Potential Facebook Breach Fine by State

◈ Last edit: April, 2021
◈ 50 State, 3 Territories
◈ Breach Laws Analyzed

Unique data. Hand-curated.

In early April of 2021, it was reported that Facebook had a major breach of the data belonging to 533 million users. Facebook argues that this wasn’t a breach but rather a scrape from a previously patched API in 2019. This dataset analyzes State Data Breach Laws and the fine components thereof, looking for potential fines. Based on the way States define PII and public data, it’s unlikely Facebook will even be fined for this breach.

But what if it did meet those criteria? What how big of a fine would current laws allow?

We calculated potential fines to Facebook IF their latest breach fit under current data state breach regulations. This is our analysis.

⚫ We found 35 states with specific fines specified in legislation.

⚫ If we add up the max fines of those states, Facebook might be fined as much as $24B.

California alone might fine FB $20B based on fines listed in AB-375. It specifies $750 in fines per resident. We estimate 27.5M California FB users implicated in the breach.

Other states have the ability to fine FB based on AG action. If we add in specified fines from AG action, that number rises to $89.7B. This number still omits 18 states that would be fining FB zero (and 20 States fining under $1M) who could still bring AG action, we simply don’t have a way to quantify it.

⚫ Note: There is always a lot of nuance in law and I’m not a lawyer. I am however a certified privacy expert. I’ve been studying data breach statutes with Thomas Besore for another project. We are speculating that States might apply max fines to Facebook. Obviously, this isn’t going to happen. While we believe FB is in the wrong for not reporting the breach, that the incident is certainly a breach in any real-world sense of the word, and that the data breached is personal, it does not actually meet the letter of the law requirements under the information we reviewed without some imagination. As well, this particular set of information is much less damaging to consumers than say the Equifax breach, which coalesced State AGs to action.

State Data Breach Fine Info and Potential Facebook Liability

StateEst FB UsersFB Statutory FineFinePerCapState Law CitationPerkinsCSRPSDWTLewis BrisboisNote