VerSprite Reacts: Google+ Data Breach
Google Fails to Publicly Announce Breach
Revelations of a massive breach of Google+, a largely defunct challenger to Facebook, suggest that the data of hundreds of thousands of users were compromised over a period from 2015 to March 2018.
Avoiding Reputational Risk
Per multiple news reports, Google chose not to make news of the breach public, believing that it would thus avoid additional scrutiny and calls for tighter regulation that have followed other recent breach disclosures.
The decision suggests that despite a bounce back in the share prices of other companies that suffered breaches in recent years, Google likely worried about the larger reputational damage to its brand and products.
GDPR Mandates Breaches Be Revealed
Legislation such as the European Union’s General Data Protection Regulation (GDPR) mandates that breaches be revealed to relevant data protection authorities within 72 hours of discovery, a provision required under Article 33. (You can read more about GDPR in our blog post: Incident Response: When GDPR Requires Action.)
Failure to comply with the more serious provisions of GDPR is punishable by fines of up to $22 million or 4 percent of the previous year’s revenue.
Companies with enough money to pay fines are now choosing to defy the law rather than suffer user outrage and media coverage, suggesting that many still opt for compliance-driven security instead of the more robust and effective strategy of security-driven compliance.
While a major corporation can afford such a choice, and may survive the fallout, many smaller companies would be unlikely to survive major fines and intense media backlash.
Many small firms believe their risk of punishment or media scrutiny is lower, or that they would not be priority targets for enforcement authorities, and use this to justify ignoring certain statutes. It is highly likely, however, that the EU has considered this loophole and will aim to make an example of an offending smaller firm as a warning to others.
VerSprite’s Security-Driven Compliance Philosophy
VerSprite’s security-driven compliance philosophy aims to help companies adopt more effective strategies for assessing and addressing vulnerabilities, safeguarding their users and reputations, giving users greater confidence in the company’s ability to secure their information, and ensuring protocols are in place to address any problems quickly and efficiently.