MANY AMERICANS responded to news that a Google+ bug exposed users’ personal data to developers with a shrug: Few Internet users were active on the social media service anyway. Others replied with outrage at the company’s decision not to disclose a security flaw until months after its discovery, casting the leak as a serious threat to consumers. The appropriate reaction is somewhere in between.
Google+ was indeed unpopular, which is why it is no surprise this scandal has prompted Google to shut the platform down. But Google’s handling of this leak still has implications for whatever privacy legislation is, or is not, to come from Congress in the months ahead, especially in the area of breach notification. The United States needs a strong federal standard for the reporting of Internet security incidents to regulators and consumers, and Google’s case highlights a gap in the rules that states already have.
Most state laws governing breach notification focus on exactly that: breaches, meaning unauthorized access to user information. The Google+ bug, it seems, was not a breach but a vulnerability. Though a flaw in the system meant developers could have accessed hundreds of thousands of users’ information, there is no evidence so far that any of them did, and the absence of evidence is not the same as proof that nothing happened. The company nonetheless seems to have concluded that the likelihood was low enough that it could patch its problem in silence.
The question now for Congress, and for states interested in reevaluating their own rules in the absence of federal action, is not only how to strengthen breach notification laws but also how to apply any reporting requirements to vulnerabilities such as Google+’s.
Those requirements could come with drawbacks. A blanket rule for disclosing every security flaw could dissuade companies from proactively searching for problems in their systems, for one thing. A flood of notifications could also make it harder for consumers to distinguish real threats from routine problems. To avoid those pitfalls while still protecting consumers from exploitation that a company may not have detected, lawmakers should consider how easily a given bug can be exploited, how much personal data is at risk and how sensitive that data is, and then base reporting rules on those factors rather than on whether a company happens to have found evidence of misuse.
The Google+ episode offers other issues for legislators to consider beyond breach notification. The importance of informed consent from consumers is one of them; Google may still run into trouble with the Federal Trade Commission for misrepresenting the privacy of users’ information. Americans should not let Google+’s unpopularity distract them from the important lessons its leak has to teach. Next time this happens, it might be on a platform we actually use.