In just the last two weeks, three of the world’s most prominent social networks have been linked to stories about data leaks. Troves of information on both Facebook and LinkedIn users – hundreds of millions of them – turned up for sale in marketplaces in the cyber underground. Then, earlier this week, a hacker forum published a database purporting to be information on users of the new Clubhouse social network. 

Andrew Sellers is the Chief Technology Officer at QOMPLX Inc.

To hear Facebook, LinkedIn and Clubhouse speak, however, nothing is amiss. All took pains to explain that they were not the victims of a hack, just “scraping” of public data on their  users by individuals. Facebook went so far as to insist that it would not notify the 530 million users whose names, phone numbers, birth dates and other information were scraped from its site. .

So which is it? Is scraping the same as hacking or just an example of “zealous” use of a social media platform? And if it isn’t considered hacking…should it be? As more and more online platforms open their doors to API-based access, what restrictions and security should be attached to those APIs to prevent wanton abuse? 

To discuss these issues and more, we invited Andrew Sellers into the Security Ledger studios. Andrew is the Chief Technology Officer at the firm QOMPLX* where he oversees the technology, engineering, data science, and delivery aspects of QOMPLX’s next-generation operational risk management and situational awareness products. He is also an expert in data scraping with specific expertise in large-scale heterogeneous network design, deep-web data extraction, and data theory. 

While the recent incidents affecting LinkedIn, Facebook and Clubhouse may not technically qualify as “hacks,” Andrew told me, they do raise troubling questions about the data security and data management practices of large social media networks, and beg the question of whether more needs to be done to regulate the storage and retention of data on these platforms. 


(*) QOMPLX is a sponsor of The Security Ledger.

In this episode of the podcast (#206): with movement towards passage of a federal data privacy law stronger than ever, we invite two experts in to the Security Ledger studio to talk about what that might mean for U.S. residents and businesses.


Data theft and misuse has been an acute problem in the United States for years. And, despite the passage of time, little progress has been made in addressing it. Just this week, for example, SITA, an IT provider for the world’s leading airlines said that a breach had exposed data on potentially millions of travelers – just the latest in a steady drumbeat of breach and hacking revelations affecting nearly every industry. 

In the E.U. the rash of massive data breaches from retail firms, data brokers and more led to the passage of GDPR – the world’s first, comprehensive data privacy regime. In the years since then, other nations have followed suit.

But in the U.S., despite the passage of a hodgepodge of state data privacy laws, no comprehensive federal law exists. That means there is still no clear federal framework covers critical issues such as data ownership, the disclosure of data breaches, private rights of action to sue negligent firms and so on. 

Changes In D.C. Bring Data Privacy Into Focus

But that may be about to change. In a closely divided Washington D.C. data privacy is the rare issue that has bipartisan support. And now, with Democrats in control of Congress and the Whitehouse, the push is on to pass pro-consumer privacy legislation into law. 

Rehal Jalil, the CEO of Securiti.ai into the studio to dig deep on the security vs. privacy question. SECURE – ITI is a firm that sells privacy management and compliance services.  

n this conversation, Rahil and I talk about the evolving thinking on data privacy and security and about the impact on IT  the EU’s GDPR and state laws like CCPA are having on how businesses manage their data. Rehan and I also talk about whether technology might provide a way to bridge the gap between security and privacy: allowing companies to derive the value from data without exposing it to malicious or unscrupulous actors. 


As always,  you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloudStitcherRadio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted. 

The Irish Data Protection Commission (DPC) fined Twitter 450,000 euros (about US$546,000) for failing to timely notify the Irish DPC within the required 72 hours of discovering a Q4 2018 breach involving a bug in its Android app, and also for failing to adequately document that breach.  The bug caused some 88,726 European Twitter users’ protected tweets to be made public.

The case is notable because it is the first fine levied against a U.S. technology company in a cross border violation under the EU’s General Data Protection Regulation’s (GDPR), which went into effect in 2018.  Under the GDPR, the member state of the foreign company’s EU headquarters takes the lead on inquiries on behalf of all the EU’s 27 member states. Because Twitter EU’s headquarters are in Ireland, the DPC took the lead on the investigating the 2018 breach incident, which Twitter attributed to poor staffing during the holidays.

Pursuant to Article 60 of the GDPR, the Irish DPC submitted its draft decision last May to the other EU DPAs. In the draft decision, the Irish DPC found Twitter’s violations to be negligent, but not intentional or systematic.  Other member states disagreed with the Irish DPC draft decision, due in part to the small proposed fine.  The Irish DPC‘s proposed fine was only a small fraction of the maximum fine amount permitted, which under GDPR is up to 4% of a company’s global revenue or 20 million euros ($22 million), whichever is higher. Twitter’s global annual revenue was reportedly about $60 million in 2018.

The Irish DPC responded to the criticisms from other member states by stating that its proposed fine under the GDPR was an “effective, proportionate and dissuasive measure” and brought the matter before the European Data Protection Board, which upheld most of the decision but directed Ireland to increase the fine.

The Twitter case is just the first of many cases involving U.S. companies before the Irish DPC, as there are some 20 other pending inquiries. Ireland also serves as the EU headquarters for U.S. technology companies such as Facebook, Apple and Google.

The decision is available here.

Proposition 24 is known as the California Privacy Rights Act of 2020 (CPRA). It is on the ballot in California on November 3, and if it passes it will amend and expand certain provisions of the California Consumer Privacy Act (CCPA). Some say it’s CCPA 2.0, however, there are some provisions that make the CPRA look more like the General Data Protection Regulation (GDPR) – the European data regulation that reshaped privacy rights in the European Union. Two provisions in particular are very GDPR-like; specifically, the creation of the California Privacy Protection Agency (CPPA), which will become the regulator charged with implementing and enforcing both the CCPA and CPRA, and the expanded definition of sensitive personal information. CPRA would become effective Jan. 1, 2023, with an enforcement date of July 1, 2023. Here are some key highlights of Proposition 24.

What’s new for California consumers in CPRA? CPRA creates a new category of data, similar to GDPR, for sensitive personal information. CPRA also adds several new rights for consumers:

  • to restrict the use of sensitive personal information;
  • to correct inaccurate personal information;
  • to prevent businesses from storing data longer than necessary;
  • to limit businesses from collecting more data than necessary;
  • to know what personal information is sold or shared and to whom, and to opt out of that sale or sharing of personal information;
  • CPRA expands the non-discrimination provision to prevent retaliation against an employee, applicant for employment, or independent contractor for exercising their privacy rights.

What do businesses need to know regarding CPRA? It creates a new data protection agency with regulatory authority for enforcement of both CCPA and CPRA. Some new key provisions for businesses are:

  • the CPRA creates a Chief Auditor, who will have the authority to audit businesses data practices;
  • the CPRA also requires high risk data processors to perform regular cybersecurity audits and regular risk assessments;
  • the CPRA adds provisions regarding profiling and automated decision making;
  • the CPRA adds restrictions on transfer of personal information;
  • the CPRA requires businesses that sell or share personal information to provide notice to consumers and a separate link to the “Do Not Sell or Share My Personal Information” webpage and a separate link to the “Limit the Use of My Sensitive Personal Information” webpage or a single link to both choices;
  • the CPRA triples the fines set forth in CCPA for collecting and selling children’s private information and requires opt-in consent to sell personal information of consumers under the age of 16;
  • the CPRA expands the consumer’s private right of action to include a breach of a consumer’s email address and password/security question and answer.

The CPRA also changes the definition of “business” to more clearly define the annual period of time to determine annual gross revenues, which specifies that a business must comply with CPRA if, “as of January 1 of the calendar year,” the business had annual gross revenues in excess of twenty-five million dollars “in the preceding calendar year,” or alone or in combination annually buys or sells or shares the personal information of 100,000 or more consumers or households, or derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.

In addition to these criteria, CPRA adds somewhat puzzling language that states that a business would also be defined in the CPRA as a person that does business in California, that is not covered by one of the criteria described above, who may voluntarily certify to the California Privacy Protection Agency that it is in compliance with and agrees to be bound by CPRA.

The CPRA adds the new term “contractor” in addition to service provider. A contractor is a person to whom the business makes available a consumer’s personal information for a business purpose pursuant to a written contract with the business. The CPRA contains specific provisions to be included in the contract terms, and the contract must include a certification that the contractor understands the restrictions and will comply with them. The CPRA adds several new definitions, including definitions for cross-context behavioral advertising, dark pattern, non-personalized advertising, and profiling, and makes some changes to the definition of personal information. The CPRA eliminates some of the CCPA language regarding the “categories” of personal information.

The CPRA also adds “sensitive personal information” as a defined term which means:

(l) personal information that reveals: (A) a consumer’s social security, driver’s license, state identification card, or passport number; (B) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (C) a consumer’s precise geolocation; (D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; (F) a consumer’s genetic data; and (2) (A) the processing of biometric information for the purpose of uniquely identifying a consumer; (B) personal information collected and analyzed concerning a consumer’s health; or (C) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

The CPRA retains the CCPA exemptions for medical information governed by the California Confidentiality of Medical Information Act or protected health information collected by a covered entity or business associate under HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act), personal information collected as part of a clinical trial or other biomedical research study, activity involving the collection of personal information bearing on a consumer’s credit worthiness, and personal information collected, processed, sold or disclosed subject to the Gramm-Leach-Bliley Act or the federal Driver’s Privacy Protection Act of 1994.

The CCPA’s limited exemptions for employment information and so-called business-to-business information are also continued in the CPRA, however these provisions shall expire on January 1, 2023.

The CPRA provides authority for the CPPA to create extensive regulations, including a requirement for regulation of businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security to: (A) perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent; and (B) to submit to the CPPA on a regular basis a risk assessment with respect to the processing of personal information.

The private right of action under CPRA is expanded to include that consumers whose email address in combination with a password or security question and answer that would permit access to the account be able to institute a civil action and to recover damages or other injunctive relief. The CCPA 30-day cure period after notice of a breach is eliminated and administrative fines for violation of the CPRA increase to not more than $2,500 for each violation or $7,500 for each intentional violation or violations involving the personal information of consumers that the business has actual knowledge is under 16 years of age. The CPPA will have broad powers of investigation and enforcement for violations of the CPRA.

We will follow the progress of Proposition 24 on election day and provide an update here next week.