To Disclose or Not to Disclose: Google+ Breach Raises The Question
Google chose not to disclose the breach when it was discovered in March because it found no evidence of data misuse.
October 09, 2018 at 10:06 AM
3 minute read
The original version of this story was published on Corporate Counsel
Google has become the latest tech company under fire for exposing user data.
On Monday, the Wall Street Journal reported the Mountain View, California-based company exposed the data of thousands of users on it social network platform, Google+. Google chose not to disclose the breach when it was discovered in March because it found no evidence of data misuse.
The exposed data includes full names, photos, contact information and occupation, some of which fall under the definition of “personal data” under the European Union's General Data Protection Regulation. However, the breach occurred before the GDPR went into effect in May.
According to the WSJ, Google's in-house lawyers believed the company did not have a legal obligation to disclose the breach. Without the legal obligation to disclose, the decision whether to report takes in a number of factors.
“The lack of potential for harm certainly is a factor in a decision not to disclose,” said Albert Gidari, the consulting director of privacy at the Stanford Center for Internet and Society, in an email.
“In fact some state breach notice laws incorporate a materiality standard and don't require notice if there is little likelihood of harm. Profile data for the most part already is out there— things like email or gender and name are commonly obtainable so it is easy to see how a decision could be made not to give notice of such a breach.”
Dominique Shelton, a partner at Perkins Coie who co-chairs the firm's ad tech privacy and data management group said that if companies rush to disclose a breach without having a full picture of what data was taken and who was impacted, the disclosure could harm consumers.
If companies release inaccurate information in an effort to get a disclosure out as soon as possible, for instance, it can leave consumers confused about what data was taken and the next steps.
“The key here is to make sure you're taking steps [that are] as well meaning as possible, [and] that are also designed to be as helpful to the consumer as possible,” Shelton said.
Wiley Rein partner Kirk J. Nahra, who specializes in privacy and information security litigation, said notifying consumers of a breach that hasn't led to a misuse of personal information may create “anxiety where there is no need for anxiety.”
Consumers should be notified whenever there is a legal obligation, but outside of the law, Nahra said, the decision to disclose is “a factor of business consideration.”
“There are lots of times I've worked with companies who don't have a legal obligation to disclose and disclose anyways, and situations where they chose not to … they don't see any injury to individuals, [and there are] questions as to what the point of notice is,” he said.
Companies that chose to disclose sometimes do so as an example of customer service, or because misinformation about the breach has spread to the public. Those that chose not too sometimes think there is no point in alarming consumers over a breach with little long-term impact, or that consumers cannot change.
“It's usually do the right thing,” he said. “If you really don't think anything happened, a notice is probably just going to create unnecessary worries.”
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllInCloudCounsel Hires First GC to Continue Expansion in Asia
COVID-19, Remote Work and Cybersecurity Threats: 7 Pointers for In-House Counsel
Data Security Firm Druva Hires Former Apple, Broadcom Lawyer as Its First General Counsel
3 minute readTrending Stories
- 1Blake Lively's claims that movie co-star launched smear campaign gets support in publicist's suit
- 2Middle District of Pennsylvania's U.S. Attorney Announces Resignation
- 3Vinson & Elkins: Traditional Energy Practice Meets Energy Transition
- 4After 2024's Regulatory Tsunami, Financial Services Firms Hope Storm Clouds Break
- 5Trailblazing Pennsylvania Judge Sylvia Rambo Dies at 88
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250