Senators Explore Handling of Google Plus Disclosure
Two letters from groups of U.S. Senators were sent last week regarding the privacy breach at Google Plus, one to Google from Republicans and one to the Federal Trade Commission from Democrats.
Republicans from the Senate Commerce Committee have asked Google to provide, by October 30th, a copy of the internal memo discussing whether to disclose the Google Plus vulnerability, as well as to answer other questions concerning its handling of the leak of personal information.
In addition to their concern about withholding information about the privacy issue from the public, the Republican Senators expressed disappointment that Google’s chief privacy officer testified before the Senate Commerce Committee on privacy only two weeks before, and did not provide information about the issue to the Committee.
In addition to a copy of the memo, the Senators asked Google to provide information about its disclosure of the vulnerability to the FTC and the Independent Assessor from the Consent Order. They also asked Google to provide information about how it became aware of the issue and why the company chose not to disclose it to the public or the Senate Commerce Committee.
The letter is signed by Senator John Thune (R-SD), Chair of the Senate Commerce Committee; Senator Roger Wicker (R-MS), Chair of the Subcommittee on Communications, Technology, Innovation and the Internet; and Senator Jerry Moran (R-KS), Chair of the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security.
Separately, Senate Democrats wrote to Joseph Simons, the Chairman of the Federal Trade Commission, to urge the organization to immediately open an investigation into the exposure of private information on Google+ and the concealment of the breach. The letter asks the FTC to determine whether the technology company violated its existing consent decree with the FTC, as well as more broadly if the company engaged in unfair or deceptive acts concerning privacy. If the FTC finds violations, it urges “substantial financial penalties and strong legal remedies.”
The letter also questioned whether stricter scrutiny of consent decree requirements was warranted. The Senators noted that there was a mandated audit of Google’s privacy controls after the vulnerability, but the vulnerability was not discovered. They also thought that the security audit should have been conducted earlier, given that the vulnerability had existed since 2015. The Senators expressed concern about the decision to not disclose the vulnerability, calling it part of a “culture of concealment”. Furthermore, they noted that Google is “one of the rare companies that has violated a FTC consent decree” and received a substantial fine for it. Moreover, they expressed concern about the denials of evidence of misuse, since Google could only test records for two weeks.
The letter to the FTC was signed by Senators Richard Blumenthal (D-CT), Edward Markey (D-MA), and Tom Udall (D-NM).
The response to the Republican letter will be due shortly before Google CEO Sundar Pichai testifies before the House Judiciary Committee on political bias at the search engine. It seems almost certain that Pichai will be asked to answer a handful of questions about this incident even though the scope of the testimony covers political bias.
The United Kingdom Information Commissioner’s Office has mentioned in the recent past that a lot of organizations are disclosing breaches that are not required under the General Data Protection Regulation (GDPR). However, in light of what happened to Google, a tendency toward extra transparency with consumers is probably warranted.
If Congress wants to pass a data breach or privacy notification requirement as part of a new federal privacy law, the Google and Facebook scandals this year will no doubt be used as the justification. Businesses that are considering whether to disclose a data breach need to consider doing so in light of the current political climate on these issues.