Earlier this month, the company behind Timehop, a social media ‘time capsule’ app that shows users their older posts, revealed that it had suffered a data breach affecting 21 million users. And while the attack was not particularly exceptional as far as data breaches go, it nevertheless offers some food for thought, as FIDO Alliance Executive Director Brett McDowell points out in a new post on FIDO’s website.
McDowell begins his analysis by emphasizing the preventive benefits of multi-factor authentication. Like so many other organizations, Timehop announced that it had implemented such security after the hack attack – a prudent move with respect to future security risks, but one that was obviously taken a little too late.
But it’s the attack’s position within a larger regulatory framework that prompts a more incisive insight from McDowell. As he points out, the July 4th attack occurred after the full implementation of the European Union’s General Data Protection Regulation. Under the GDPR rules, organizations are compelled to “demonstrate to regulators you had taken risk-appropriate measures ahead of any data breach incident,” McDowell notes. What’s more, any organization that processes payments for customers in the EU is required by PSD2 – another EU regulation – “to provide Secure Customer Authentication for those transactions, which explicitly requires at least two of the three factors of authentication: something you know (like a password), something you are (like a biometric), and/or something you have (like a cryptographic signature from a trusted device).”
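The “two of three factors” rule quoted above is easy to get wrong in practice: two credentials from the same category (a password plus a security question, say) are still single-factor. The following is an added illustration, not code from the article, from Timehop, or from the FIDO Alliance. It models a policy check that classifies each verified credential into one of the three categories and only passes when at least two distinct categories are present. The credential names and their category mapping are assumptions chosen for the example.

```python
"""Added example (not from the article or any vendor): a policy check
modelling the 'at least two of three factor categories' rule.
Credential names and their category mapping below are assumptions."""

from enum import Enum


class Category(Enum):
    KNOWLEDGE = "something you know"
    INHERENCE = "something you are"
    POSSESSION = "something you have"


# Assumed mapping of credential types to factor categories.
# A real deployment would derive this from its own authenticator registry.
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "security_question": Category.KNOWLEDGE,
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
    "fido_authenticator": Category.POSSESSION,   # signature from a trusted device
    "hardware_otp": Category.POSSESSION,
}


def categories_present(verified_factors):
    """Return the set of distinct categories covered by the verified credentials.

    Only credentials that have already been successfully verified should be
    passed in. An unknown credential type is an error rather than a silent
    skip, so a misconfigured mapping cannot accidentally weaken the policy.
    """
    categories = set()
    for factor in verified_factors:
        if factor not in FACTOR_CATEGORY:
            raise ValueError(f"unknown credential type: {factor!r}")
        categories.add(FACTOR_CATEGORY[factor])
    return categories


def meets_two_factor_rule(verified_factors):
    """True only if at least two distinct factor categories were verified."""
    return len(categories_present(verified_factors)) >= 2


def explain(verified_factors):
    """Human-readable policy decision, useful for audit logging."""
    present = categories_present(verified_factors)
    missing = [c.value for c in Category if c not in present]
    if len(present) >= 2:
        return "PASS: categories verified = " + ", ".join(sorted(c.value for c in present))
    return ("FAIL: only " + str(len(present)) + " category verified; "
            "add a credential from: " + ", ".join(missing))


if __name__ == "__main__":
    # Constructed sample authentication attempts.
    attempts = [
        ["password", "fingerprint"],           # knowledge + inherence: passes
        ["password", "security_question"],     # two knowledge factors: fails
        ["fido_authenticator", "pin"],         # possession + knowledge: passes
        ["hardware_otp"],                      # single factor: fails
    ]
    for factors in attempts:
        print(factors, "->", explain(factors))
```

The point the check makes explicit is that “multi-factor” means multiple categories, not multiple prompts; logging the decision via `explain` also gives an organization the kind of record of “risk-appropriate measures” that the quoted GDPR obligation asks it to demonstrate.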
In other words, it seems likely that Timehop should have implemented stronger security in the first place, security that might have prevented the July 4th hack attack. But with over half of businesses admitting that they don’t fully comply with EU regulations, according to a recent Gemalto study, this is a message that should be heeded by many more organizations beyond Timehop.