时间:2024-09-23 05:36:28 来源:网络整理 编辑:关于我们
Twitter has been issued a big fine for late reporting of a data breach under GDPR rules.Ireland&rsqu
Twitter has been issued a big fine for late reporting of a data breach under GDPR rules.
Ireland’s Data Protection Commission slapped a fine of €450,000 ($547,000) on the social media company for failing to report an issue — which saw protected tweets become unprotected for some Android users — within the legally required timeframe per Europe's General Data Protection Regulation.
The DPC made its final decision on Tuesday after an investigation that commenced in Jan. 2019. Following a data breach in the 2018 holiday period, Twitter did notify the DPC, but the commission found that the company had reported it outside the 72-hour statutory notice period required under GDPR, and in doing so, "infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach."
The DPC described its €450,000 fine as "an effective, proportionate, and dissuasive measure."
It's not as hefty a fine as those Google's been slapped with in the EU, but it's significant one. The DPC's decision is one of the first to go through the "dispute resolution" process since the introduction of the GDPR.
SEE ALSO:Thanks to Brexit, British Google user data will be moved to U.S.The data breach itself was connected to a much older bug in Twitter's code, according to the investigation, and was affecting protected tweets on Android devices.
"The data breach arose from a bug in Twitter's design, due to which, if a user on an Android device changed the email address associated with their Twitter account, the protected tweets became unprotected and therefore accessible to a wider public (and not just the user's followers), without the user's knowledge," reads the report. "During its investigation, Twitter discovered additional user actions that would also lead to the same unintentional result."
A bug was discovered on Dec. 26, 2018, according to the DPC's report, by an external contractor managing Twitter's bug bounty program, which allows anyone to report bugs. Twitter confirmed in the report that the bug was traced back to a code change made on Nov. 4, 2014 — and that between Sept. 5, 2017 and Jan. 11, 2019, 88,726 EU and EEA users were affected. This contractor shared the result with Twitter in the U.S. on Dec. 29, then on Jan. 2, Twitter's Information Security Team reviewed it, and decided "it was not a security issue but that it might be a data protection issue." Then, Twitter's legal team was notified, who decided the issue should be treated as an incident. On Jan. 4, Twitter triggered the incident response process "but due to a mistake in applying the internal procedure," the Global Data Protection Officer was not added to the incident ticket and wasn't notified until Dec. 7. Then, on Jan. 8, Twitter notified Ireland's DPC through its cross-border breach notification form, and the investigation commenced.
According to Twitter, the statutory reporting process to the DPC worked properly between May 25, 2018 and Dec. 2018, but due to lessened staffing over the 2018 holiday period between Christmas Day and New Years Day, there was a delay in the incident response process.
In a statement attributable to Damien Kieran, Twitter’s chief privacy officer and global data protection officer, the company said it had fully cooperated with the DPC on its investigation.
“Twitter worked closely with the Irish Data Protection Commission (IDPC) to support their investigation. We have a shared commitment to online security and privacy, and we respect the IDPC’s decision, which relates to a failure in our incident response process," he said.
Twitter said the reporting delay was an operational error due to reduced staffing over the holidays.
"An unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day resulted in Twitter notifying the IDPC outside of the 72 hour statutory notice period. We have made changes so that all incidents following this have been reported to the DPC in a timely fashion," said Kieran.
“We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur. We appreciate the clarity this decision brings for companies and consumers around the GDPR’s breach notification requirements. Our approach to these incidents will remain one of transparency and openness.”
Tweet may have been deleted
According to Twitter, since this incident, all reports to the DPC have happened within the 72 hour statutory period. However, the holiday period for 2020 is just around the corner...
Understanding Relational vs. Non2024-09-23 05:22
How to make your iPhone's light flash when you can't find it2024-09-23 05:06
来湛江,到和美乡村过大年2024-09-23 04:58
S. Korea, Britain hold joint high2024-09-23 04:42
Amazon Android Days sale 2024: Save on unlocked phones, tablets, and more2024-09-23 04:30
除夕“守夜人”: 坚守岗位保群众平安2024-09-23 04:28
Pressure mounts on Ten Hag as Bayern loom2024-09-23 04:24
TikTok launches text posts amidst Twitter 'X' rebrand2024-09-23 04:23
采购商+48,英德红茶在泉城济南蹭蹭涨粉2024-09-23 03:57
Operation Cue, A.K.A. Nuking Houses for Emergency Preparedness2024-09-23 03:27
iPhone 16 Pro new color will reportedly be Desert Titanium2024-09-23 05:34
S. Korea mulls tightening sanctions against N. Korea over missile launches2024-09-23 05:27
人勤春来早 实干正当时2024-09-23 05:21
10 Games to Work Out Your GPU to the Max2024-09-23 05:07
Swifties for Kamala raises over $100,000 in donations for Harris campaign2024-09-23 04:12
春节登高 古路村迎大批游客2024-09-23 03:48
Operation Cue, A.K.A. Nuking Houses for Emergency Preparedness2024-09-23 03:22
How to watch 'A Haunting in Venice' on Hulu2024-09-23 03:07
21 Lost and Lonely Cemeteries2024-09-23 03:03
'Grand Theft Auto 6' trailer reveal set for December2024-09-23 02:52