Cambridge Analytica and the Facebook Data Scandal: What It Means for Your Business
The story broke this weekend: a political consulting firm called Cambridge Analytica harvested personal data from 87 million Facebook users without their knowledge or meaningful consent. The data was used for political advertising and voter profiling. Facebook's stock dropped $36 billion in a single day. Mark Zuckerberg has been summoned to testify before Congress.
This isn't a traditional data breach. Nobody hacked Facebook. Instead, Cambridge Analytica exploited Facebook's own data-sharing policies to collect vast amounts of personal information through a quiz app. Users who took the quiz unknowingly gave access not just to their own data, but to the data of all their Facebook friends.
What Happened
- A researcher created a personality quiz app on Facebook
- About 270,000 people used the app
- The app collected data from those users AND all of their Facebook friends (as Facebook's API allowed at the time)
- This yielded data on approximately 87 million people
- The researcher shared the data with Cambridge Analytica, violating Facebook's terms of service
- Cambridge Analytica used the data for political ad targeting
- Facebook learned of the violation in 2015 but didn't disclose it publicly
The Bigger Issue: Data as a Business Model
The Cambridge Analytica scandal highlights something that privacy advocates have been saying for years: when a service is free, you are the product. Facebook's entire business model is built on collecting user data and selling targeted advertising access. Cambridge Analytica didn't break into Facebook. They used it as designed.
This has implications beyond social media:
Third-Party App Permissions
How many apps have access to your business's Facebook page, Google account, or Microsoft 365 tenant? Each connected app is a potential data pipeline. Review and revoke permissions for apps you no longer use or never intentionally authorized.
Customer Data Collection
If your practice collects patient data (and you do), this scandal reinforces the importance of data minimization: collect only what you need, use it only for its stated purpose, and protect it appropriately. This isn't just HIPAA compliance. It's an expectation that consumers are rapidly developing.
Social Media for Business
If your practice uses Facebook for marketing (and many do), understand what data Facebook has about your patients who interact with your page. Review your Facebook page's data settings. Be transparent with patients about your social media presence and data practices.
What's Coming: GDPR
The Cambridge Analytica scandal is accelerating a global conversation about data privacy regulation. The European Union's General Data Protection Regulation (GDPR) takes effect on May 25, 2018. While it primarily affects businesses operating in the EU, it's setting the template for privacy regulation worldwide. California is already working on similar legislation.
GDPR principles that every business should start thinking about:
- Consent must be explicit. Buried terms of service aren't sufficient.
- Data minimization. Collect only what you need for a specific, stated purpose.
- Right to deletion. Individuals can request that their data be deleted.
- Data portability. Individuals can request their data in a usable format.
- Breach notification. Breaches must be reported within 72 hours.
Action Items
- Audit your connected apps. Review what third-party apps have access to your business accounts (Facebook, Google, Microsoft). Revoke access for anything unnecessary.
- Review your data practices. What patient data do you collect beyond what's clinically necessary? Where is it stored? Who has access?
- Update your social media policy. If your practice has a Facebook page, ensure staff know what's appropriate to post and what data practices to follow.
- Watch the regulatory landscape. GDPR is the beginning, not the end. US privacy regulation is coming. Practices that adopt privacy-forward policies now will be ahead of the curve.
Facebook's motto used to be "move fast and break things." Turns out, what they broke was trust.