Facebook disclosed a major hack very quickly. But the alert was short on details.
It took just three days for Facebook to notify authorities and the public that hackers had compromised as many as 50 million user accounts on the social media platform. A swift response. But the flip side: Facebook leaders did not have enough information to paint a clear picture of the hack and the risk to its users during the announcement. They didn’t offer details about who the attackers were, or what motivated them. Nor could they say where the affected users were located or how many users of Facebook-linked third-party applications were affected. The scarce information highlights a difficult trade-off companies must now consider as they face pressure from policymakers here and in Europe to disclose significant data breaches sooner. Europe’s new privacy law, the General Data Protection Regulation, imposes massive fines on companies if they don’t notify privacy regulators about a data breach within 72 hours. US lawmakers have proposed a similar 72-hour rule to replace the patchwork of state data breach laws that exist here. By getting the word out early, companies alert users that their information may have fallen into bad hands. But they risk creating confusion by disclosing the breaches before key details are available.