What Legal Obligations do Internet Companies Have to Prevent and Respond to a Data Breach? [October 25, 2018]
"Recently, large Internet companies--i.e., companies that do most of their business on the Internet, such as social media platforms or search engines--have made headlines after failing to secure their users' personal information. For example, on September 28, 2018, Facebook announced a security breach affecting tens of millions of user accounts. According to Facebook, hackers exploited a vulnerability in its code that allowed them to steal 'access tokens,' which are the 'equivalent of digital keys' that 'keep people logged in to Facebook.' Facebook later disclosed that, of the affected accounts, hackers accessed the names and contact details of 15 million users and the biographical information of another 14 million users. Just over a week after Facebook's breach, on October 8, 2018, Google, in announcing the end of its social network Google+, disclosed that a software glitch exposed the personal data associated with up to 500,000 Google+ accounts. Google explained that it discovered and resolved the glitch in March 2018 and that there was no evidence anyone misused the exposed data. The Internet search giant reportedly made an initial decision not to disclose the incident, before reversing course and shutting down the Google+ platform following a Wall Street Journal investigation."
CRS Legal Sidebar, LSB10210
Congressional Research Service: https://crsreports.congress.gov/