Uber's data breach handling provides lessons for others ahead of GDPR, says expert

Out-Law News | 22 Nov 2017 | 3:02 pm | 3 min. read

Businesses can learn lessons from the way that Uber handled a major data breach that hit the company last year, a data protection law expert has said.

Anna Flanagan of Pinsent Masons, the law firm behind Out-Law.com, said Uber's recent disclosure of the breach highlighted shortcomings in the approach the company followed in managing the incident.

Earlier this week Uber chief executive Dara Khosrowshahi issued a statement confirming that in "late 2016" two hackers accessed the personal data of 57 million Uber users around the world, both riders and drivers, which was stored on a third-party cloud computing platform the company uses.

Khosrowshahi admitted that he had only "recently learned" of the breach, despite others in the company knowing about the incident and taking action to "secure the data and shut down further unauthorised access" by the two hackers.

At the time, the company implemented new security measures to "restrict access to and strengthen controls on our cloud-based storage accounts", he said.

In addition, Uber managed to identify the hackers concerned and "obtained assurances that the downloaded data had been destroyed", the chief executive said. According to Bloomberg, Uber paid $100,000 to the hackers to achieve the data destruction.

Khosrowshahi said two staff members who led Uber's response to the breach at the time "are no longer with the company". Bloomberg reported that one of the individuals to have left the organisation is chief security officer Joe Sullivan.

The data breach was not disclosed to regulators at the time of the incident, but Khosrowshahi said the company was now notifying the authorities of the incident, in addition to the customers and drivers whose data was compromised in the attack. Free credit monitoring and identity theft protection have been offered to drivers whose data was downloaded, while the company has also flagged up customer accounts impacted by the breach "for additional fraud protection".

"None of this should have happened, and I will not make excuses for it," said Khosrowshahi in his statement. "While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."

Flanagan of Pinsent Masons said the case served to highlight the importance of organisations having "appropriate internal processes in place to report personal data breaches to the right people within their organisation as soon as possible".

Those processes will be particularly helpful to businesses in meeting new requirements on the notification of personal data breaches under the forthcoming General Data Protection Regulation (GDPR), she said. The GDPR will apply from 25 May 2018.

"Under the GDPR, many businesses will face new rules that force them, for the first time, to disclose major personal data breaches to data protection authorities, such as the UK's Information Commissioner's Office (ICO), and potentially affected data subjects too," Flanagan said. "The rules place a very short timeframe on notification, with breaches to be reported to the authorities within 72 hours of the organisation becoming aware of it."

"Businesses that fail to comply with the reporting requirements face potential fines of up to €10 million, or 2% of their annual global turnover, whichever is the higher. This emphasises the need for internal procedures to ensure that the appropriate decision-maker has the information in a very timely fashion," she said.

"Organisations that intend to appoint a data protection officer under the GDPR need to make sure that the DPO has access to all the information they need to report a breach in a timely fashion," Flanagan said.

"Because of the financial and reputational risks around data breaches and any failure to report those breaches effectively under GDPR, the consequences for employees of failing to follow the right processes in handling and reporting data breaches will undoubtedly become more severe in future," she said.

In September, the UK's information commissioner Elizabeth Denham said the data breach notification regime under the GDPR "will raise the level of security and privacy protections across the board". She rejected suggestions that the new requirements are "all about punishing organisations".

"Personal data breach reporting has a strong public policy purpose," Denham said at the time. "The law is designed to push companies and public bodies to step up their ability to detect and deter breaches. What is foremost in regulators’ minds is not to punish the organisations, but to make them better equipped to deal with security vulnerabilities."

Last month, new guidance on data breach notification was issued by a committee of data protection authorities from across the EU, of which the ICO is a part. The Article 29 Working Party's guidance clarified that, under the GDPR, a business that outsources the processing of personal data to another company (a processor) will be deemed to have become aware of a breach experienced by that processor at the moment the processor itself recognises the breach, so the 72-hour clock starts then, not when the client is eventually told.

At the time, Kathryn Wynn, a data protection law specialist at Pinsent Masons, said that the Working Party's guidance could force technology suppliers to "contractually commit themselves to much shorter deadlines for reporting data breaches to their clients than they do currently".