Through the GRC Lens: October



Google’s failure to disclose a data breach, California’s tough new laws on corporate governance and net neutrality, and Silicon Valley’s #MeToo — here’s a round-up of October’s top GRC news headlines.

Google Fails to Disclose a Data Breach

At the height of Facebook’s Cambridge Analytica scandal, when the social media giant faced widespread backlash for its misuse of personal data, another Silicon Valley giant found that it had inadvertently exposed the private data of hundreds of thousands of users through its lesser-known social network.

Fearing that the disclosure of such a breach would immediately invoke comparisons to Facebook’s disastrous liaison with Cambridge Analytica, and prompt scrutiny from regulators, the tech giant instead chose to quietly fix the issue.

But things didn’t quite go as planned: a damning report by The Wall Street Journal in October revealed that a software glitch in Google’s social network, Google+, gave developers access to the personal data of nearly half a million users, including full names, email addresses, birth dates, gender, profile photos, places lived, occupation, and relationship status. The report also mentions an internal memo from Google which talked about the possible repercussions that the company would face if the breach was disclosed.

Following the revelation, Google announced a host of privacy reforms which also involved the shutdown of the consumer version of Google+.

Though Google said that it found no evidence that users’ personal data was misused in the Google+ glitch, even going into details in its blog post, the incident raises questions about how transparent the tech giant was in handling the entire episode.

California Forges Ahead with Tough New Laws on Corporate Governance and Net Neutrality

In a seeming reversal of the trend of deregulation, California signed two new bills into law on corporate governance and net neutrality, setting an important precedent for the country.

According to The New York Times, the new law on corporate governance requires all publicly held companies headquartered in California to have at least one woman on their boards by the end of 2019 and a minimum of two or three women (depending on the size of their boards) by 2021. The Los Angeles Times reported that companies that fail to comply will face fines of $100,000 for a first violation and $300,000 for a second or subsequent violation.

The law on net neutrality affecting the telecom industry requires internet providers to maintain a level playing field, and bans the practice of prioritizing some sites and services over others. However, a recent report in The Washington Post suggests that this law may be temporarily on hold.

The new laws come after the Golden State adopted another law on data privacy, keeping up with the European Union’s (EU’s) tough new data protection regulation, GDPR.

Silicon Valley Grapples with #MeToo

Hot on the heels of its data breach, Google found itself in the midst of another controversy. An article appeared in The New York Times detailing how the tech giant protected male senior executives against claims of sexual harassment while paying them millions in exit packages and keeping quiet about the allegations. One of these executives was Andy Rubin, the creator of the now-famous Android software.

Unsurprisingly, the news did not sit well with Google employees, who staged coordinated walk-outs from Google offices around the world to protest the company’s perceived leniency towards sexual harassment, igniting an internal #MeToo movement.

Speaking at The New York Times DealBook conference, Google’s CEO, Sundar Pichai, apologized, saying that “moments like this show we didn’t always do it right.”

Meanwhile, The Wall Street Journal reported that Uber’s top deal maker, Cameron Poetzscher, resigned after allegations of prior sexual misconduct against him were revealed, sparking a fresh debate on how Silicon Valley giants handle sexual harassment allegations from women.

The Low-Down

Ever since Facebook’s Cambridge Analytica scandal, companies around the world have been wary of intense scrutiny around data privacy issues. Google’s handling of the incident with its social network, and the resulting reputational impact, show that being proactive and transparent with customers and regulators is a better road for businesses to take when faced with a security incident.

Silicon Valley’s #MeToo movement also shines an uncomfortable spotlight on the governance practices of tech giants. It shows how legacy corporate governance practices such as “handling things quietly” will be called into question as the cultural zeitgeist shifts towards more ethical business practices.

And while regulations will continue to drive corporate governance to a large extent, employee and customer activism will become an equally important driver of change.


