Irish Data Protection Commission’s Investigation of Meta

An Analysis Group team was retained on behalf of Meta, the subject of an investigation by Ireland’s Data Protection Commission (DPC). In September 2018, Meta notified the DPC of a personal data breach affecting a total of 29 million users globally. The DPC claimed that the cyberattack was foreseeable and therefore preventable, and that Meta’s security measures to prevent the attack, and its incident response measures to detect and mitigate its impact, were inadequate. Our team supported Michael Siegel, Director of Cybersecurity at MIT Sloan, to opine on the adequacy of Meta’s response to the cyberattack. The DPC fined Meta €17 million for this and 11 other (unrelated) attacks Meta suffered between June and December 2018.