In June 2020, a preliminary settlement order for $7.5 million was issued in a class action against the now-defunct social media platform, Google+, pending the judge’s final approval in November. The order is the culmination of a roughly two-year-old lawsuit filed in the wake of revelations that a glitch in Google+ security allowed Google application developers access to users’ personal data. More recently, class members received notices that, pursuant to the settlement’s final approval, they could receive between $5 and $12. Class counsel lawyers also stand to net up to $1.875 million in attorneys’ fees.
Google’s Social Media Attempt
Google+ debuted in 2011 and was considered to be Google’s latest attempt to compete with social media platforms like Facebook and Twitter. In a user-unfriendly move, Google tried to speed up the adoption of its platform by forcing individuals to first create a Google+ account before being able to access other Google apps, such as Gmail and Google Hangouts. This requirement was later phased out and activity on Google+ waned. But even after this change, Google+ accounts housed users’ personal information alongside credentials for other Google apps, and were, presumably, protected within the Google ecosystem.
Google+ Bugs and Breaches
In October 2018, Google acknowledged that a bug in its developer API had accidentally given third-party software developers access to the personal data of over 500,000 Google+ users. User emails, addresses, and other personal information had been unprotected for three years before Google discovered and fixed the security flaw in a March 2018 internal audit. However, the company waited until the news went public seven months later to acknowledge the mistake. Two months later, Google announced that a second data security breach had been identified in the developer API and that another patch had been deployed.
The Plaintiff Class
In late 2018, Google announced it was shutting down Google+ permanently. Just days later, a proposed class action suit was filed by two former Google+ users who were allegedly harmed by the data breaches. Per the complaint, the settlement class is outlined as “all persons within the United States who (a) had a consumer Google+ account for any period of time between January 1, 2015 and April 2, 2019, and (b) had their non-public Profile Information exposed as a result of the software bugs Google announced on October 8, 2018 and December 10, 2018.” Excluded from the class are Google officers, directors, employees, Google affiliates and subsidiaries.
The Class Action Proceedings
From its filing in the U.S. District Court, Northern District of California, the case proceeded regularly. The initial case management scheduling order was issued one day after filing, with the case management statement deadline set for January 24, 2019. The initial case management conference was also set to follow on January 31, 2019. A series of motions, stipulations, consolidation of related cases, hearings, and additions/exits of attorneys occurred during 2019. Google also filed an unsuccessful motion to dismiss and on January 6, 2020, the plaintiffs filed a motion for settlement and preliminary approval.
The settlement hearing was set for February 20, 2020; however, as the pandemic began to take hold, the judge continued this in-person hearing to April 16, 2020, in a San Jose, CA federal courtroom. And again, just a few months later, the hearing date was pushed to May 21, 2020.
But the Northern California district court showed agility in adopting a teleconference hearing approach and ultimately held the hearing via Zoom on May 19, 2020. After this hearing, Judge Edward Davila issued an order granting preliminary approval of the class action settlement on June 10, 2020. The preliminary settlement amount was announced to be $7.5 million. After this, notices were sent to class action members to opt-in, opt-out, or object to the settlement entirely. Judge Davila will make a final decision on the settlement on November 19, 2020.
Factors in Reaching Settlement
Following the preliminary approval from Judge Davila, the plaintiffs’ counsel released a settlement memorandum where they commented on the seemingly modest settlement amount. Counsel stated that “[t]he settlement provides quick relief for settlement class members, including payments for potentially disseminating their non-public information to unauthorized third-party application developers.” They added, “[i]mportantly, the personal information of all class members was never disseminated or accessed by hackers or other malicious third parties, but instead was potentially exposed to third-party software developers known to Google.”
This points towards a potential weakness in the plaintiffs’ focus on claims of harm from the sale of their information on the dark web. Google appears to have been successful in showing that only the developers they have relationships with could have accessed the data. In other words, the argument may have been that the data leak was not identity theft by hackers with the intent to sell personal information on the dark web. It was instead the inadvertent granting of access to user data caused by a software bug. The plaintiffs may have reconciled themselves to a settlement after realizing they faced an uphill battle to prove injury and damages given that this wasn’t a maliciously planned hack.
Expert Witnesses for Data Privacy Cases
Experts likely played a role in the settlement negotiations. Professionals with experience and insight into data security, API development, identity theft, and developer ecosystems would have been necessary for both sides to argue their case.
Google likely asserted that the plaintiffs’ risk of injury was extremely limited in scope, if it existed at all, due to the reputation and motivations of their developer ecosystem. Developers’ work—building applications that integrate with Google apps—depends upon keeping in good stead with Google. Suddenly launching an attack on Google data security would not serve their interest in maintaining a working relationship with the tech giant. An independent expert for Google on how software developer ecosystems and relationships with tech companies work could have helped make these points during the negotiations.
Google also likely relied on data security experts during settlement negotiations. The Google team would have already performed security testing during their internal audits to expose these bugs in the first place, but, of course, could not use employees as experts for obvious bias reasons. But Google likely found independent experts in network security and API development to explain these concepts and the nature of its own security bug.
The lawyers for the plaintiffs would also have needed experts in data security, APIs, and developer ecosystems to help them develop their case strategies and understand Google’s arguments. The plaintiffs’ counsel likely also hired experts to review and comment on any Google records giving information on the number and types of individuals or organizations that had access via the developer APIs during the data leak periods. Records on the internal and external expert audits, bugs uncovered, and duration of data exposure would also likely need to be reviewed by a professional well-versed in these technical areas.