+1 More Reason to Enhance Your Organization’s Privacy and Security Practices
The North Carolina Attorney General’s Office issued a letter to Google on October 11th demanding that the company answer questions about the recent breach affecting its Google+ network. The NC AG’s inquiry signals that companies may now face scrutiny from state regulators after a data breach regardless of whether the incident triggers state breach notification laws. It also underscores the fact that in the aftermath of any breach, regulators are interested not only in what happened during a breach but also a company’s privacy and security practices overall, including the means by which a company obtains personal data.
According to a Wall Street Journal report, in March 2018, Google discovered a software glitch that potentially exposed users’ Google+ profile data, including name, email address, occupation, gender, and age. The NC AG’s inquiry is notable, and unusual, because none of the potentially compromised information is subject to North Carolina’s breach notification statute, and there is no evidence that the glitch was exploited.
Indeed, the range of questions posed in the letter portends the NC AG’s interest in Google’s privacy and security practices more broadly. The letter includes some routine requests, such as “any plan, policies, procedures, and/or protections that Google currently has in place, or is developing, to prevent the recurrence of such a breach” and “the number of North Carolina consumers impacted by the Google+ breach” (which is information that would have been required to be disclosed to the NC AG had the breach been subject to NC’s breach notification statute). However, it also requests that Google provide information that is not necessarily directly linked to data security, like “copies of all privacy assessments and reports prepared by or for Google since January 2017.”
In addition, the NC AG seeks information about how Google obtained information from customers in the first place, including whether providing user data was optional or mandatory and whether user data was pre-populated by Google. Notably, the NC AG’s Office says, “If North Carolina residents were automatically enrolled in Google+ through signing up for another Google service or through a resident’s business or enterprise organization, please describe the process by which those persons gave consent, and provide copies of any approval notices provided to those residents.” This request suggests concern about consumers’ lack of choice over how their information is collected and surreptitious collection of consumer data.
Companies should view this letter as a reminder that:
- A data breach is a risk not only because of the breach itself but also because it can attract scrutiny of other aspects of a company’s privacy and security program;
- Such risk may be present regardless of whether the breach triggers state breach notification laws; and
- Companies should be mindful of how they’re obtaining consumer data and, if legally required, should ensure that consumers are notified of, and agree to, any collection of such data.