Greetings from Brussels!
There was an interesting privacy enforcement development emanating from the U.S. this week that I think has much global appeal. Uber, the peer-to-peer ride-sharing, taxicab, food-delivery, bicycle-sharing, and transportation network company (yes, it is now all that) agreed to pay a $148 million settlement to U.S. states for failing to disclose a sizable data breach back in 2016. That is quite some fine.
The settlement itself comes on the heels of a 10-month investigation led by state attorneys general across the United States focusing on whether Uber had violated data breach notification laws (at the state level) by not informing consumers that their information had been compromised. The breach exposed the personal information of 57 million customers and drivers globally, with about half the breach subjects residing outside the United States. By comparison, think back to the highly publicized multistate settlement with Target Corporation in 2017 over a data breach involving the theft of 41 million customer records; the settlement in that case was $18.5 million. It pales in comparison. This amount is the new precedent for attorneys general settlements in privacy cases.
Uber’s incoming chief executive, Dara Khosrowshahi, disclosed the breach to authorities back in November 2017, more than a year after the company was hacked under his predecessor. Khosrowshahi had said publicly at the time that the breach should have been notified back in 2016. However, as it transpired, rather than disclosing the breach, Uber paid the hacker concerned under its security-testing program (which rewards individuals for discovering and disclosing software flaws) and dealt with the matter behind closed doors. Deeming it bad decision-making under previous management and ethically questionable in its construct, Khosrowshahi announced it as a “failure,” and two employees — top security officers — were dismissed for their involvement in the decision.
Clearly, this new CEO is having none of it. Under new vision and leadership, it is worth stressing that there is a new strategic approach to the organizational culture within Uber and, in particular, to privacy and data protection. We are already seeing significant strides reflective of a new era at the company. Last month, Ruby Zefo, a longtime member of the IAPP and a current board member, was appointed as Uber’s first CPO. Zefo comes with pedigree, having previously led Intel’s global privacy and security legal team. Uber has also recently hired Simon Hania as its data protection officer, as mandated under the EU General Data Protection Regulation. Hania, who will report directly to Uber’s chief legal officer, Tony West, will be responsible for ensuring that Uber complies with EU privacy law. There’s more: Add to that the appointments of a new chief security officer and a new chief trust officer, and it is apparent that Uber is seriously shifting gears.
The recent settlement terms levied at Uber also see changes to the company’s business practices aimed at preventing future breaches. For example, Uber will be required to report any data security incidents to state authorities on a quarterly basis for the coming two years, and the terms include the implementation of a comprehensive information security program with oversight from the company’s board of directors.
West said of the settlement, “We’ll continue to invest in protections to keep our customers and their data safe and secure, and we’re committed to maintaining a constructive and collaborative relationship with governments [and regulators] around the world.”