
Meta's $1.3B Fine: What Can Happen If You Don’t Monitor Your PII

Continuous discovery and data monitoring critical to identify misplaced PII.
Brian Vecci
Last updated July 7, 2023

Sometimes when I speak with organizations about sensitive data risk, I hear things like, “All of our data is sensitive,” or “We’re sure PII is only in X system.” But it’s not what you know that might be your biggest problem — it’s always what you don’t know.


Meta, the parent company of Facebook, was recently fined €1.2 billion by the Irish Data Protection Commission (DPC) for transferring European PII to the United States, violating the General Data Protection Regulation (GDPR). Totaling about $1.3 billion, this marks the largest-ever fine under GDPR.

Read on to find out who falls under this EU regulation, why it’s so important to track PII, and how continuous discovery and data monitoring can protect your organization against fines and risk.

Why is tracking PII important?

The General Data Protection Regulation (GDPR) is a European Union law that applies to any organization that processes the personal data of individuals located in the EU, regardless of where the organization is located.

One of the key provisions of the GDPR is that organizations must take appropriate measures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction. The GDPR also sets forth strict requirements for transferring personal data outside of the EU, and it’s because of the GDPR that Meta found itself in hot water.

The DPC found that Meta had failed to implement adequate safeguards to protect European user data from being accessed by U.S. law enforcement agencies. The DPC also found that Meta had not obtained the necessary consent from European users for the transfer of their data to the United States.

This fine, which Meta has said that it will appeal, is a significant development in the ongoing debate over the transfer of personal data between the European Union and the United States. The GDPR has been criticized by some for making it too difficult for businesses to transfer data between the two regions. Now, the fine could lead to more businesses taking steps to comply with the GDPR, or it could lead to changes to the GDPR itself.

Organizations that store personal data on U.S. servers should be aware of the risks involved. The GDPR allows for fines of up to €20 million or four percent of global annual turnover, whichever is greater, for organizations that violate it.

A sample of Varonis' built-in policies to accurately identify EU citizen PII.

How can you protect yourself?

To reduce the risks of storing personal data on U.S. servers, organizations should continuously monitor their data to identify where all of their PII is — once you start looking, you’ll find PII and other sensitive data in places you don’t expect, accessible by people you don’t expect, and often being used in ways you don’t expect. Continuous monitoring also helps you quickly detect and respond to security incidents and identify and address risks before they lead to a data breach.

It's important to have a centralized inventory of PII across cloud apps, cloud infrastructure, and on-prem data stores to quickly identify misplaced or exposed data.

By taking these steps, organizations can help to protect personal data, while reducing the risk of fines under the GDPR.

Continuous discovery and data monitoring can also help you:

  • Identify and eliminate security vulnerabilities in your systems and applications. Once a vulnerability is identified, it can be remediated to prevent unauthorized access to data.
  • Detect and respond to data breaches. If a data breach does occur, continuous discovery and data activity auditing can help organizations detect the breach quickly and respond effectively, minimizing the damage caused by the breach.
  • Comply with regulations. Many regulations, such as the GDPR, require organizations to have processes in place to discover and monitor data. By complying with these regulations, organizations can help to protect themselves from fines and other penalties.

You can’t properly protect data if you can’t find it, and you can’t fix risks you don’t know about. Continuous discovery and data monitoring is a critical part of any organization's data security program. By implementing these processes, organizations can help to protect their data, comply with regulations, and reduce the risk of fines.
