
The Uber Hack: How not to respond to a data security breach

It has been just over a week since the news broke that Uber concealed a major data security breach in which the names, email addresses and phone numbers of around 57 million individuals were exposed, including 2.7 million in the UK.  Given the scale, it seems likely that the personal data of UK and EU citizens will have been compromised, and the reaction of the relevant data protection and cybercrime agencies will be instructive for many data-oriented companies going forward.

With Uber’s CSO and CEO having known of this breach for a year, the event has triggered substantial outrage and at least 11 lawsuits have already been filed in the US.  The Information Commissioner’s Office and the National Cyber Security Centre have indicated that they are investigating the effect of the breach on the UK (affecting over half of Uber’s 5 million users here) and will no doubt be interested in Uber’s decision-making once it became aware of the problem.  Uber may consider itself lucky that this breach took place well before the incoming General Data Protection Regulation applies, as the GDPR would have allowed for fines of up to 4% of global turnover: an eye-watering ceiling of some $260 million based on Uber’s reported revenue of $6.5 billion in 2016.

Under the current UK regime, there is no general obligation to report a data security breach.  However, the ICO does recommend reporting “serious” breaches, and when the Information Commissioner learns of a breach they will certainly take the conduct of the reporting entity into account.  Once the GDPR applies from May 2018, there will be an automatic obligation to report breaches to the supervisory authority without undue delay (and, where feasible, within 72 hours of becoming aware of them) unless the breach is “unlikely to result in a risk to the rights and freedoms of data subjects” – how far this exception goes is uncertain and much discussed.  Furthermore, if there is a “high risk” to those rights and freedoms there will be an obligation to notify the affected data subjects directly.  Brexit is unlikely to change this, as the UK is implementing an equivalent of the GDPR in the hope of keeping data flows to the continent uninterrupted.

Once it learns of a breach, the ICO’s powers extend to fining organisations up to £500,000, as well as issuing enforcement orders requiring action to be taken where appropriate.  Aside from that, the most apparent business risk is loss of reputation and trust amongst the customer base and with other businesses.  In favour of reporting, however, is that the regulator does not automatically publicise breaches reported to it (albeit where a serious breach occurs it is likely to publicise it promptly).  While actively working with the regulator may allow a business to receive some positive feedback on its post-breach conduct, failing to report may leave a business with no saving grace.  In Uber’s case, its current CEO Dara Khosrowshahi could only say “None of this should have happened, and I will not make excuses for it”.  The impact of this revelation on Uber’s customer base and on its ability to resolve its myriad legal disputes remains to be seen, and will provide a worthwhile case study for anyone facing a similar situation.

Returning to a UK example, TalkTalk still received a fine of £400,000 – 80% of the maximum allowed – despite actively reporting its data breach (in which the personal data of over 150,000 customers, including dates of birth, was released).  However, TalkTalk had been completely unaware of the vulnerability in its systems, which could easily have been fixed had it known, a situation less likely to arise in more agile organisations.  According to the ICO’s 2016–2017 operational statistics, of 2,565 self-reported breaches only 17 resulted in a civil monetary penalty, so companies should not assume they will be treated as harshly as TalkTalk.

From May 2018, under the GDPR the maximum fine for the more serious breaches of data protection law will increase to the aforementioned 4% of global turnover or €20 million, whichever is the greater.  This has led some to point out that TalkTalk’s 80% of the maximum would translate to £59 million under the GDPR.  While it is impossible to say how regulators will exercise this vastly increased disciplinary power, there has been a trend of increasing fines under the present Information Commissioner, so companies of any size faced with a security breach will have to tread carefully and should seek professional support immediately.

The last risk worth mentioning is the possibility of complaints and claims by the data subjects themselves, an area which remains underdeveloped for security breaches.  The GDPR provides a right to compensation to any person who has suffered “material or non-material damage” as a result of a GDPR infringement.  The amount of compensation for loss of non-sensitive data is likely to be small, but if victims are dissatisfied with the business’s response there is a significant prospect of activists and litigants-in-person taking advantage of this provision to bring Court claims, which could prove costly in the long term.  Although no cases can be brought under the GDPR yet, a claim by around 5,500 current and former Morrisons employees concerning a 2014 data security breach is presently proceeding through the High Court and may shed some light on the relevant principles and the amount of compensation available to UK citizens.  Other data protection issues a company may face include customers requesting copies of their personal data or asking that their data be deleted – requests that must be complied with unless an exception applies, and whose correspondence alone may be costly.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
