Several state attorneys general are reviewing a decision by Alphabet Inc.’s Google not to disclose a security glitch that exposed the data of at least 500,000 Google+ users.
Google said it wasn’t required to notify regulators or users under state data breach notification laws because, in its assessment, no private data was compromised. The information exposed was “limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age,” according to a statement by Google.
Attorneys general could still launch investigations under state consumer protection statutes that say companies must live up to promises they make about protecting data, according to Robert Braun, co-chair of Jeffer Mangels Butler & Mitchell’s cybersecurity and practice.
