Several state attorneys general are reviewing a decision by Alphabet Inc.'s Google not to disclose a security glitch that exposed the data of at least 500,000 Google+ users.
An official with the Massachusetts attorney general’s office said Oct. 9 it is monitoring the situation. California’s attorney general’s office is concerned about data breaches that impact Californians, a state official who asked not to be identified because the person wasn’t authorized to discuss the matter told Bloomberg Law. A spokesperson for the Connecticut attorney general said the office is trying to understand the scope of the security incident.
Google said it wasn’t required to notify regulators or users under state data breach notification laws because no data was compromised.
Even if the data wasn’t improperly accessed, attorneys general could still launch investigations under state consumer protection statutes that say companies must live up to promises they make about protecting data, Robert Braun, co-chair of Jeffer Mangels Butler & Mitchell’s cybersecurity and practice, told Bloomberg Law Oct. 9.
State regulators “have a variety of basis for which they can launch investigations, including state consumer protection laws,” Braun said. They could argue that Google “implicitly or explicitly made representations that information was protected when it wasn’t,” he said.
Under data breach laws in all 50 states and the District of Columbia, companies are generally required to alert state regulators and consumers when unencrypted sensitive personal data is, or is reasonably believed to be, accessed by an unauthorized third party.
Businesses are often left to decide for themselves if personal data was improperly accessed, Braun said. It is a “genuinely hard question on whether they should disclose and if they did what should they disclose,” he said.
Google’s privacy office reviewed the incident and found no evidence of data misuse, the company said in an Oct. 8 blog post. The software bug was “limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age,” and not data on other Google services, it said. Google didn’t immediately respond to Bloomberg Law’s email request for comment.
State attorneys general have been willing to probe Silicon Valley giants for privacy and cybersecurity shortcomings in the past. All 50 states and the District of Columbia settled with Uber Technologies Inc. for $148 million Sept. 26 over its failure to report a 2016 data breach which exposed the names, phone numbers and email addresses of more than 20 million people.
Google likely didn’t have any direct state data breach notification obligations because it determined third parties didn’t access the exposed data, Braun said.
Still, the “delay causes a degree of mistrust,” Scott Vernick, a partner at Fox Rothschild in Philadelphia specializing in data privacy, told Bloomberg Law, referring to the time between the discovery of the vulnerability and Google’s disclosure. “Even if in reality, or as a practical matter, there isn’t any there there, it is the delay that casts a pall of suspicion over the events,” he said.