Google’s admission that it covered up a large data breach should serve as a warning to any firm that is tempted to do the same thing.
First Facebook and now Google. The world’s most advanced technology companies are showing themselves to be woefully unprepared for GDPR, so what chance do the rest of us have? That’s one way of looking at the quite staggering admission that Google had covered up a data breach serious enough to persuade it to close Google Plus.
By Google’s own admission, the loss of the platform itself may not be much of a loss at all. Back when it was launched it was supposed to be the social media platform to end social media platforms. It was everything: Facebook, Skype and Twitter all in one exciting package. Companies of all kinds instantly began strategizing about how it was going to change their world.
And then…. nothing. After an introductory period in which we were all told this was the future, it soon became clear that it wasn’t. People simply weren’t using it. Even now usage is low with those who do use the platform spending only a short time on it. It’s certainly no Twitter, and no Facebook – it’s not even a Myspace.
So, when Google Plus started to become a liability, Google quite happily ditched it, but that won’t be quickly enough to save their red faces.
Passing the buck
Google’s announcement was quite staggering both in the scale of the breach and the lengths they went to to hide it. A bug in the Google Plus API had allowed third-party apps to access profile data of users and of their friends for around three years before it was finally discovered. Google’s response was to keep quiet and, as an internal memo showed, a key motivation for doing so was to avoid the regulatory scrutiny and the press comparisons then being directed at Facebook and Cambridge Analytica.
From a financial point of view, Google should consider themselves lucky that the breach was discovered back in March 2018, before GDPR came into force in May. Had that not been the case, they could now be mulling the prospect of a fine of up to 2% of global annual turnover for failing to notify the breach.
What they won’t escape, though, is the damage to their reputation, and this seems to have been the very thing they were trying to avoid. Under GDPR, firms must notify the regulator within 72 hours of becoming aware that personal data has been compromised, and must tell the affected individuals without undue delay where the breach is likely to put them at high risk. In essence, then, you will have to tell your customers that you have failed to take care of their data.
For a financial institution, which is entrusted with vast quantities of highly sensitive data, that can feel like a serious issue, but as Google has just demonstrated the alternative is far worse. The public are used to data leaks and understand that security processes can fail, but what will really catch their eye is what companies do when a breach is detected.
Google’s response could hardly have been worse. They signalled that they will keep quiet about problems rather than be honest and upfront with customers. If you’re relying on them to handle your data in a responsible manner, that is hardly going to fill you with confidence.
Keeping quiet, then, is certainly not an option. The penalties under GDPR will be severe, and the fallout when the news does emerge will be much, much worse.