Over the past several months, our firm’s Cybersecurity and Data Privacy Practice team has had ample opportunity to report on a number of high-profile security and data breaches. It appears that trend is going to continue, as another massive cyber-breach was just reported. This time, it was Uber that had its network breached, and that breach impacted 57 million users of the ride-sharing service, as well as 600,000 Uber drivers. Although it pales in comparison to other recent breaches, like those of Equifax and Yahoo, in terms of the number of individuals whose data was stolen, the Uber breach is equally important in developing your own awareness of how to respond to data breaches: Uber provides another example of what not to do when a data breach occurs. Uber’s mistakes are numerous and could have long-lasting consequences. Here are a few of those mistakes, followed by some advice on how to avoid them.
Mistake #1: Uber fails to notify victims of the breach: Uber reported that its network was compromised in late 2016, yet Uber did not alert victims of the breach until November 21, 2017. The scope of the breach is apparently international, with data protection agencies in the United Kingdom, Australia and the Philippines looking into possible violations of their respective countries’ privacy laws. In the United States alone, there are forty-eight different state laws governing security breach notifications, many of which require notice to be provided as soon as possible. Waiting almost a year before providing notice to individuals whose information was unlawfully accessed likely exposes Uber to liability in a multitude of states and countries in which Uber can expect to be, and has already been, sued. As of November 23, 2017, at least two class action lawsuits have been filed in California claiming that Uber “failed to implement and maintain a responsible security procedures and practices appropriate to the nature and scope of the information compromised in its data breach”. Attorneys General from Illinois, New York, Connecticut and Massachusetts have been reported as opening investigations, and it is a practical certainty that dozens of their colleagues will soon follow their lead.
Mistake #2: Uber fails to notify governmental authorities of the breach: To make matters worse, in addition to not notifying individual victims of the data breach, Uber did not provide notice to governmental agencies until recently. In doing so, Uber has potentially exposed itself to regulatory penalties, including fines and potential lawsuits, as well as likely having to appear at state and federal level inquiries, either voluntarily or through the use of subpoenas. Unfortunately for Uber, its explanation as to why it failed to notify the proper authorities is going to be aired to the public, likely in real time.
Mistake #3: Uber paid the hackers $100,000 for an “assurance” that the data was destroyed and appears to have tried to cover up the nature of the payment: Uber admitted that it paid the hackers $100,000 and, in exchange, claims it received assurances that the data was destroyed. Is there any wisdom in Uber paying the $100,000 demand, which is tantamount to extortion? Not according to law enforcement agencies, which commonly advise against paying a ransom: doing so makes your company a repeat target by showing a willingness to pay, and it funds further data privacy hacks by rewarding the wrongdoer. At least one media source reports that Uber actually went further than payment by locating the hackers, having them sign non-disclosure agreements in exchange for the payment and claiming that the hack was actually a “bug bounty”, the practice of a company hiring a hacker to attempt to hack the company’s data in order to uncover vulnerabilities in the target company’s network. It is very hard to believe that this was just a training exercise run by Uber.
While it was not illegal for Uber to pay the hackers the $100,000, doing so and trying to cover it up has consequences. First, Uber is now a target for future hackers, who have an expectation that Uber will accede to demands for payments that are really extortion. Second, Uber created the appearance that it was more concerned with destroying the data than with advising the individuals whose data was stolen of the theft. Although Uber claims to have received assurances of the destruction of the stolen data, that likely provides little comfort to the individual victims, who likely would have appreciated timely notice so that they could take steps to protect their information.
Should your company be confronted with a situation like the one that has befallen Uber, do not respond in a similar manner. Rather, consider the following steps as part of any response to a breach:
- Consult with legal counsel immediately to determine what data breach notification laws apply and who needs to be notified. If you do business across state lines or internationally, a data breach can expose your company to compliance obligations under a number of different laws. The first step in responding to a breach is to understand whose data, as well as what kind of data, was accessed. Once you determine which jurisdictions’ laws apply, an analysis of the various notification requirements can be undertaken. That analysis will dictate how your response is prepared. Speak with professionals who can determine which laws apply, how to respond to each law and which agencies you should notify.
- Do not wait to provide notification. In addition to most data breach laws specifying a time period in which notification must be made, whether a definite time period or the more common “reasonable” period under the circumstances, it is crucial to act swiftly and be ready to provide complete, honest notification as soon as practicable. Even if your company is not required by a governing law or regulation to provide notice, a decision must be made whether to voluntarily disclose a breach in an effort to prevent reputational harm.
Hopefully, we can all learn from Uber’s mistakes and improve our own companies’ reactions in the face of a potential data compromise.