Google is under fire after widespread reports of its decision not to notify the public of an incident that compromised 500,000 users' data. Google responded by saying that none of the personal data categories or harm thresholds necessary to trigger reporting had been met by the data breach.

Edward McAndrew, Co-Practice Leader of Ballard Spahr's Privacy and Data Security Group, said, "[t]his situation really drives home what a minefield incident responses can be for companies even if they conduct an investigation into a security incident and reach what appears to be a reasonable conclusion that no reportable breach occurred." Mr. McAndrew added that this situation also "illustrates the reputational harm companies can face if that analysis and decision-making process later becomes public."

Google stated that its privacy and data protection office reviewed the issue and concluded that the data breach was limited to optional Google+ profile fields: name, email address, occupation, gender, and age.
