The Uber Hack: How not to respond to a data security breach
News has just broken that Uber concealed a major data security breach in which names, email addresses, and phone numbers associated with around 50 million customers were leaked, along with similar personal information of 7 million drivers. Given the scale, it seems likely that the personal data of UK and EU citizens has been accessed by the hackers – how the authorities react will be worth watching for all data-oriented companies going forward.
Uber may consider itself lucky that this breach took place well before the May 2018 implementation of the incoming General Data Protection Regulation (GDPR), which would have allowed for fines of up to 4% of global turnover: an eye-watering ceiling of some $260million USD based on Uber’s reported revenue of $6.5 billion in 2016. With so many eyes on this, it is a useful case study for comparing the current and future regimes in the UK. For businesses that experience a data security breach pre-GDPR:
- There is no obligation to report, but the Information Commissioner’s Office (ICO) does recommend reporting “serious” breaches. If you don’t report it might count against you! Uber’s breach was serious.
- The ICO can fine anyone for a data protection law breach up to £500k. Even if you do report, you may still be fined: TalkTalk lost over 150,000 customer’s personal data, including dates of birth, and despite actively reporting it was still fined £400,000 – 80% of the maximum. Uber’s position doesn’t look too good on this front.
- However in the vast majority of cases, the ICO will not fine you. According to the ICO’s 2016 – 2017 operational statistics, of 2,565 self-reported breaches only 17 resulted in a civil monetary penalty.
- If you fear a loss of reputation/trust – note that the ICO doesn’t normally publicise a reported breach unless they take action against you. Even then, it’s preferable to have been up-front about it – Uber’s CEO had no choice but to admit “None of this should have happened, and I will not make excuses for it”.
From May 2018, the GDPR comes in and things change substantially:
- There will be an automatic obligation to report breaches unless they are “unlikely to result in a risk to the rights and freedoms of data subjects” – how far this exception goes is uncertain and you should get professional advice if planning to rely on this.
- For any breach of the data protection law, regulators will have the power to fine up to €20 million or 4% of global turnover! If the same 80% of max. were applied to TalkTalk in that case it would have been around £60 million – but regulators might exercise their discretion a little differently when dealing sums that vast. What will be interesting is what the regulators say about how Uber’s non-disclosure affects their decision-making.
- Remember, Brexit does not mean that the GDPR won’t apply. The UK plans to adopt GDPR-equivalent protections once outside the EU – they want to try to keep the free flow of information to/from the continent. Furthermore, if you’re controlling or processing EU citizen’s data, then the GDPR provisions will apply to you regardless and EU regulators may come after you for breaches. How exactly this will work post-Brexit is not settled yet, so certainly worth keeping an eye on for data business.
- The GDPR doesn’t just apply to security breaches – there are a host of other compliance requirements. If you control or process personal data, you will need to keep those requirements in mind. You may want to consider appointing a Data Protection Officer (required for certain businesses under the GDPR) to guide you through the compliance requirements. If that’s not feasible, sensible professional help may be the way to go.