the GDPR might have a chilling impact on business.
While the European GDPR was designed by European regulators with European citizens in mind, its effects reached far beyond Europe. That’s because the regulation was designed to protect the information of EU residents, so it would apply not just to European companies, but also to any company processing the data of those EU residents. And it didn’t matter where the data processing centers were located, or the home HQ location of that company. Thus, if a company like Google or Facebook planned to do business in Europe, it would have to follow the GDPR – or risk significant fines and penalties.