The attorneys general of all 50 U.S. states and the District of Columbia announced that California-based Uber had agreed to pay $148 million to settle claims that it failed to report a 2016 data breach. Uber initially tried to cover the breach up, disclosing it only a year later. Criminal hackers breached the ride-hailing company and stole data on 57 million drivers and riders, including PII (personally identifiable information) such as names, email addresses, and driver's license numbers.
Uber’s response to the attack
All 50 states, the District of Columbia and the U.S. territories have laws requiring breaches to be reported within a set timeframe. Uber not only missed its deadline by a wide margin but also paid the attackers $100,000 to delete the stolen data; they accepted the payment and claimed the data had been erased. A practitioner should note what such a payment does not buy: once data has been copied, the victim has no way to verify that every copy was destroyed, and most state laws treat the unauthorized acquisition itself as the reportable event, regardless of what the attacker later promises to do with the data.
The California attorney general's statement on the settlement put it this way: "Uber's decision to cover up this breach was a blatant violation of the public's trust. The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law. Companies in California and throughout the nation are entrusted with customers' valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect their data."
After admitting its wrongdoing, Uber fired its chief security officer.
Potential SEC investigation
The SEC (U.S. Securities and Exchange Commission) requires publicly traded companies to disclose material information, which can include major data breaches. Uber has yet to go public but plans to do so next year. It has, however, already issued securities in the form of convertible notes, and the anti-fraud provisions of Rule 10b-5 under the Securities Exchange Act of 1934 apply to any purchase or sale of a security, not only to listed shares. Omitting a material fact in that context can constitute securities fraud, so Uber runs the risk of an SEC investigation and penalties even before it lists.
The SEC investigated Yahoo's failure to report its 2014 breach in a timely fashion; the breach was not disclosed until 2016, and the company (by then renamed Altaba) settled with the SEC in 2018. The SEC launched a similar probe into Equifax after the breach it suffered in 2017. Both are examples of what happens when incident response policies and procedures either do not exist or are not followed: the technical response to a breach has to be paired with a disclosure process that knows who must be told, and by when.
Nations around the world, and the EU (European Union) in particular, are developing or have already enacted data protection and breach notification laws. The hallmark is the EU GDPR (General Data Protection Regulation), which took effect on May 25, 2018. The GDPR applies to every organization that monitors the behavior of, or offers goods and services to, individuals in the EU, irrespective of the organization's location or where the data is processed. Under Article 33 it requires a personal data breach to be reported to the supervisory authority within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals; a year-long cover-up of the kind Uber attempted would be a clear violation.
Data protection officer (DPO) as a service
While we wait for future U.S. legislation, there are steps you can take now. IT Governance USA’s DPO as a service is a practical and cost-effective solution for organizations that don’t have the requisite data protection expertise and knowledge in-house to fulfill their DPO obligations under the GDPR. By outsourcing DPO tasks and duties to a managed service provider, you get access to expert advice and guidance that helps you address the compliance demands of the GDPR while staying focused on your core business activities.
Organizations can learn more about their U.S., EU and global privacy and cyber security obligations by registering for IT Governance USA's Global Compliance webinar series.
Take our west coast course
Los Angeles residents can now take our Certified EU General Data Protection Regulation Foundation (GDPR) Training Course in person on November 26, 9:00 a.m. to 5:00 p.m. PST. This one-day introductory training course gives you a comprehensive introduction to the GDPR and a practical understanding of its implications and legal requirements for U.S. organizations. Register now.