April 29, 2021

Legal Implications of the Facebook Data Breach

By Timothy Shields.

Just recently, the personal information of over 533 million Facebook users all over the world had been published in a low-level hacking forum. The data included phone numbers, Facebook IDs, full names, birthdates, addresses, and Facebook users’ email addresses.

A representative from Facebook said hackers scraped off these data from a vulnerability that the company fixed in 2019. Despite the relatively old data, security researchers claim that it is still valuable to criminals who want to perpetrate fraud or identity theft. They could use this data to impersonate people and scam them because most users use the same email addresses and passwords across many of their online accounts.

This data breach is a violation of Facebook’s terms and conditions. But, more importantly for Facebook, this breach may violate the data privacy laws in a growing number of states across the United States. What can a business learn from Facebook’s mistakes?

Notification Responsibility

When a business such as Facebook is unfortunate enough to suffer a large data security attack where personal information has been the subject of a breach, there are specific responsibilities under State law that it should comply with.

In a data breach, depending on the state law, Facebook should report the said breach to the appropriate supervisory authority within the statutory time frame from knowledge of said breach wherever feasible. Currently in Florida, that is 30 days. Also, bear in mind that the breach will have adverse effects upon the rights and freedom of the data owners. Consequently, Facebook should also notify them of the breach without undue delay. In Florida, the individuals impacted by the breach are to be notified “without undue delay” but no later than 30 days. Each State has varying timeline requirements.

Facebook and all businesses that hold personal information are required to  have a robust procedure in breach detection, investigation, and internal reporting. Also, they are required to keep a record of personal data breaches.

Fines and Penalties

In Florida, the penalty for a violation can be as high as $500,000. In other states the penalties vary. Currently, Florida does not have a “private right of action” meaning the personal victim of the data breach cannot sure the company for the breach occurring. For informational purposes, if Facebook has violated European data protection rules — the recently carried out General Data Protection Regulation (GDPR) — the organization can be fined up to four percent of its worldwide income.

In addition to the fines, Facebook has suffered great reputational harm as well.


While Facebook has worked to downplay this data breach because the actual data was stolen a couple of years ago, these massive breaches will continue to impact consumers and expose the companies to significant fines. Data privacy is not just the domain of the IT department. Considering the reputational and significant financial risks from compliance and fines, it is very much a critical business issue.

Timothy Shields is a Partner at Kelley Kronenberg focusing his practice on Technology, Data Privacy, and Social Media Representation. Tim serves technology companies as general counsel for a flat monthly rate based on the company’s needs starting at $1300/month.

Contact Timothy Shields at:
Phone: 833-830-HELP (4357)
Email: tshields@kklaw.com

DISCLAIMER: This article is provided as a courtesy and is intended for the general information of the matters discussed above and should not be relied upon as legal advice. Neither Kelley Kronenberg, nor its individual attorneys or staff, are responsible for errors, omissions and/or typographical errors – always seek competent legal counsel.