+1 More Reason to Enhance Your Organization’s Privacy and Security Practices

Published On October 18, 2018 | By Marci Rozen and Michelle Anderson | Data Security, FTC & State AG, Privacy

The North Carolina Attorney General’s Office issued a letter to Google on October 11th demanding that the company answer questions about the recent breach affecting its Google+ network. The NC AG’s inquiry signals that companies may now face scrutiny from state regulators after a data breach regardless of whether the incident triggers state breach notification laws. It also underscores that, in the aftermath of any breach, regulators are interested not only in what happened during the breach but also in a company’s privacy and security practices overall, including the means by which the company obtains personal data.

According to a Wall Street Journal report, in March 2018, Google discovered a software glitch that potentially exposed users’ Google+ profile data, including name, email address, occupation, gender, and age. The NC AG’s inquiry is notable, and unusual, because none of the potentially compromised information is subject to North Carolina’s breach notification statute, and there is no evidence that the glitch was exploited.

Indeed, the range of questions posed in the letter signals the NC AG’s interest in Google’s privacy and security practices more broadly. The letter includes some routine requests, such as “any plan, policies, procedures, and/or protections that Google currently has in place, or is developing, to prevent the recurrence of such a breach” and “the number of North Carolina consumers impacted by the Google+ breach” (information that Google would have been required to disclose to the NC AG had the breach been subject to NC’s breach notification statute). However, it also requests information that is not necessarily directly linked to data security, such as “copies of all privacy assessments and reports prepared by or for Google since January 2017.”

In addition, the NC AG seeks information about how Google obtained information from customers in the first place, including whether providing user data was optional or mandatory and whether user data was pre-populated by Google. Notably, the NC AG’s Office says, “If North Carolina residents were automatically enrolled in Google+ through signing up for another Google service or through a resident’s business or enterprise organization, please describe the process by which those persons gave consent, and provide copies of any approval notices provided to those residents.” This request suggests concern about consumers’ lack of choice over how their information is collected and surreptitious collection of consumer data.

Companies should view this letter as a reminder that:

  • A data breach is a risk not only because of the breach itself but also because it can attract scrutiny of other aspects of a company’s privacy and security program;
  • That risk may be present regardless of whether the breach triggers state breach notification laws; and
  • Companies should be mindful of how they obtain consumer data and, where legally required, ensure that consumers are notified of, and agree to, any collection of such data.


About The Authors

Marci counsels companies on a wide variety of issues involving privacy, cybersecurity, and information law. She routinely helps companies evaluate and develop corporate privacy and information security programs, and provides advice on matters involving cross-border data transfers, insider threat prevention and detection, cloud computing, and electronic surveillance. Marci also assists clients in responding to data breaches, including issuing breach notifications required under state and federal breach notification laws, advising on remediation efforts, and handling litigation and enforcement actions arising from data security incidents.

Michelle Anderson counsels clients on a range of privacy, security, and consumer protection matters. She works closely with clients to understand their goals and risk profiles to help develop strategies for compliance with domestic and international privacy and security laws and regulations.