On Monday, 8 October 2018, the Wall Street Journal broke the news that Google had known for months that it had a data breach (due to a bug in the Google+ system) but did not notify users of the breach because it feared the regulatory scrutiny and reputational damage it would face.
Given that during the last few months Facebook’s Cambridge Analytica data scandal has been in the headlines on a weekly basis, it may be that this was an irrational fear for Google executives. However, the fact that they failed to consider acting in the best interests of users is a clear and arrogant breach of trust. Under US federal law there is no obligation to notify of a breach, but under many US state laws, and in relation to any Google+ users in Europe and Australia, mandatory data breach notifications would apply. The breach reportedly affected up to 500,000 Google+ accounts and allowed other apps access to account holder details including names, emails, addresses, gender, birth dates and profile photos.
How was the breach reported here in Australia?
Immediately following the Wall Street Journal report on 8 October 2018, it was also reported in The Guardian. However, it was not reported in Australian national newspapers until later in the week, and even then it did not make front page news. Why not?
Data Breach Notification fatigue?
At the outset of the introduction of the Australian mandatory notification regime in February this year, a number of commentators argued that the sheer volume of data breach notifications would create fatigue and that people would cease to be concerned about breaches of which they were notified (breach fatigue).
Since February the Office of the Australian Information Commissioner (OAIC) has released two quarterly reports on breaches notified under the scheme, and it is clear that the number of notified breaches is increasing. It is also clear from the limited press coverage of the Google+ breach that notifications are perhaps becoming less newsworthy, but does that mean that regulatory sanctions or loss of reputation are having a reduced impact on breached organisations?
Possible regulatory responses
Since the General Data Protection Regulation (GDPR) was introduced in Europe in May, European regulators have been pursuing large organisations (such as the Googles of the world) in relation to their data practices. This breach, and the clear disregard Google has shown for the regulators, will not be viewed kindly by European data protection agencies. Public statements made by those data protection agencies have consistently said that they will use their powers to the full extent.
Similarly, consumers in both the US and the UK who have suffered loss as a result of a data breach, be that economic or otherwise, have pursued class actions against offending organisations. The reputational damage and the cost of a breach are both likely to increase. In the first quarter that it reported to the Securities and Exchange Commission after its 2017 data breach, Equifax disclosed in its financial statements direct costs (not including the indirect costs) in excess of US$89 million in dealing with the breach. Accordingly, a breach such as that of Google+ is one that can only be expected to hit Google’s bottom line.
What does it mean for other businesses?
Much of the reporting has focused on the fact that Google chose not to act in the best interests of users for its own purposes and, in doing so, disregarded best practice and general regulatory regimes. We can only speculate that when various regulators undertake investigations into the breach they will not be offering Google any concessions, as they will be seeking to make an example of it.
If you are regulated by the Australian Privacy Act and suspect you have a notifiable data breach, then you are obliged to assess that breach and, if you determine it is one that could give rise to a risk of serious harm, there are steps that must be taken to notify both regulators and affected individuals.
Given the potential penalties in terms of fines, enforceable undertakings and reputational risk, these are not obligations to be treated lightly, or with the disregard that it appears Google has displayed in this instance.