Over the past two years, Facebook, LinkedIn, and Clubhouse have all been the targets of a process called data scraping. Data scraping involves trawling through user profiles to gather information about users, typically phone numbers, email addresses, full names, and social handles, amongst other things. Often, this is performed by AI-driven tools which automate the data scraping process, gathering vast amounts of information in very short periods of time.
The Facebook leak was certainly the largest and possibly the most controversial of the three leaks. In that leak, more than half a billion users had their information revealed. Yet, none of the companies have completed a formal data breach notification. This Weekly Brief will outline why that’s the case, alongside some other information about data breach notification schemes in the US.
When must companies report a data breach notification?
Data breach notification laws in the US vary from state-to-state, but all states; Washington, DC; and most US territories have data breach notification laws in place. This highlights just how complex your data breach notification obligations are, since you need to comply with the relevant laws in each jurisdiction.
Most of these laws require companies to notify affected state residents of any unauthorized access, use, or disclosure of their personal information, including data breaches that expose sensitive categories of information, such as:
- Social Security numbers,
- Credit card or other financial information,
- Health or medical information,
- Insurance IDs,
- Tax IDs,
- Account passwords or other account credentials,
- Digital signatures, or
This is true for California. The state’s regulations require businesses and state agencies to notify any California resident whose unencrypted personal information is acquired or reasonably believed to have been acquired by an unauthorized person. See more about California data breach notification reporting here.
Why have users not been notified about the data scraping incidents at Facebook, LinkedIn, and Clubhouse?
Each company is arguing that the scraped data was available publicly in any event, so there hasn’t been a ‘breach’ to notify users about. In the Clubhouse and LinkedIn leaks, this may be true – the information appears to have been available on the users’ public profiles. The same does not seem to be entirely true in the Facebook leak, which reportedly may have included information users had set to be visible to ‘Only Me’ via their Facebook privacy settings. We haven’t yet seen any legal fallout from the Facebook leak, however, the company is taking the stance that it has not suffered a reportable data breach.
2 key takeaways for businesses about data breach notifications:
Consumers may demand more from you than the regulators.
While data scraping isn’t inherently bad (in fact, it’s essential for search engines to function as they do), it can be when personal information collected through scraping is used by third parties for unrelated purposes or made available on underground criminal forums. Many users don’t anticipate that their phone numbers, email addresses, and other related information might be scraped when they attach those details to a social media account.
If your company is the target of a data scraping incident, it may be worthwhile engaging in proactive PR and disclosing the leak, regardless of your legal obligations (or lack thereof). Public opinion can take a toll on businesses and many consumers have long memories. Letting users know about data scraping incidents also helps them protect themselves against phishing and other social engineering attacks that might utilize the scraped data.
Protect your reputation by collecting data with purpose.
Collecting data without purpose increases your risk of reputational harm following a data breach or leak. You should ensure you know and understand why you are collecting data. Additionally, you should only collect what you need to achieve that purpose. It doesn’t hurt to also remind your users that any information they make publicly available through your site may be read, collected, or used by others.
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.