Viewed from a certain perspective, the 50 million accounts breached at Facebook in late September seem insignificant: They represent only a fraction of the platform's 1.47 billion daily users.
But that 3 percent figure fails to account for the potential fallout from lawmakers, regulators and Facebook account-holders themselves in the aftermath. The breach, while already patched, occurred amid growing scrutiny of the kinds of information that American businesses — particularly those in the multi-billion-dollar technology industry — gather, how they use it and how well they protect it.
Not only is Congress grappling with pressure to establish federal privacy regulations after sweeping new rules in the European Union and California, U.S. Attorney General Jeff Sessions has met with his state-level counterparts to assess how to leverage existing laws governing the companies to press for improvements in their privacy practices.
"Every one of these breaches, especially ones where they affect 50 million people and have follow-on effects to other platforms, raises the chance that you’re going to get a more uniform national set of legislation," Justin Antonipellai, the founder of data-protection firm WireWheel and an acting undersecretary for economic affairs in former President Barack Obama's Commerce Department, told the Washington Examiner.
Just one year ago, credit bureau Equifax disclosed that hackers had gained access to personal identification information for nearly half the country, about 145 million people.
The Atlanta-based company, which had known about the breach for months before disclosing it, failed to adequately protect what amounted to a "digital Fort Knox," one lawmaker complained afterward.
In the 12 months since, Facebook also reported that one of President Trump's 2016 campaign consultants improperly gained access to data on 87 million users, and Google conceded that third-party developers are sometimes given access to Gmail accounts, as long as account-holders consent.
"There are growing concerns that the sector is moving in spaces that most people couldn’t have thought of or imagined and trying to understand what that means," California Attorney General Xavier Becerra said after Sessions' meeting, held in Washington, D.C., in September. "No one has wrapped their arms around this because it has moved faster than any of us."
Given the size of some of the companies, critics have argued that they have amassed monopolistic market power and should be broken up, much as John D. Rockefeller's Standard Oil was in the early 1900s. Existing laws including the Sherman Antitrust Act give the government the power to do so in certain cases, which might lend weight to any requests for reforms from policymakers.
John Thune, a South Dakota Republican who chairs the Senate Commerce Committee, believes there's bipartisan support for a federal law governing consumer data privacy, an issue addressed on a piecemeal basis by past measures including the Children's Online Privacy Protection Act, and the Health Insurance Portability and Accountability Act.
"A decade from now, we may look back and view this past year as a watershed with respect to the issue of consumer data privacy," he said at a Sept. 26 hearing on the matter. "The question is no longer whether we need a federal law to protect consumers’ privacy. The question is what shape that law should take."
That assessment marks a sharp turnaround from even a few years ago, when large social media platforms were viewed mostly with admiration, as engines of technological progress with the potential to remake society in interesting and promising ways.
"While all of those things may still be true, they're also facing much, much tougher scrutiny now that people understand just how these platforms can be misused by people who want to spread misinformation, and people who want to carry out mischief," said April Doss, an attorney with the law firm Saul Ewing who previously served as lead Democratic counsel for the bipartisan Senate investigation into Republican interference in the 2016 presidential election.
"We're going to continue to see increased governmental attention," she told the Washington Examiner, from Congress as well as from agencies like the Federal Trade Commission and overseas regulators.
The issues examined are unlikely to be limited simply to protecting user data from outside intrusion.
"One of the highest priorities should be looking at how users can be helped with their awareness" of exactly what kinds of data they're sharing, Doss said. In the most recent Facebook breach, for instance, attackers were able to retrieve access tokens that let them get not only into Facebook accounts but also into outside accounts that users had logged into with Facebook credentials.
"That’s the kind of thing that could be a big surprise to some of those users," she said.
While the uses of data and the interconnectedness of accounts are often explained in agreements that platform users must accept before creating and using accounts, many people don't read or understand them because of their length and legalistic jargon.
That's an issue addressed in Europe's General Data Protection Regulation, which was passed in 2016 and took effect in May of this year. It requires companies to use "clear and plain language" in requesting agreement from users for the processing of their data, along with an explanation of what the business plans to do with the information.
The regulation, which carries a maximum penalty of 4 percent of annual revenue or €20 million, whichever is greater, also requires businesses to notify users of a breach within three days and to erase a user's information entirely upon that user's request.
Facebook, Doss said, demonstrated a "good faith intent" to comply with the law by reporting its most recent data breach so quickly. But company founder Mark Zuckerberg readily conceded that the incident shows how much work on data protection the Menlo Park, Calif.-based company still needs to do.
"The reality here is we face constant attacks from people who want to take over accounts or steal information," he told reporters afterward. "I’m glad we identified this one, fixed the vulnerability and secured the accounts that may be at risk. But we need to do more to prevent this from happening in the first place."
Zuckerberg is committed to being proactive about the safety of what he considers a community, he said. "We're going to keep investing very heavily in security going forward."
Industrywide, there's a chance that companies having to comply with Europe's rule may institute some of the changes they make across the board, for the sake of simplicity and uniformity. If that happens with the "clear and plain language" requirement, Doss said, it's the "kind of thing that could benefit consumers. Some companies are better than others at making that kind of information very digestible."
While U.S. companies are unlikely to support regulations that are as far-reaching as Europe's, many want a federal privacy structure in order to prevent a patchwork of state regulations. In that case, the companies would likely find themselves forced to comply with the most severe of them, since adapting policies to users on a state-by-state basis wouldn't be cost-effective.
California's law is an example. The measure, which was passed in June and takes effect at the start of 2020, has much in common with Europe's regulation. The bill would require businesses to tell consumers which pieces of their data are collected and how they're used, upon request.
It's "hard to think of a company that's not affected by the California statute," noted Antonipellai.
While each of the data breaches is significant on its own, their collective impact is even greater, he noted. And as users see how interconnected the companies are, they grow more worried.
For consumers to protect themselves, he said, it's important to consider not only the data they supply to companies but the behavior that a search engine or social media platform can record.
"It's the data that's being observed about you that you have to think about — and understand that almost every click is being logged or observed, no matter how it's being used," he said. "If you think about it that way, there's a much higher likelihood that you’re making a smart choice."