Frustrated posts from Facebook users point to confusion over the company's Friday announcement that as many as 50 million accounts may have been compromised. Users of the social media platform want to know if their accounts were used and if so, how and by whom.
But cybersecurity investigations take time — they always have. They can be messy and inconclusive for months, or even years. But because of General Data Protection Regulation (GDPR) enacted this May in the European Union, fast but incomplete notifications are likely the new norm.
GDPR calls for a swift three-day notification period for companies to tell people who may have been affected by a breach. But companies often don't know who precisely got the brunt of the hack among their customers right away. So while notifications may go out, the process of uncovering details in the public eye will be much slower.
"The GDPR requires prompt notice — 72 hours from 'awareness' of the breach. But it doesn't require 'perfect' notice," explains Paul Ferrillo, head of the cybersecurity practice at law firm Greenberg Traurig. "The [regulation] allows an immediate notice within 72 hours, as well as updates to that notice in phases. It comports to the right of the individual to know if there is a breach to protect him or herself."
"It's very hard for even the most skilled practitioners to fully understand the contours of a sophisticated data breach in less than 72 hours," he said.
Compared with many other types of hacks, the attack against Facebook appears to have been genuinely "sophisticated," a term that is sometimes overused in relation to security breaches but applies here, which means the investigation could take a long time.
Facebook's attack was multi-pronged and used previously unknown security loopholes in multiple applications available on the platform. Only when used in concert did these loopholes allow attackers to compromise accounts, Zuckerberg said on Friday. This is more complex than other breaches that may be easier to investigate, like email spear-phishing attacks, Ferrillo said.
Other companies that have dealt with breaches like these, which involve several steps and activities by attackers, have also struggled with a changing narrative that plays out in the public eye. Corporations like Equifax and Sony had investigations that stretched for months and, for some details, more than a year. As with these events, details about what happened at Facebook will likely shift in the coming months.
Despite the complexity of the company's security investigation, Facebook has invested a great deal of time and resources into its security program. It has simultaneously faced privacy and security scandals throughout the past year. It's unlikely that consumers or regulators will be forgiving.
The GDPR's main governing body, which is based in Ireland, issued a statement this week indicating they may be tough on the social media giant: "[Facebook's] notification lacks detail and the [Data Protection Commission] is concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts, but Facebook is unable to clarify the nature of the breach and the risk for users at this point. The DPC continues to press Facebook to clarify these matters further as a matter of urgency."
This is key, as the stakes are high for Facebook. A maximum fine under GDPR amounts to 4 percent of a company's global annual turnover from the previous year. For Facebook, that could be well over $1 billion.
It gets more dire for Facebook, given GDPR was passed in part over concerns specifically about how companies handle the personal information of consumers.
Facebook's seemingly muddy messaging over the breach will be the new norm under GDPR.