The near-daily reports of massive hacking incidents continue to demonstrate a shocking level of corporate incompetence. In September, we learned of the Equifax breach, which was breathtaking both in its scope and in Equifax’s disorganized response. In October we heard about the “Paradise Papers” breach of a Bermuda law firm, revealing details of how the super-rich avoid paying taxes. In November, we first heard about a breach at Uber that had actually occurred more than a year earlier. Uber’s amazingly derelict response managed to make Equifax’s poor response from September look well managed.
The details of Uber’s breach were not themselves shocking. In October 2016, Uber learned that its servers had been breached by hackers. The attackers first obtained credentials for a private GitHub site (a site used by programmers to collaborate on open source programming projects), and found in that code login credentials for an Uber server containing the stolen data. Though the breach impacted around 57 million people, the hackers did not obtain financial information. For the vast majority of the affected individuals, the stolen data included their names, email addresses, and phone numbers. For 600,000 individuals, the stolen data also included their drivers’ license numbers, which triggered an obligation for Uber to notify these impacted individuals of the breach. If Uber had notified these individuals in 2016, this breach would likely have been quickly forgotten in the wake of larger breaches involving far more financially sensitive information. Similarly, Uber’s legal exposure in 2016 would not have been significant, since it would have been difficult for any individual to prove injury as a result of the loss of the specific type of data stolen in this breach. However, Uber did not abide by its legal obligations in 2016. Instead, the ride-sharing company decided to hide the breach by paying the hacker a $100,000 ransom in return for a promise that the hacker would erase the stolen data.
Uber’s reaction is an almost perfect road map of how not to handle a breach. Uber’s decision to hide the breach violated several state laws, and may well have violated Uber’s own settlement with the FTC (itself the result of a prior data breach), which was only finalized a few months ago. This is likely to result in significant fines and civil settlements – far more than would have been necessary if the breach had been announced in 2016. As an example, the Attorney General of Washington has sued Uber for failing to notify those Washington citizens impacted by the breach, seeking the statutory fine of $2,000 for each day the notification was delayed, multiplied by the almost 11,000 individuals in Washington alone to whom notification ought to have been made. If granted by a court, this would amount to a daily fine of $22 million – multiplied by the 300+ days since the notification requirement came into play. Other states have also sued Uber over this same breach, and while it is likely that the total fines it will pay will not amount to the billions of dollars demanded by the Washington Attorney General, it is certain that the fines will be far higher than they would have been if Uber had abided by the law a year ago. One piece of good news for Uber is that the 2016 breach occurred before the effective date of the European General Data Protection Regulation (which was promulgated in 2016, but does not go into effect until May 2018). Assuming the breach impacted the personal data of Europeans as well as Americans, had GDPR been in effect Uber would also now be facing the possibility of fines in Europe of the greater of €20,000,000 or 4 percent of Uber’s global revenue – which for Uber could easily amount to hundreds of millions of dollars.
So what should Uber have done? Upon learning that it had a potential breach, it ought to have hired outside counsel to lead an investigation. This would have preserved any potential attorney-client privilege, and ensured that Uber was well advised of the complicated notification laws and liability schemes in the US, Europe, and beyond that it was facing. The investigation would have examined the causes and effects of the breach and determined whether notification to regulators or consumers was required. It would also have put Uber in a position to document what steps the company had taken to address its security flaws and reduce the risk to its consumers. The company would then have been able to notify consumers and regulators, and would have been prepared with a PR and customer relations strategy to address consumer concerns.
Ironically, the sheer volume of data breaches has meant that companies who make timely reports of breaches and have good strategies for addressing clients’ concerns have rarely faced long-term business or legal problems as a result of even the largest hackings. If there is one lesson for executives in the wake of Uber’s breach it is this: ignoring or hiding a reportable data breach is not a viable option.
A version of this alert also appeared in Security Magazine.