I promised to discuss a different perspective on the damage caused by Facebook’s shadow profiles and data breach.  This is it.  I’ll keep it short because it’s Friday.

The good news about the Facebook data breach is the way it happened.  As you know, in most cases the subject of a data breach is a collection of data that becomes generally available or exposed.  In this case, it appears that limited personal information was exposed on a case by case basis to limited individuals.  That is, personal information was exposed to individuals that have a relationship to the subject of that personal information, but not exposed generally.

While that is a bright side to what happened, it doesn’t make the data governance issue go away.  Linking data in this way creates an obvious increase in the scale of a possible data breach.  That seems to be what happened in this case.  In future posts we’ll discuss related legal issues, but for now suffice it to say that privacy law is an obvious one.