Featured Article – What Is Greenwashing (in Technology)?
In this article, we look at what ‘greenwashing’ is, how and why it is being used, and what is being done to stop it.
What Is Greenwashing?
Greenwashing, a term coined by Jay Westerveld in 1986, refers to the way some companies mislead stakeholders about their environmental and ethical credentials by spending more on marketing themselves as environmentally friendly and ethical than on actually being so. The practice is most likely to be found in industries where the environmental impact of production and waste is known to be great, e.g. oil and gas, consumer electronics, fashion, and fast-moving consumer goods (FMCG) packaging.
Why?
A widely publicised climate emergency, knowledge of ethical issues in production, publicity and pressure from campaigners and political movements, the availability of choice, and the rise of social media are all factors that have led to more consumers being better informed and more engaged with how their consumption is linked to environmental and ethical issues. Many of these consumers are now more likely to reject products with known poor environmental/ethical credentials and to favour (i.e. choose to purchase, and feel more loyal towards) entities whose credentials are believed to be good and whose values they share. For example, a Nielsen report found that 66 percent of consumers said they would pay more for sustainable brands. Unfortunately, another survey (TerraChoice) found that 98 percent of green-labelled products may actually be greenwashed.
Until there is a more unified, global approach to climate change from institutions and governments, economic factors and mass consumption are, to a large extent, in conflict with tackling climate change. Making products from raw materials to feed demand, at a competitive price and in a way that is profitable, can lead some companies to make short-term, environmentally damaging, and perhaps unethical decisions. Some companies know, therefore, that by disguising their operations they can reap the benefits of being perceived as green whilst not investing in green solutions and practices.
Greenwashing Methods
Some popular methods of greenwashing include:
– Making changes to logos, brands, names, labelling and packaging (using environmental images and claims about the nature of ingredients), and differentiating product lines.
– Irrelevant claims, ‘lesser of two evils’ claims, and hidden trade-offs.
– Associating themselves with charities, environmental and ethical organisations (e.g. using logos, and donation information).
– Presenting data and figures and making claims that would be difficult to substantiate.
– Publicising environmental programs that companies are/have been involved with and using distraction tactics.
– The use of language/environmental buzzwords and soundbites that could be misleading (e.g. eco-friendly, bio, mineral, happy, green, healthy, herbal, non-hazardous, pure, re-usable, recyclable, free-range).
Examples of Greenwashing
There are many widely publicised examples of what could be called greenwashing, often involving well-known brands (as these are newsworthy and attract more publicity). Please note that the companies concerned could argue that, rather than greenwashing, it was simply a mistake, not thought through, or not intended to deceive, which in some cases could be a legitimate defence. With this in mind, a few examples of greenwashing might include:
– The McDonalds fast-food company publicising a switch (in some UK branches) to ‘fully-recyclable’, paper straws from plastic straws in 2018. The move backfired when the thickness of the straws meant that they couldn’t be recycled in the normal way, and a packaging supplier pointed out the issue was not with the straws but the need for investment in the UK’s recycling infrastructure.
– The H&M clothes recycling scheme for World Recycle Week (2016), where customers could return their old H&M jumpers to the stores, from where they would be sent for recycling. It was found that only a small amount of the fibre could be recycled and that, based on the company’s publicised figures, it could take 12 years for H&M to use up 1,000 tons of fashion waste (the same amount of clothes that the company produced in 48 hours).
– A recent move by Tesla to allow customers to buy their electric vehicles with Bitcoin led to criticism when a medium.com article pointed to how, ironically, the cost of buying an energy-saving, environmentally friendly electric-powered Tesla car in Bitcoins could equate to cancelling one third of the CO2 savings for its whole lifetime.
– Ryanair was recently criticised by the Advertising Standards Authority (ASA) for using old information to claim it was the UK’s lowest emission airline after the statistics it used in the advert didn’t include many rival airlines and were based on 2011 data.
– Back in 2008, oil and gas company Shell had an advert banned which claimed that a project involving strip-mining of 140,000 sq km of Alberta and the building of the world’s largest oil refinery equated to a ‘sustainable’ project. The advert about the project was banned due to a lack of supporting data about how operations would help manage climate change.
Related Issues
There are some practices that could be considered more in terms of hidden aspects and trade-offs that feed into greenwashing. These include:
– Planned/built-in obsolescence. One example could be Apple products. Although the company publicises its stores, offices, and data centres as being fully powered by renewable electricity, and all its operations (including commuting and business travel) as carbon neutral, older models of its products (e.g. older iPhones and iPods) cannot be updated to the latest operating systems and apps, thereby severely limiting the useful life of the hardware.
– The right to repair. The fact that many tech products/consumer devices, for example, are manufactured in a way, and/or contain labels (voiding warranties if opened) that appear to prevent third-party repairs or force the owner to use only the services of the maker, is a practice related to greenwashing in many cases. It has led to legislation, primarily in the US and the EU, to give consumers the right to repair their own consumer electronic devices, which they may have bought with green claims in mind, and thereby prevent the environmental impact of disposal.
– Carbon-offsetting. Companies may use carbon-offsetting, often in good faith, but as environmental campaigners such as Greenpeace point out, it may not really work because companies need to stop carbon emissions from getting into the atmosphere in the first place. There is also an argument that carbon offsetting doesn’t deliver the level of carbon savings that it claims, and that it may simply allow companies to continue with unsustainably carbon-intensive behaviours and lifestyles while feeling good about themselves and promoting a positive image.
What Does This Mean For Your Business?
The economic and commercial reasons for greenwashing, on whatever scale, are obvious, and although it may enable companies to benefit in the short term, it is a high-risk strategy for consumer trust and business continuity as well as for the environment. Being found out for deceiving consumers in this way can be damaging for brands and profits, but the real damage comes from activities globally that are contributing to the climate emergency. A global effort, from the individual level up to companies, institutions and governments, is needed on all fronts to help tackle this monumental challenge. Greenwashing is a threat to the success of this effort because, by deception, it prevents good environmental choices being made whilst enabling companies to carry on with environmentally damaging practices, the losers being all of us, including those who use greenwashing. As a greater focus and effort comes to bear on environmental issues, greenwashing attempts are now being spotted, scrutinised, and publicly called out by pressure and environmental groups, consumer and advertising standards associations, and punished through legislation. For example, the UK Competition and Markets Authority (CMA) has proposed to introduce legislation within this year to tackle greenwashing and false claims surrounding ‘eco-friendly’ products. Keeping up the effort to discourage and ‘out’ greenwashing practices is one important front in the fight to protect the planet.
Tech News : Russia Sanctioned Over Cyber Attacks
President Biden’s administration in the U.S. has placed new sanctions on Russia over alleged cyberattacks affecting the U.S. and its allies.
What Is Russia Accused Of?
The U.S. government sanctions relate to:
– The ‘SolarWinds attack’, in which a trojanised software update reached around 18,000 SolarWinds customers, including government and private networks. The U.S. attributes the operation to the Cozy Bear hacking group (APT29), acting for Russia’s foreign intelligence service, the SVR, which then used that access to spy on the systems of many different organisations around the world.
– Alleged Interference in the 2020 U.S. presidential election.
Executive Order
The Executive order, issued by President Biden, accuses the Russian Federation of engaging in “harmful foreign activities” such as, “efforts to undermine the conduct of free and fair democratic elections and democratic institutions in the United States and its allies and partners; to engage in and facilitate malicious cyber-enabled activities against the United States and its allies and partners; to foster and use transnational corruption to influence foreign governments; to pursue extraterritorial activities targeting dissidents or journalists; to undermine security in countries and regions important to United States national security; and to violate well-established principles of international law, including respect for the territorial integrity of states”.
The Sanctions
The Executive Order from President Biden contains a long and detailed list of sanctions, and targets 32 entities and officials who the U.S. believe were involved in influencing the 2020 U.S. presidential election and engaged in other acts of disinformation. It is understood that the Order will initially lead to the expulsion of ten diplomats and will prohibit the purchase of rouble-denominated bonds by U.S. financial institutions, thereby causing Russia some financial pain. The Executive Order can be viewed here: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/04/15/executive-order-on-blocking-property-with-respect-to-specified-harmful-foreign-activities-of-the-government-of-the-russian-federation/.
Other Sanctions
The new, tougher stance towards Russia under the Biden administration led to other sanctions being imposed last month, targeting seven senior Russian officials and fourteen organisations. Those sanctions, mainly the freezing of assets held in the U.S., were made in response to the poisoning of opposition leader Alexei Navalny and, more broadly, to curb what the U.S. sees as a developing pattern of the use of chemical weapons (poisonings) by Russia. One U.K. example of this pattern was the use of Novichok in Salisbury to poison Sergei and Yulia Skripal.
It has also been reported that the same two Russian suspects wanted for the Salisbury poisonings are now wanted by the Czech Republic in relation to an ammunition depot explosion there in 2014. The Czech Republic is also expelling 18 Russian diplomats who it believes have been involved in spying.
What Does This Mean For Your Business?
With the Biden administration and cooperating EU countries now signalling that they will take a harder line with Russia, using what are designed to be proportionate responses to curb some of its most worrying and damaging activities, the idea is to restore some balance and order and return to dialogue and diplomatic process rather than escalation and conflict. The SolarWinds cyberattack, for example, is believed to have compromised around 100 companies and nine U.S. federal agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), whose job it is to protect federal computer networks from cyberattacks. The malicious code was inserted into a routine, digitally signed software update from the Texas-based company that was downloaded around 18,000 times, so that every customer who installed it in good faith was exposed. The damage to agencies and big businesses and their stakeholders (including the many businesses down the line who may have been compromised) is still not fully known, and the expertise and effectiveness of the attack has worried western governments. Interference in state processes such as elections, and cyberattacks with the sophistication of the SolarWinds one, are a serious threat to businesses, organisations and even whole economies, so if sanctions are an effective way to help stop these, this latest round may be one step towards protecting western businesses, organisations, state agencies, and economies.
Tech News : MEPs Seek Ban On Public Biometric Surveillance
Following the recent leak of draft EU rules on the use of AI, 40 MEPs have called for a ban on the use of facial recognition and other types of biometric surveillance in public places.
Draft Rules
The leaked draft rules by EU lawmakers to regulate the use of AI prompted the MEPs to publish a letter outlining how the draft rules could be strengthened to offer greater privacy protection and guard against discrimination, threats to privacy, and more.
Biometric Mass Surveillance
The MEPs noted that the draft rules do not include a ban on the use of facial recognition or similar remote biometric identification technologies in public places. The letter from the MEPs highlighted how this type of surveillance has been shown to lead to mistaken identification/wrongful reporting of subjects and discrimination against “under-represented groups”, and to have a “chilling effect” in a society that is diverse and used to certain freedoms. The MEPs have, therefore, called for a total ban on this type of surveillance.
Automated Inference Warning
The letter also warned of how automated inference, such as predictive policing and indiscriminate monitoring using biometrics, could violate rights to privacy and data protection, suppress free speech, be counter-productive in the fight against corruption, and pose a particular risk to “LGBTQI+ communities, people of colour, and other discriminated-against groups”. The MEPs, therefore, request in the letter that the new rules should prohibit “automatic recognition of gender, sexuality, race/ethnicity, disability and any other sensitive and protected characteristics”.
Other Areas of Concern
The letter also says that the MEPs would like the wording of the proposed new rules to be tightened up to cover all untargeted and indiscriminate mass surveillance, and that the proposed exemption from the prohibition on mass surveillance for public authorities (or commercial entities working for them) would undermine the protection the rules are meant to give.
In the UK
The use of biometric public surveillance in the UK has also caused concern. For example:
– In December 2018, Elizabeth Denham, the UK’s Information Commissioner launched a formal investigation into how police forces used FRT after high failure rates, misidentifications and worries about legality, bias, and privacy. This stemmed from the trial of ‘real-time’ facial recognition technology on Champions League final day June 2017 in Cardiff, by South Wales and Gwent Police forces, which was criticised for costing £177,000 and yet only resulting in one arrest of a local man (whose arrest was unconnected).
– Trials of FRT at the 2016 and 2017 Notting Hill Carnivals led to the Police facing criticism that FRT was ineffective, racially discriminatory, and confused men with women.
– In September 2018 a letter, written by Big Brother Watch (a privacy campaign group) and signed by more than 18 politicians, 25 campaign groups, and numerous academics and barristers, highlighted concerns that facial recognition is being adopted in the UK before it has been properly scrutinised.
– In May 2019 in the UK, following controversial incidents where facial recognition had been tested in some public places, Luciana Berger (MP) put forward a written parliamentary question about bringing forward ‘biometrics legislation’ related to how facial recognition was being used for immigration purposes at airports. Also, questions were asked in Parliament about possible safeguards to protect the security and privacy of citizens’ data that is held as part of the Home Office’s biometrics programme.
– In September 2019, it was revealed that the owners of the King’s Cross Estate had been using FRT without telling the public, and that London’s Metropolitan Police Service had supplied images for its database.
– A letter from London Assembly members Caroline Pidgeon MBE AM and Sian Berry AM to Metropolitan Police commissioner Cressida Dick asked whether live facial recognition (LFR) could be withdrawn during the COVID-19 pandemic, on the grounds that it has been shown to be generally inaccurate and still raises civil-liberties questions. The letter cited the first two LFR deployments this year, in which more than 13,000 faces were scanned, only six individuals were stopped, and five of those six had been misidentified and were stopped wrongly; of the eight people who triggered a ‘system alert’, seven were incorrectly identified. Concerns have also been raised that face masks worn to curb the spread of COVID-19 will reduce the already questionable accuracy of FRT still further.
What Does This Mean For Your Business?
Biometric surveillance clearly has benefits as a tool to help with the work of government agencies and law enforcement, but many now feel that its use is advancing too far ahead of the legislation. In a diverse society where data protection rights have been tightened up, and respect for privacy with them (due to GDPR), mass surveillance of this kind feels to many people like it goes against those rights, in a ‘chilling’ way that may affect freedom and could be used (if not properly regulated) to discriminate. The UK trials and usage of facial recognition to date have also revealed areas where the technology has been unreliable, and there may also be issues of bias. It is not surprising, therefore, that a group of MEPs have chosen to apply pressure to tighten up the rules, although it remains to be seen whether the concerns of the MEP group affect the final legislation.
Tech Tip – Creating An Email List In Outlook
If you’d like a quick and easy way to regularly email a group of contacts (e.g. work colleagues or suppliers), Outlook gives you the ability to create a Distribution List (or Contact Group in 365). Here’s how it works:
For Outlook Online
– Log into outlook.com or select Outlook from the app launcher.
– On the left-hand side, select Groups > New group.
– In the pop-up, name the group, give it a brief description, and select ‘Create’.
– Add group members by searching by name/email address, and they will appear under “This person will be added.”
– When all email addresses have been added, select the ‘Add’ button, and select ‘Close’.
– To send an email to the group, select ‘New message’ and in the ‘To’ field, type the name of the group you created.
For Outlook On Desktop
This is called a ‘Contact Group’ rather than a Distribution List. To build one:
– Launch Outlook and select ‘People’ (lower left).
– From the toolbar, select ‘New Contact Group’ (a ‘New Group’ button in 365).
– When the window loads, name your contact group.
– To add members, select ‘Add Members’ and choose where to get members from – Outlook Contacts, Address Book, or New Email Contact.
– Search for the people/email addresses to add. When their entry is highlighted, select the ‘Members’ button (or double-click their entry) to add them.
– When this is done, select ‘OK’, save changes, and close the window.
– The name of the Contact Group will appear as an entry in the Outlook address book so can be selected in the ‘To’ field when creating a new email.
Featured Article : Employee Exit
When employees leave a business or organisation, there are many actions that need to be taken to maintain security. Here’s a summary of some of them in relation to the health and continuity of the business and to fulfil legal and stakeholder responsibilities.
Different Reasons, Same Actions
Members of organisations inevitably change over time. They may leave of their own accord (e.g. to go to another job or to move away), may be asked to leave, or may go for many other reasons. For businesses or organisations to fulfil their responsibilities to themselves, their shareholders, customers, other employees, and data laws, and to allow them to act quickly when the time comes, it pays to have at least a (preferably regularly updated) checklist in place to ensure that security is maintained and that weaknesses, threats, and disruption are minimised.
Potential Threats
Examples of the kinds of potential threats that an organisation may need to guard against on employee exit include:
– Damage, theft, and disruption – In addition to the risk of data theft, attacks on a company’s systems and network, which may have been facilitated by not having security measures or procedures in place for employees leaving/retiring, can cause costly and disruptive damage.
– Insider threat – One of the dangers of not managing the departure of an employee properly is that a business could then have an ‘insider threat’ (i.e. a former employee, contractor or partner with access rights and logins that still work). This could lead to private company business being leaked (possibly to competitors), industrial espionage, opportunities for extortion, access being gained to financial details, customers stolen, and more. A recent IBM study found that insider threats account for 60 percent of data breaches.
Examples
High profile examples of organisations that have suffered data breaches at the hands of ex-employees include:
– Broadcasting watchdog Ofcom, which suffered a large data breach in 2016, where a former employee downloaded around six years’ worth of third-party data before leaving for a new job at a major broadcaster. The data was then offered to the new broadcaster who informed Ofcom.
– Back in 2013, a disgruntled Morrisons IT internal auditor, Andrew Skelton, copied the payroll data of 99,998 Morrisons employees to a personal USB stick and then posted the data on a file-sharing website. This resulted in a class action being launched against Morrisons by over 5,000 employees, with the High Court and Court of Appeal finding Morrisons “vicariously liable” for the breach (a finding the UK Supreme Court overturned in 2020, although the case remains a warning about the cost of an insider with more access than their role requires).
Legal Responsibility
The examples above highlight one important reason for closing any potential holes in security on employee exit: the legal responsibility under current data laws. The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (which replaced the DPA 1998) are the main legislative frameworks covering how a business or organisation in the UK should manage the protection and handling of data. Under these, the data controller (i.e. you and your company/organisation) holds the responsibility for data matters.
Protecting that data is important both to protect those whom the company holds data about, and to protect the company itself from legal penalties, damage to reputation and more. As well as personal data, a business needs to ensure that other sensitive data such as financial records, intellectual property and details about company security controls are all protected.
Procedure
These threats and responsibilities demonstrate that businesses and organisations need to address them as part of due diligence. This can be done by developing a built-in company procedure when an employee leaves for whatever reason.
Checklist
This company procedure could be built around a checklist / a kind of security audit that takes the following into account:
– Emails are a window into company communications and operations and a place where sensitive data is exchanged and stored. It is also a common ‘vector’ for cyber-criminals. With this in mind, managing the email aspects of security when an employee leaves/retires is vitally important. Measures that can be taken include revoking access to company email, setting up auto-forwarding and out-of-office replies, while making sure that you mention who the new contact is. Also, it’s important to revoke access to/remove login credentials for other email programs used by the company to communicate with customers and other lists of stakeholders, for example via mass mailing programs with stored lists, such as Mailchimp.
– Revoking access to company systems and networks. Employees have login details and rights/permissions for company computer systems and networks, and these should be revoked when they leave. Note that disabling a password alone is not enough: existing sessions, single sign-on refresh tokens, VPN certificates, SSH keys and personal API tokens stay valid until they expire or are revoked, so the directory account should be disabled, active sessions and tokens revoked, keys and certificates removed, and the user removed from any groups that grant access.
– CRMs provide access to all manner of data about the company, its customers, its other stakeholders, sales, communications and more. Login access should be revoked when an employee leaves.
– Collaborative Working Apps/Platforms and shared, cloud-based, remote working platforms (e.g. Teams or Slack) also contain direct access to company data. Make sure that a departing employee can no longer have access to these groups.
– If the departing employee has a personal voicemail message on the company phone, this also needs to be changed.
– A leaving employee will need to return all company devices, and this implies that a company should have procedures in place to keep a record of which company devices have been allocated to each employee.
– Retrieval of any backup/storage media (e.g. USBs) may also help to prevent some security threats.
– Although it is best to store all online documents in a shared company folder that you have control over (e.g. in OneDrive), it is possible that an employee has stored items in separate folders on their computer. Making sure that these are transferred to you or deleted when the employee leaves can help to maintain levels of security.
– Changing any passwords shared with multiple members of staff (e.g. social media, supplier portals or shared mailboxes) is an important measure to take when an employee leaves, because the leaver still knows them. Shared credentials are better replaced with individual accounts wherever the service allows it; note that current guidance from the NCSC and NIST no longer recommends routine, calendar-based expiry of individual passwords, so a leaver-triggered rotation of shared secrets matters more than a blanket change policy.
– If the departing employee was authorised to use company credit/debit cards, changing the PINs for those cards is another step that needs to be taken to maintain security with the company/organisation’s finances.
– Letting the company team/person responsible for IT security know that a person has left, particularly if the person left ‘under a cloud’, is another way that you can help to close security loopholes.
– Making sure that all company-related keys, pass cards, ID cards, parking passes, and any other similar items are retrieved is something that should be done before the ex-employee leaves the premises for the last time.
– If the employee has been issued with physical documents (e.g. a handbook) which contains information and data that could threaten company security, these need to be retrieved when the employee leaves.
– If the departing employee’s email address and extension feature on the website, and/or that employee is shown as holding the role they are departing from, this needs to be removed from the website. Also check that company social media does not indicate that the departed employee is still in their role (e.g. on LinkedIn and Facebook). You may also wish to make sure that the ex-employee no longer features prominently in the business’s online estate (e.g. at the top of the website home page) or on other prominent pages.
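The two checks that most often get missed after the paperwork is done are the ones the checklist above depends on: is any account belonging to a leaver still enabled (and, worse, still being used), and has every shared secret the leaver knew been rotated since they left? The following is an added illustrative example, not part of the original article and not any vendor’s tooling. It reconciles a constructed HR leavers list against a constructed export of accounts and a register of shared credentials; in practice the three inputs would come from HR, from each system’s user export, and from the password manager, and the names, dates and systems here are assumptions for the example.

```python
"""Leaver access reconciliation: flag live accounts and unrotated shared secrets.
Added illustrative example; all data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Leaver:
    user: str
    exit_date: date


@dataclass(frozen=True)
class Account:
    system: str
    user: str
    enabled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class SharedSecret:
    name: str
    known_by: frozenset  # usernames who were ever given the secret
    last_rotated: date


# Constructed sample data (assumed names, systems and dates).
LEAVERS = [Leaver("a.smith", date(2021, 4, 1)), Leaver("j.doe", date(2021, 4, 9))]

ACCOUNTS = [
    Account("directory", "a.smith", enabled=False, last_login=date(2021, 3, 31)),
    Account("crm", "a.smith", enabled=True, last_login=date(2021, 4, 12)),     # used after exit
    Account("mailchimp", "a.smith", enabled=True, last_login=date(2021, 2, 2)),  # dormant but live
    Account("slack", "j.doe", enabled=True, last_login=date(2021, 4, 8)),
    Account("directory", "j.doe", enabled=False, last_login=date(2021, 4, 9)),
    Account("crm", "m.jones", enabled=True, last_login=date(2021, 4, 14)),     # current employee
]

SHARED_SECRETS = [
    SharedSecret("social-media-admin", frozenset({"a.smith", "m.jones"}), date(2020, 11, 1)),
    SharedSecret("wifi-guest", frozenset({"j.doe", "m.jones"}), date(2021, 4, 10)),  # rotated after exit
]


def find_lingering_accounts(leavers, accounts):
    """Return sorted (system, user, note) for every enabled account that belongs to a leaver.
    A login after the exit date is called out separately: that is evidence of use, not just exposure."""
    exits = {lv.user: lv.exit_date for lv in leavers}
    findings = []
    for acc in accounts:
        if acc.user not in exits or not acc.enabled:
            continue
        used_after = acc.last_login is not None and acc.last_login > exits[acc.user]
        findings.append((acc.system, acc.user, "used after exit" if used_after else "still enabled"))
    return sorted(findings)


def find_unrotated_secrets(leavers, secrets):
    """Return sorted names of shared secrets that a leaver knew and that were not rotated after
    that leaver's exit date (a rotation on the exit date itself still counts as stale)."""
    exits = {lv.user: lv.exit_date for lv in leavers}
    stale = []
    for s in secrets:
        if any(s.last_rotated <= exits[u] for u in s.known_by if u in exits):
            stale.append(s.name)
    return sorted(stale)


if __name__ == "__main__":
    for system, user, note in find_lingering_accounts(LEAVERS, ACCOUNTS):
        print(f"ACCOUNT  {system:<10} {user:<10} {note}")
    for name in find_unrotated_secrets(LEAVERS, SHARED_SECRETS):
        print(f"SECRET   {name} has not been rotated since a leaver who knew it left")
```

Run against the constructed data this reports the CRM account that was used eleven days after the leaver’s exit date, the dormant but still-enabled Mailchimp and Slack accounts, and the social media credential that has not been changed since the leaver left; the guest Wi-Fi password, rotated the day after the second leaver’s exit, is correctly not reported. Running a reconciliation like this on a schedule, rather than only on the day someone leaves, is what catches the accounts that were created outside the joiner/leaver process.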
BYOD Threat
Where companies offer ‘Bring Your Own Device’ (BYOD), meaning that employees can bring in their personally owned laptops, tablets, and smartphones to work and use them to access company information, this poses an additional level of threat on employee exit, because the device holding company data walks out of the door with its owner. This threat may be lessened where companies opt for alternatives to pure BYOD such as corporate-owned, personally enabled (COPE), choose your own device (CYOD), personally owned and partially enterprise managed, or personally owned with a managed container application. In each case the practical control is enrolling the device in mobile device management (MDM) so that the corporate container or profile, and the company data in it, can be wiped remotely on exit without touching the employee’s personal data.
In any case, BYOD should be always accompanied by clear policies and guidance as part of effective management.
Ex Employee’s Legal Responsibilities
It should be remembered that, although the business/organisation has legal responsibilities to protect company data, the ex-employee is also subject to the law for their behaviour. This is of particular importance where an employee who has dealt with the personal details of others in the course of their work leaves or retires. For example, the ICO prosecuted a charity worker who, without the knowledge of the data controller (Rochdale Connections Trust), sent emails from his former work email account (in February 2017) containing sensitive personal information of 183 people. Also, a former apprentice in a council schools admissions department was found guilty of screenshotting a spreadsheet that contained information about children and their eligibility for free school meals and then sending it to a parent via Snapchat.
What Does This Mean For Your Business?
Having a regularly reviewed and updated procedure in place for the steps to take during an employee’s exit is an important part of due diligence, legal responsibility and responsibility to all stakeholders, and is a way for a company to protect itself from preventable threats in the future. This procedure feeds into business security and business continuity, and is also an argument for making sure that employees work within monitored and controlled company systems, rules and procedures, which makes it easier to close all loopholes and minimise threats on employee exit.
Tech Insight – What’s Happening About The HUGE Facebook Data Leak?
With the scraped details of more than 530 million Facebook users, taken in 2019, having resurfaced online, criticism of the company’s response to the breach has prompted some to ask just what is happening.
What Breach
It has been reported that in 2019, the ‘scraped’ details of more than 530 million Facebook users were exposed on a hacking forum. The stolen dataset, including details of users in 106 countries, is reported to have included phone numbers, Facebook IDs, full names and birthdates, but not financial information, health information or passwords. This ‘old’ data is reported to have recently been made publicly available again, this time free of charge.
How?
According to Facebook, before September 2019 a flaw in its contact importer feature allowed malicious actors to imitate the Facebook app, upload very large lists of phone numbers, and learn which of those numbers belonged to Facebook accounts. The matches could then be used to ‘scrape’ the public profile data for those accounts.
Found Online
The database that appeared to contain scraped details of the Facebook users was originally discovered online in September 2019, just one day after it was known to have been taken. At the time, it was reported that most of the data came from US users but that 18 million records were from UK users.
Blame
Facebook appears to place the blame on the ‘malicious actors’ and puts it down to the “adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet services.” Facebook has made it clear that this story is not about a recent hack of its systems but rather is old news, and old data and that back in 2019, after the scraped dataset was posted online, Facebook made changes to the contact importer to stop the software from being used in future to imitate the app and upload a large set of phone numbers to see which ones matched Facebook users.
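The abuse described in the ‘How?’ section and the fix described above can be shown in a few lines: a contact importer that matches every number it is given, with no limits, is a bulk-lookup service for anyone willing to upload a whole numbering range instead of an address book. The example below is added to this article and is not Facebook’s code or a description of its actual limits; the directory, phone numbers, batch cap, daily quota and the ‘discoverable by phone’ flag are all constructed assumptions for illustration. It puts the unbounded lookup beside a hardened version and runs a simulated scraper through both.

```python
"""Contact-importer enumeration: unbounded lookup versus a capped, quota-limited one.
Added illustrative example on constructed data; not Facebook's code."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Profile:
    user_id: int
    name: str
    phone: str                         # digits only, country code first (constructed, not real numbers)
    discoverable_by_phone: bool = True # the user's own "who can look me up by phone" setting


# Constructed directory of three accounts; the numbers are in a test range and are not real.
DIRECTORY = [
    Profile(1001, "Alice Example", "447700900123"),
    Profile(1002, "Bob Example", "447700900456", discoverable_by_phone=False),
    Profile(1003, "Carol Example", "447700900789"),
]
BY_PHONE = {p.phone: p for p in DIRECTORY}


def match_contacts_unbounded(uploaded: list[str]) -> dict[str, Profile]:
    """The weak design: any caller may upload any number of phone numbers and gets the
    profile behind every match, regardless of size or of the user's own settings."""
    return {n: BY_PHONE[n] for n in uploaded if n in BY_PHONE}


@dataclass
class HardenedImporter:
    """Same lookup with the controls a scraper runs into: a cap on one upload, a per-caller
    daily quota, only an opaque user ID in the response, and respect for the discoverability
    setting. The limits are assumptions for this example, not any real service's values."""
    max_batch: int = 500
    daily_quota: int = 2000
    used_today: dict = field(default_factory=dict)

    def match(self, caller: str, uploaded: list[str]) -> dict[str, int]:
        if len(uploaded) > self.max_batch:
            raise ValueError("batch too large")
        used = self.used_today.get(caller, 0)
        if used + len(uploaded) > self.daily_quota:
            raise PermissionError("daily contact-import quota exceeded")
        self.used_today[caller] = used + len(uploaded)
        return {n: BY_PHONE[n].user_id for n in uploaded
                if n in BY_PHONE and BY_PHONE[n].discoverable_by_phone}


def enumerate_range(prefix: str, start: int, count: int) -> list[str]:
    """What a scraper uploads: consecutive numbers rather than a real contact list."""
    return [f"{prefix}{start + i:06d}" for i in range(count)]


def run_scraper(importer: HardenedImporter, caller: str, numbers: list[str], batch: int):
    """Feed a numbering range through the hardened importer in batches until the quota
    refuses us. Returns (matches found, how many numbers the scraper managed to test)."""
    found, tested = {}, 0
    for i in range(0, len(numbers), batch):
        chunk = numbers[i:i + batch]
        try:
            found.update(importer.match(caller, chunk))
        except PermissionError:
            break
        tested += len(chunk)
    return found, tested


if __name__ == "__main__":
    attempt = enumerate_range("447700", 900000, 3000)   # 3,000 consecutive numbers
    print("unbounded importer exposed:", [p.name for p in match_contacts_unbounded(attempt).values()])
    found, tested = run_scraper(HardenedImporter(), "scraper-app", attempt, batch=500)
    print(f"hardened importer: {tested} numbers tested before quota, matches {found}")
```

With the constructed directory, the unbounded importer hands the scraper all three accounts, including the one whose owner opted out of phone lookup. The hardened one stops the same scraper after 2,000 numbers for the day, never returns the opted-out account, and gives back only an ID rather than a profile, so a full-range scrape becomes slow, noisy and incomplete instead of a single bulk download. Quotas and batch caps are a brake rather than a cure: the durable fix is that a phone number should never be a public key to a profile unless its owner chose that.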
Criticism
With the trust-damaging Cambridge Analytica scandal still casting a shadow over Facebook, the resurfacing of this scraped data online last weekend, and Facebook’s apparent attitude to it, has drawn a good deal of criticism, including:
– An initial silence from Facebook after the Business Insider article highlighted the breach. For example, Ireland’s Data Protection Commission (DPC) saying that it had received no communication from Facebook over the weekend when the breach was announced.
– The fact that, although Facebook may see this as old data, a dataset of this size remains useful to cybercriminals. A phone number tied to a real name and birthdate is exactly what a SIM-swap attacker needs to persuade a carrier to move a victim’s number to their own device and intercept the SMS one-time codes that protect email and other accounts. The data can also be used for spam calls, scam texts and targeted phishing.
– Facebook has not notified the users whose data was taken and is reported to have said it does not plan to. There is no simple way for those users to tell whether, or how seriously, they have been affected, or whether their data has been passed on, sold on or used in other attacks. Users whose details were taken in 2019 may well still have the same phone number and other details today, and may therefore be at risk of further attacks at any time.
– Criticism of an apparent culture of impunity and a questionable attitude to users’ data privacy and security at Facebook, shown in its dismissal of more than 530 million people’s data as essentially old news that it could do nothing about, simply saying that the data is now “publicly available”.
– Questions over whether, under GDPR, Facebook does still have a responsibility to inform users whose data has been stolen and criticism that Facebook should be doing more to respond to European regulators and not just American ones.
– That Facebook may have more antitrust questions to answer in Washington and that there now needs to be more transparency, accountability, and regulation of the activities and privacy/security measures taken by big social media companies, and that these companies must somehow be made to act more responsibly in several areas, including data protection.
– That the market dominance and apparent monopoly position by Facebook (it owns platforms Instagram and WhatsApp) has enabled these privacy and security issues to keep happening.
What Can You Do?
One of the few things that users can do to see if their details have been taken in this or other known leaks/attacks is to check on the HaveIBeenPwned website: https://haveibeenpwned.com/. Because this dataset is keyed on phone numbers rather than email addresses, the site added a phone-number search for it, so users should check their number (in international format) as well as their email address.
What Does This Mean For Your Business?
The staggering size of this breach, coupled with what many have seen as an unsatisfactory response from Facebook, on top of the company’s history with data privacy and security (e.g. the Cambridge Analytica scandal), has seen the social media giant come back under the spotlight once again, with many calling for greater accountability (particularly to European regulators). This will, no doubt, be another blow to user trust and could fuel action in Washington, adding new momentum to the antitrust battle and to the question of what to do about a dominant social media giant to stop this kind of thing from happening. For users, as individuals and as owners of business pages, and for users of Instagram and WhatsApp, it is a case of not really knowing whether their data has been stolen and sold on (apart from proactively checking on a website) and feeling relatively powerless in their relationship with the social media giant as regards their data privacy and security, and the company’s apparent attitude to it. Many may feel that pressure at state level, government questions, and tougher action from regulators may be the only real way to force changes in such a powerful company.