Google Enters Into Stipulated Agreement to Improve Legal Process Compliance Program
Google admitted to loss of data responsive to 2016 search warrant and agreed to program enhancements, reporting obligations, and a first-of-its-kind Independent Compliance Professional.
October 26, 2022
PRESS RELEASE
The Department of Justice on Oct. 25 filed a stipulation and agreement resolving a dispute with Google over the loss of data responsive to a search warrant issued in 2016.
Pursuant to the first-of-its-kind resolution, Google has agreed to reform and upgrade its legal process compliance program to ensure timely and complete responses to legal process such as subpoenas and search warrants, as required under the Stored Communications Act (SCA) and other applicable legal authorities. To monitor that Google fulfills its legal obligations, an Independent Compliance Professional will be retained to serve as an outside third-party related to Google’s compliance enhancements.
“The Department is committed to ensuring that electronic communications providers comply with court orders to protect and facilitate criminal investigations,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division. “This agreement demonstrates the Department’s resolve in ensuring that technology companies, such as Google, provide prompt and complete responses to legal process to ensure public safety and bring offenders to justice.”
“The warrant underlying this agreement was sought in connection with a significant criminal investigation,” said U.S. Attorney Stephanie Hinds for the Northern District of California. “This agreement will help to ensure that, moving forward, Google will maintain the technical capability and resources necessary to comply with lawful warrants and orders, such as the one at issue in this case, that are critical to federal criminal investigations.”
As detailed in the Statement of Facts accompanying today’s agreement, in 2016, the United States obtained a search warrant in the Northern District of California for data held at Google related to the investigation of the criminal cryptocurrency exchange BTC-e. The warrant was issued under the SCA, the federal statute that requires providers such as Google to disclose customer communications when served with a warrant signed by a judge and supported by probable cause.
After the warrant was reviewed by a judge in the Northern District of California, sworn, signed, and served on Google, the Second Circuit Court of Appeals issued a decision holding that SCA search warrants did not reach data stored outside of the United States. Google halted execution of the search warrant and made rolling productions containing only information it could confirm was stored in the United States. Because Google’s data preservation tools at the time stored data in the United States – and thus brought the data under undisputed U.S. jurisdiction – Google also endeavored to create new tools that would prevent the data from being repatriated. Google and the government litigated regarding the search warrant through 2017 and into 2018, when Congress clarified that the SCA does indeed reach data that U.S. providers choose to store overseas. In the intervening time, data responsive to the warrant was lost.
In resolving the matter with the department, Google has agreed to numerous improvements to its legal process compliance program, as set forth in the filed agreement. The improvements are tailored to ensure that Google complies with its legal obligations to respond to lawful court orders, including those issued pursuant to the SCA. Google will maintain sufficient compliance staffing levels to support the enhancements to the program and will allocate engineering resources to support legal process compliance.
Google has further committed to implement processes and procedures to ensure timely response to legal process, as required under the SCA and other relevant legal frameworks, and to generate a compliance timeliness record for missed deadlines, which will be made available to the government upon request. Google will also develop and maintain needed tools to retrieve data in response to legal process, and to develop plans for legal process responses corresponding to new product launches.
The agreement (PDF) also provides that an Independent Compliance Professional will verify the accuracy of assertions in all reports contemplated by the agreement and evaluate Google’s assessment of its compliance with the enhancements to Google’s Legal Process Compliance Program set forth in the agreement. Pursuant to the agreement and in consultation with the mandated Independent Compliance Professional, Google will assemble periodic reports and updates regarding its Legal Process Compliance Program and its implementation of the enhancements set forth in the agreement. Google will provide these reports to the government, the Google Compliance Steering Committee, and the Audit and Compliance Committee of the Alphabet Board of Directors.
In the filed stipulation, Google represented to the court that it spent over $90 million on additional resources, systems, and staffing to implement legal process compliance program improvements.
Google will maintain its lawful protections of user data, and the agreement does not provide the United States access to Google user data.
Senior Counsel C. Alden Pelker of the Criminal Division’s Computer Crime and Intellectual Property Section and Corporate and Securities Fraud Section Chief Lloyd Farnham for the Northern District of California negotiated the agreement on behalf of the government.
You May Also Like
Transform Your Security Operations And Move Beyond Legacy SIEM
Nov 6, 2024Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024Securing Tomorrow, Today: How to Navigate Zero Trust
Nov 13, 2024The State of Attack Surface Management (ASM), Featuring Forrester
Nov 15, 2024Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024