The initial reporting around the data breach that led to the shutdown of the drastically under-used social network Google+ also led to many comparisons to the many security issues Facebook has been dealing with. However, the narrative changed over the next few news cycles, leaving many to question what really happened, and what (if any) effects the public disclosure of the vulnerability would have on Google. To get some clarity, we reached out to Matt Dumiak, the Director of Privacy Services at CompliancePoint for some nuanced insights on the breach, what other businesses can expect, and how to protect themselves from similar liabilities.
Q: The Google+ application programming interface (API) vulnerability appears to have been addressed back in March 2018, before the implementation of both the European Union’s (EU) General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), and at least two state data protection laws. Given that they seem to have dodged the two major bullets, what kind of regulatory fallout do you think Google will have to face from this particular incident?
A: While the GDPR and the CCPA were not effective at that time, the Data Protection Act and a variety of member state laws were in effect in the EU, and all U.S. states now have data breach laws, so it’s possible Google could be penalized under those. However, since it doesn’t appear that anyone accessed the data while it was exposed, it is unlikely Google faces much fallout as a direct result of this issue. The culmination of high-profile data breaches and an increased sensitivity to data privacy will likely result in additional conversations at the federal level and Google could face an inquiry from the Federal Trade Commission (FTC).
Q: Reporting shows that Google executives—up to and including CEO Sundar Pichai—knew about the vulnerability and the decision not to publicly disclose. Does this undercut Google’s statements/stance on privacy and data protection when compared to Facebook?
A: Not necessarily; it’s important to remember that the awareness was surrounding the vulnerability and not the breach. While the data was exposed, it doesn’t appear that anyone accessed the data. It’s also important to note that Google discovered the vulnerability during a self-initiated security audit and took steps to address the vulnerability immediately.
Should Google have notified the public once the vulnerability was patched? Probably, but it’s unrealistic to think companies would proactively share that information until they can remediate the issue unless compelled by law to do so. If anything, this is another argument in favor of the federal government implementing federal rules regarding data privacy and data breach. Facebook’s issues are more public, and people interact more directly with Facebook as a social media platform. Any security issue will make the public think twice about using a service. However, I do not think this will have a huge impact on Google’s public image.
Q: Facebook and Google are massive companies with incredibly visible public profiles. While the backlash against Facebook in particular has been severe, it seems to be weathering the storm (for now). What kind of reputational damage/overall impact do you think small-to-medium sized businesses would face in a similar incident?
A: The extent of the damage would depend on the nature of the business and the data breach. But there are several examples of businesses that have been severely damaged, if not destroyed, as the result of a data breach. The cost to respond to a breach for a small-to-medium sized business can be tens to hundreds of thousands of dollars. The reputational impact can be even more significant.
Q: Do you think this incident will have any effect on the way regulations like the GDPR or CCPA get enforced? What do you think we can expect in the future?
A: It’s unlikely this particular incident will have much impact on enforcement, but we expect that companies attempting to cover up or failing to disclose a data breach (especially if there’s harm to the consumer) will be punished more severely than those companies that proactively notify consumers and authorities after a breach.
One of the key components of the GDPR is the requirement to notify the supervisory authority within 72 hours of a data breach. Similar laws do not yet exist in the U.S. at the federal level, but we expect to see it in the future, and this could help expedite the process.
Q: What can businesses do to protect themselves from similar incidents?
A: There are several things companies can do to protect their business and their data. Some of the basics include things individuals should do such as using antivirus software, implementing strong password policies, and keeping all software up to date. Companies should also ensure employees receive security awareness training.
We also recommend that businesses follow Google’s lead in the situation with regard to self-initiated audits. Because of the audit, Google was able to identify and address the vulnerability before the data was accessed by a third party. Businesses that process or store personally identifiable information (PII) should regularly monitor their environment for vulnerabilities through vulnerability scans and penetration tests.
They should also engage an outside expert to conduct an audit on a regular (typically annual) basis to ensure the necessary processes and controls are in place to protect the data.
Companies should also consider obtaining cyberliability insurance.
Matt Dumiak is Director of Privacy Services, Customer Engagement Compliance at CompliancePoint focused on U.S. and international direct marketing compliance regulations. He works with clients in a variety of industries and is dedicated to providing reliable and practical consulting services. Matt has earned a Certified Information Privacy Professional (CIPP/US) certification from the International Association of Privacy Professionals (IAPP), a Customer Engagement Compliance Professional (CECP) certification from the Professional Association for Customer Engagement (PACE), and has a B.S. in Economics from Georgia College.