Google did not notify authorities of the vulnerabilities in Google Plus, which exposed the data of up to 500,000 users. Google said it had found no evidence that outside developers were aware of the security flaw and no indication that any user profiles were touched. The flaw was fixed in an update made in March. There is no federal law requiring companies to disclose a security vulnerability. Companies must wade through a patchwork of state laws with different standards.