Data Breach through Social Engineering

Harvard Law Review Blog, 2018

3 Pages. Posted: 14 Aug 2018

Ido Kilovaty

University of Arkansas - School of Law; Yale University - Law School

Date Written: March 21, 2018


The recent uproar involving Cambridge Analytica’s unauthorized access to, and dubious use of, personal data belonging to 50 million Facebook users in attempts to support the presidential candidacy of Donald Trump raised a series of important questions. The access to that personal information was enabled by an app developed by University of Cambridge neuroscience lecturer Aleksandr Kogan, which used Facebook Login. This granted access to personal information of its users and their Facebook friends, which was subsequently passed on to Cambridge Analytica. This post will focus on the data breach question – whether unauthorized access to personal information, in the absence of hacking, qualifies as a “data breach” for the purposes of state data breach notification laws, and potentially Federal Trade Commission (FTC) data security enforcement.

Keywords: data breach, cambridge analytica, social engineering, data breach notification law, cybersecurity law, cyber law, internet law, facebook, social media, manipulation

Suggested Citation

Kilovaty, Ido, Data Breach through Social Engineering (March 21, 2018). Harvard Law Review Blog, 2018, Available at SSRN:

Ido Kilovaty (Contact Author)

University of Arkansas - School of Law

260 Waterman Hall
Fayetteville, AR 72701
United States

Yale University - Law School

P.O. Box 208215
New Haven, CT 06520-8215
United States
