There are many questions surrounding the actions of Cambridge Analytica and Facebook, including whether this incident is considered a data breach. There has been some debate on this issue. Many news organizations, like The Guardian and Fortune, initially labeled this incident a data breach, while other news organizations have claimed otherwise. Facebook representatives, while admitting some wrongdoing, have been adamant that this incident was not a data breach. The terms used by the news media, and by Facebook employees, are important for how this incident is presented to the public, but it is also important to evaluate this incident and determine whether there was a data breach under applicable law. Facebook has users throughout the United States, and the world, and is therefore subject to data breach notification requirements in each of those jurisdictions. One of those jurisdictions is Illinois, and this post will examine whether Facebook experienced a data breach under Illinois’ data breach notification law.
Overview of the Facebook-Cambridge Analytica Incident
On March 17, various news outlets reported that a data analytics firm had harvested the Facebook data of approximately 87 million people in an effort to profile users and target them with political ads. In 2014, a data researcher created an app that asked users to take a personality test for research purposes. Roughly 270,000 people agreed to have their data collected through the app, but in accordance with Facebook’s terms of service at that time, the app was also able to collect the data of these users’ friends. Although this practice was allowed at that time, Facebook claims the data was misused because the researcher sold that data to Cambridge Analytica despite representing to Facebook that the data would only be used for research. Facebook has since changed its policies to prohibit the type of data mining that was commonly performed by third parties in 2014.
It is important for Facebook, or any organization in a similar position, to determine whether the relevant facts represent a “data breach” under applicable law. In Illinois, the relevant statute is the Personal Information Protection Act (PIPA or the Act). The Act defines certain key terms such as “personal information” and “breach”. A “breach” or “breach of the security of the system data” is defined as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector.” “Personal information” is defined by the Act as either of the following:
- an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security:
  - (A) Social Security number.
  - (B) Driver’s license number or State identification card number.
  - (C) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
  - (D) Medical information.
  - (E) Health insurance information.
  - (F) Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
- a username or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or the password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.
Was There a Data Breach per the Illinois Data Breach Notification Act?
In the Facebook-Cambridge Analytica situation there is no breach under the Act. First, while a large amount of what would commonly be referred to as personal information was collected from Facebook users (age, interests, political affiliation, religious affiliation, physical address, etc.), personal information as defined by the Act was not involved. As demonstrated above, PIPA includes only specific types of information in its definition of personal information, and these are not the types included in Facebook profiles, or collected by Facebook and disclosed through third-party apps. Second, it does not appear there was an unauthorized acquisition of data maintained by the data collector, which is Facebook in this scenario. All of the information that was obtained through Facebook by the data researcher was either explicitly authorized by the users who signed up for the personality quiz app, or implicitly authorized through Facebook’s privacy policy and terms of use at that time. While the data was apparently misused by Cambridge Analytica, there was no unauthorized acquisition of data from Facebook, and therefore no breach under Illinois’ data breach notification law.
A data breach can occur in many forms. The immediate reporting on the Facebook-Cambridge Analytica incident referred to the series of events as a data breach; however, we have seen that, at least under Illinois law, that is not the case. Each situation is different, and each jurisdiction may have a different law to analyze. If you suspect that you have been the victim of a data breach, it is important to analyze your legal obligations to avoid further harm.
If you have any questions regarding data breaches, data breach notification law, or data privacy, please contact Tim Hayes at McKenna Storer.
If you’d like to learn more about other kinds of data privacy issues, read more of Tim’s extensive information about data privacy laws.