Late on Friday night, Facebook made a surprising announcement. The company said it was suspending the British firm Strategic Communication Laboratories (SCL), and its political data analytics firm, Cambridge Analytica. In 2016, Cambridge Analytica famously played a role in microtargeting messages for Donald Trump’s presidential election, using Facebook data in its models. According to bombshell reports in the New York Times and the Observer this morning, it appears that the firm stole the user information it acquired from Facebook.

A whistleblower, a former Cambridge Analytica employee, presented a dossier of evidence to reporters that, according to the Observer, “includes emails, invoices, contracts and bank transfers that reveal more than 50 million profiles – mostly belonging to registered US voters – were harvested from the site in the largest ever breach of Facebook data.” The story is surprising on a number of levels. It suggests that Alexander Nix, the CEO of Cambridge Analytica, intentionally made misrepresentations in recent testimony to the British Parliament. It implicates the hedge fund billionaire Robert Mercer and his daughter, Rebekah, who together played a major role in the Trump campaign. But more than anything, it calls into question Facebook’s handling of what is clearly a massive breach of user privacy.

Journalists, regulatory bodies and Congress should be ready to ask a number of pressing questions to get to the bottom of exactly what happened. The answers are important: governments around the world are considering how best to regulate technology companies, and this extraordinary incident gets to the heart of the relationship between personal data, microtargeting, dark money and the impact of their combination with unaccountable platforms on the health of democracies.

Here are seven key questions:

1. Why did Facebook take more than two years to inform the public of this massive breach?

News reports suggest the company knew of the breach in 2015. The Intercept published allegations that more than 30 million users were affected in March 2017. Further, as Daily Beast reporter Spencer Ackerman put it on Twitter, “Zero acknowledgement from Facebook throughout 2016 & 2017 that anything was untoward about its relationship with the Trump campaign, despite reportedly knowing in August 2016 that Trump-camp partner Cambridge Analytica possessed tens of millions of illicitly acquired profiles.” When confronted with proof of the breach, the New York Times says “Facebook downplayed the scope of the leak and questioned whether any of the data still remained out of its control.” Why did the company behave this way?

2. Did the Trump campaign or Cambridge Analytica violate campaign finance laws?

The New York Times report states that “whether the [SCL’s] American ventures violated election laws would depend on foreign employees’ roles in each campaign, and on whether their work counted as strategic advice under Federal Election Commission rules.” Bizarrely, Cambridge Analytica told the Times that Nix never had any strategic role in the Trump campaign, despite mountains of evidence he led the company’s efforts. There is plenty of video of him discussing what Cambridge Analytica did for Donald Trump. It beggars belief that he would claim otherwise. Did Cambridge Analytica sell its services to the Trump campaign for fair market value or, by contrast, was it employing its data in its own direct-voter-contact advertising, for example, on behalf of the Mercers? The latter would trigger federal election laws that restrict the participation of foreign nationals in certain kinds of decision-making.

3. Did Trump campaign or Cambridge Analytica employees lie to Congress, or to the British Parliament?

Steve Bannon served on the board of Cambridge Analytica. Jared Kushner and Brad Parscale have each been credited with playing a role in the campaign’s data strategy, and Kushner boasted of his direct involvement and work with Cambridge Analytica. What did they know about Cambridge Analytica’s methodology, and were they at any point aware that the firm was trading on stolen data? Was the testimony that Bannon, Kushner, and Parscale gave to Congress accurate?

Further, did Alexander Nix lie to Congress or the British Parliament? The New York Times reports, as one example, that “while Mr. Nix has told lawmakers that the company does not have Facebook data, a former employee said that he had recently seen hundreds of gigabytes on Cambridge servers, and that the files were not encrypted.” Will members of Congress raise concerns if they were misled? Will British political representatives be willing to consider whether Nix’s testimony constituted contempt of Parliament?

4. Did Facebook’s failure to disclose this breach to the public and notify its directly affected consumers break any laws?

According to the National Conference of State Legislatures, 48 states have laws regarding notification in the event of breaches. Did Facebook fail to satisfy any of these laws, or any federal statute? The company has had the opportunity to disclose the breach several times, including ahead of and during testimony to lawmakers last year. Facebook says that it is “completely false” to say this involved a “data breach,” but is the company so certain that personal information was not part of the breach? Importantly, did the breach involve personal information of third parties (such as friends of the users who directly interacted with the app)? And is the company claiming the breach does not involve stolen sensitive information using some unusual definition of the word “stolen”? The Attorney General of Massachusetts has already announced that she will launch an investigation.

5. Did any of the Facebook embeds in the Trump campaign know that stolen data was being used for targeting?

A study last year in the journal Political Communication detailed the extent to which Facebook, like other technology companies, went well beyond “promoting their services and facilitating digital advertising buys” to “actively shaping campaign communication through their close collaboration with political staffers.” A 60 Minutes profile of Trump campaign digital director Brad Parscale focused on how Facebook embedded employees to help the campaign use its platform. Did any of these embedded Facebook employees know that the campaign was using stolen Facebook data in its models?

6. Did Facebook have evidence its own employees mishandled this situation? Was any disciplinary action taken?

These events unfolded over the course of years, and while the company is adamant that it has taken steps to ensure its policies are enforced, it raises the question: was anyone at any level of the company disciplined over a breach that saw information about 50 million Americans used for political purposes without their permission? What specifically has the company done to change its policies, access to its data and internal security training to ensure nothing like this can happen again?

7. Did other organizations or individuals exploit these apparent weaknesses, and are there other breaches we do not know about?

Given the number of times that Facebook has said things that turned out to be incomplete or false–such as the ever-expanding disclosure of the number of Americans affected by the Russian disinformation campaign in the 2016 election–why should we believe that this is the only breach of this kind that occurred? It is impossible to know how much Facebook user data has been sold, traded or is just sitting on various third party servers. Think of all the old Facebook games and apps, or any other third party use of Facebook user authentication. It is hard to imagine this is the only incident. How can the company and its senior leadership maintain public trust, and why do they deserve it?

***

News of the Facebook data breach broke just hours after Cambridge Analytica was served with papers in a lawsuit by an American professor, David Carroll, who is seeking more information about how his data was handled via mechanisms available to users to ask such questions under British law. In the United States, there are no similar rules. It is time to seriously question how best to regulate technology companies to give citizens and governments the means to defend themselves from such breaches, and to better understand how data, dark money and politics combine to influence citizens and undermine democracy.

Journalists, regulators, and lawmakers should start asking tough questions. Senator Mark Warner of Virginia, the ranking member of the Senate Intelligence Committee, has asked the CEOs of the technology companies to testify before the 2018 midterm elections. Will it be too late?