The Employees Retirement System of Rhode Island (ERSRI) filed a shareholder class action lawsuit this week against Google parent company, Alphabet Inc., following the firm’s discovery of a new Google+ bug affecting the privacy of as many as 52.5 million users. The suit alleges that Google misled both shareholders and federal regulators in relation to its social network’s breaches when it neglected to inform them of the problems. In particular, the case is being brought based on the fact that the most recent breach and at least one earlier and then-undisclosed breach were similar in terms of ‘legal and factual issues’. For the time being, the nine-page long complaint is seeking to address that issue but also asking the U.S. District Court for the Northern District of California to determine the lead plaintiff in the case. ERSRI is seeking to take up that mantle in the latter issue.
Background: The most recent bug spotted in Google+ and its associated API summarily allowed third-party developers access to personal information about users from their profile even where that had been set to or shared privately. That didn’t include data about financials, government identification number, passwords, or similar information and no developers appear to have taken advantage of the glitch. The primary concern with that bug is not whether abuse of the issue is immediately apparent but the fact that it seems so close, if not related, to another earlier problem. In October, Google revealed that a bug in its system had been in place since 2015 and that it had been known since March but the search giant did not reveal that information to the public or to shareholders. At the time, Google attempted to justify its silence by claiming that it had feared backlash similar to that faced by Facebook’s ongoing privacy breach scandals.
Regardless of the reasons behind the company’s decision to withhold information about that earlier security lapse, that ultimately led to the announcement that Google would be sunsetting Google+ permanently. The initial reason for closing down the social network was said to be its low rate of use — with the average user spending less than five seconds per session. That doesn’t appear to be the case any longer and may not have been the entire reason, to begin with, since Google admitted that it wasn’t worth maintaining. When the news of the second bug broke, the date for that got pushed forward by several months. The service will be shut down in April of 2019.
Impact: The full extent of implications stemming from the new lawsuit in response to the Google breaches isn’t immediately apparent. Given that this is being brought as a class action suit and that Google is such a highly-valued company, the consequences will almost certainly be severe if ERSRI can make its case effectively before the courts. Whether or not the company is ultimately held accountable, in addition to whether or not the results are enough to change the company’s behavior or dissuade future problems remains to be seen. If the case moves forward as it stands, any conclusion at all is likely still months away at least.
