On Monday, October 8, 2018, Google disclosed a security breach it had discovered months earlier that put at risk the personal data of hundreds of thousands of Google Plus users. In March, Google discovered, and fixed, the bug that allowed outside software developers to gain access to personal information on Google Plus users, including names, email addresses, ages, occupations and relationship status. The company’s decision to not immediately report the software bug has some concerned that Google cannot be relied on to protect privacy.
Google Plus, the company’s failing answer to Facebook, will be mostly discontinued, and will be available only to business and other enterprise customers. Google’s engineers concluded that the work required to maintain Google Plus was not worth the effort, considering the service’s low usage. The company also announced new restrictions on the data that outside developers can gather and share on Android, Google’s smartphone operating system, and Gmail, its popular email service.
The security breach occurred before Europe adopted new rules that require companies to notify regulators of a potential leak of personal information within 72 hours. In addition, Google reported that it did not appear, in March, that anyone had gained access to user information, and the company’s “Privacy and Data Protection Office” decided it was not legally required to report the security issue. However, Google’s decision to keep the breach secret for months is still under scrutiny. A memo to senior executives, reportedly prepared by Google’s policy and legal teams, warned of embarrassment for the company and scrutiny by regulators if it went public with the vulnerability, and warned that Sundar Pichai, Google’s chief executive, would most likely be called to testify in front of Congress.
John Reed Stark, who spent nearly 20 years in the Securities and Exchange Commission’s enforcement division, strongly believes “This is the kind of disclosure situation that the SEC will absolutely investigate.” The Federal Trade Commission may also investigate, as Google signed a consent decree with the FTC in 2011 agreeing to 20 years of privacy audits and to not misrepresent its privacy policies. The technology industry may also face increased pressure from Congress in the form of an “Internet Bill of Rights” introduced last week by Rep. Ro Khanna (D-Calif.).