Should Credit Unions Unfriend Facebook? The Data Threat Debate

Credit unions are asking whether and how they should move forward with Facebook.

Five things credit unions should consider if moving forward with Facebook.

Facebook’s recent data collection and privacy woes have far-reaching ramifications, and credit unions, like many other Facebook users, may find themselves wondering whether and how they should change the way they use the platform. Here’s what two industry pros said credit unions can do now.

1. Keep up with the news.

“A lot of people are calling this the Facebook data breach, but technically this is not a breach,” said Sean Darragh, who is the chief information security officer and vice president of data center operations for the Austin, Texas-based Malauzai Software, which provides mobile and internet solutions for financial institutions.

The problem, according to Facebook, is that a psychology professor violated the company’s policies by sharing data he collected from a Facebook personality-predictor app. In downloading the app, some 270,000 people gave consent for the professor to access their profile information, as well as data about the content they liked and certain information about friends who had their privacy settings set to allow the data collection.

Facebook said in a statement that although the professor gained access to the information in a legitimate way, passing that data on to third parties (in this case, Cambridge Analytica and a person at Eunoia Technologies) violated company policy. Facebook said it found out about the violation in 2015, kicked the app off of the platform, and received certifications from the third parties that they had destroyed the data they received. Last month, that last part turned out not to be true, which has led to questions about just how much data Facebook collects in the first place.

“I think it’s a reminder that any time you share data, there are consequences,” Darragh said.

2. Review the privacy settings on your credit union’s Facebook account.

“At the highest level, the biggest thing the credit union should be doing is ensuring that their settings are such that they’re not agreeing to share any information about their members that they might post to third parties outside of Facebook,” Darragh said. Mining that data could help criminals attempt account takeovers, he noted.

Facebook’s default privacy settings are fairly permissive, he added, and members might be sharing a lot about themselves or allowing a lot of information to be collected.

“Just because I like my credit union, does that mean there’s some issue there? Well, I wouldn’t say there’d be a direct risk, but there could be some inference risk, because if you’re overly permissive and you overly share, then from an attacker’s perspective what you’ve done is you’ve let me know what financial institution you use,” Darragh explained. Seeing that a member has made a big purchase, such as a car or a home, could make them a target, he added.

“It’s not just Facebook that has your data,” Darragh noted. “If you share something online through an agency such as Facebook, or Google, or whoever, there are tons of people out there who can receive that feed and then store that information themselves. While Facebook might delete your data, all the other people who have seen it or interacted with it can still have it.”

3. Don’t overreact.

“It’s going to be hard to make a judgment on what credit unions are doing or not doing because it’s so fresh,” Maryland and District of Columbia Credit Union Association President/CEO John Bratsakis said.

Bratsakis said he hasn’t seen a flood of credit unions unfriending Facebook and shunning the platform in order to distance themselves from the brand. After all, social media isn’t going anywhere, he said.

“One fear is that people become anesthetized to [privacy issues], similar to the way consumers have with data breaches,” Bratsakis added. “We went from everyone reissuing cards on almost a wholesale basis to now consumers saying, ‘Don’t do that. I may be affected, but if I’m not, I don’t want to have a new card issued.’ That’s the challenge and I think it’s here to stay; social media is here, it’s not going to change – but how we deal with it, I believe that will continue to evolve.”

“I think [abandoning Facebook is] a question that should be considered, but at the end of the day, I would say from a business perspective, there are some legitimate business use cases around letting people know that, hey, my credit union’s been really good to me, they’re a good partner, that type of thing,” Darragh added.

4. Scrutinize your other social media platforms.

The Facebook drama is also a reason for credit unions to audit all of their settings on their other social media accounts, the pros said.

“I think [credit unions] need to be careful [with] what they’re doing and use the same types of safeguards and cautions that they use in any of their data that they’re using and any way they’re communicating,” Bratsakis noted. “It’s unclear exactly how all that data that’s out there on these social media sites – what that actually can be used for.”

The good news, Darragh added, is that there are privacy settings.

“I would say, not that you have to do anything different, but yes, I would say this is an event that for any financial institution social media manager, this is a cause to audit all of my settings on any social media that I use,” he said.

Darragh said credit unions should also review the Federal Financial Institutions Examination Council’s social media guidelines. “There’s an excellent document that they put out that helps banks to derive their policies, and for their social media managers to understand what they need to do. Those should definitely be reviewed.”

5. Teach members about good data hygiene.

Facebook’s data issues have created another opportunity to speak with members on a regular basis, Darragh said.

“I think from a credit union’s perspective, their primary focus should be educating their end users or their members,” he explained. “Much like you take the time to regularly check your bank statements, and much like you take the time to regularly check your credit report, you should audit your privacy settings that you have on your social media, because you can have a greater degree of control over what you do and don’t share automatically.”

New regulations in the European Union may soon change how social media platforms store and delete information, but at least for now, data is forever, Darragh said. “While Facebook might delete your data, all the other people who have seen it or interacted with it can still have it,” he noted, adding, “There’s a saying on the internet: If it’s free, you’re the one for sale.”