The Uber Hack: How not to respond to a data security breach

It has been just over a week since the news broke that Uber concealed a major data security breach in which names, email addresses, and phone numbers associated with around 57 million individuals were leaked, including 2.7 million in the UK.  Given the scale, it seems likely that the personal data of UK and EU citizens will have been compromised and the reaction of relevant data protection and cybercrime agencies will be instructive for many data-oriented companies going forward.

With Uber’s CSO and then-CEO having been aware of the breach for a year before it was disclosed, the event has triggered substantial outrage, and at least 11 lawsuits have already been issued in the US.  The Information Commissioner’s Office and the National Cyber Security Centre have indicated that they are investigating the effect of the breach on the UK (where over half of Uber’s 5 million users are affected) and will no doubt be interested in Uber’s decision-making once it became aware of the problem.  Uber may consider itself lucky that this breach took place well before the incoming General Data Protection Regulation takes effect, which would have allowed for fines of up to 4% of global turnover: an eye-watering ceiling of some $260 million based on Uber’s reported revenue of $6.5 billion in 2016.

Under the current UK regime, there is no general obligation to report a data security breach.  However, the ICO does recommend reporting “serious” breaches, and when the Information Commissioner learns of a breach it will certainly take the conduct of the organisation concerned into account.  Once the GDPR applies from May 2018, there will be an automatic obligation to report breaches to the regulator (without undue delay and, where feasible, within 72 hours of becoming aware of them) unless they are “unlikely to result in a risk to the rights and freedoms of data subjects” – how far this exception extends is uncertain and much discussed.  Furthermore, if there is a “high risk” to those rights and freedoms there will be an obligation to notify the affected data subjects directly.  Brexit is unlikely to change this, as the UK is implementing an equivalent of the GDPR in the hope of keeping data flows to the continent uninterrupted.

Once it learns of a breach, the ICO’s powers extend to fining organisations up to £500,000, as well as issuing enforcement notices requiring action to be taken where appropriate.  Aside from that, the most apparent business risk is loss of reputation and trust amongst the customer base and with other businesses.  In favour of reporting, however, is that the regulator does not automatically publicise breaches reported to it (although where a breach is serious it is likely to be made public promptly).  Actively working with the regulator may earn a business some credit for its post-breach conduct, whereas failing to report may leave it with no saving grace.  In Uber’s case, its current CEO Dara Khosrowshahi could only say “None of this should have happened, and I will not make excuses for it”.  The impact of this revelation on Uber’s customer base and on its ability to resolve its myriad legal disputes remains to be seen, and will be a worthwhile case study for anyone facing a similar situation.

Returning to a UK example, TalkTalk still received a fine of £400,000 – 80% of the maximum allowed – despite actively reporting its data breach (in which over 150,000 customers’ personal data, including dates of birth, were released).  However, TalkTalk had been completely unaware of the vulnerability in its systems, which could easily have been fixed had it known of it, a situation less likely to arise in more agile organisations.  According to the ICO’s 2016–2017 operational statistics, of 2,565 self-reported breaches only 17 resulted in a civil monetary penalty, so companies should not assume they will be treated as harshly as TalkTalk.

From May, under the GDPR the fine for the more serious breaches of data protection law will increase to the aforementioned 4% of turnover or €20 million – whichever is the greater.  This has led some to point out that TalkTalk’s 80% of the maximum translates to £59 million under the GDPR.  While it’s impossible to say how regulators will exercise this vastly increased disciplinary power, there has been a trend of increasing fines under the present Information Commissioner, so companies of any size presented with a security breach will have to tread carefully and should seek professional support immediately.

The last risk worth mentioning is the possibility of complaints and claims by the data subjects themselves, an area which remains underdeveloped for security breaches.  The GDPR provides a right to compensation to any person who has suffered “material or non-material damage” as a result of a GDPR infringement.  The compensation for loss of non-sensitive data is likely to be small, but if victims are dissatisfied with the business’s response there is a significant prospect of activists and litigants-in-person using this provision to bring court claims, which could prove costly in the long term.  Although no claims can yet be brought under the GDPR, a claim by 5,500 current and former Morrisons employees concerning a 2014 data security breach is presently proceeding through the High Court and may shed some light on the relevant principles and the amount of compensation available to UK citizens.  Other data protection issues a company may face include customers requesting copies of their personal data or asking that their data be deleted – requests that must be complied with unless an exception applies, and which can be costly to handle in correspondence alone.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
