Uber has agreed to pay $US148 million in fines after a settlement with US state law enforcement officials. The fine was triggered by the company’s attempt to conceal a 2016 data breach which affected 57 million Uber riders globally and 600,000 US Uber drivers.
In November 2017, Uber revealed that it had paid off hackers the year before who had gained access to its systems, obtaining names, email addresses, phone numbers and driver’s license numbers. For some users, location data, hashed passwords and Uber IDs were also stolen. Uber quietly paid the hackers $100,000 to destroy the stolen information.
As part of this settlement, the company has also agreed to adopt better data security and breach notification policies, and to develop a ‘corporate integrity program’ that will enable employees to report ethics concerns more easily. The New York Attorney General, Barbara Underwood, said she hoped the record settlement would send a clear message of “zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation”. Lisa Madigan, Illinois’ Attorney General, called the year-long delay inexcusable, labelling it as one of “the most egregious cases we’ve ever seen in terms of notification”.
State consumer protection laws in America are designed to safeguard personal information and hold companies responsible for immediately notifying authorities of a breach. They also require companies to establish measures to protect user data being stored on third-party platforms and to design strong password protection policies.
Impact of GDPR
Interestingly, had this incident taken place after 25 May 2018, Uber would also have been subject to the EU’s General Data Protection Regulation (GDPR). Any institution which collects, processes or stores the personal data of any EU citizen, or that holds offices in an EU country, is required to comply with the GDPR. Because the hack affected consumers in Europe, Uber would have been held accountable under the GDPR rules. The fundamentals of these rules are accountability and compliance, backed by notoriously high fines for non-compliance.
Under the GDPR rules, companies have 72 hours to report a breach. When they fail to do so, fines can be up to 20 million pounds or 4% of the company’s annual global turnover.
Facebook Setting the Example
This would mean a fine of GBP1.25 billion for Facebook after its September security breach, which put approximately 30 million accounts at risk. People were quick to label the breach the first major test of the GDPR’s power after Facebook revealed that personal data including email addresses, phone numbers and even information such as education, work, location and device information may have been stolen after attackers exploited a vulnerability in Facebook’s security.
However, a fine is unlikely. In reality, Facebook did everything required by the GDPR rules, which are designed precisely to encourage companies to immediately report problems and warn their users. The moment the cyberattack was noticed, Facebook users were warned and required to sign in again to verify their identity.
The extreme fines exist for companies that hide or sit on their breaches, as Uber did. The GDPR lays out clearly what companies must do to avoid fines, and it looks like Facebook has done everything by the book. Because of this, the only likely reason Facebook may be slapped with a GDPR fine is if it is found that its technology posed a danger or that an absurd oversight allowed for exploitation. More likely, this will prove to have been an unavoidable and sophisticated attack.
The difference between Uber’s and Facebook’s recent security breaches neatly demonstrates why companies should hold themselves responsible for the data they collect, if only to avoid public shame and extortionate fines. Inevitably, the GDPR regulators will be on the lookout for an example to make. Hence, companies big and small must be mindful of their responsibilities under these rules as well as under their local consumer protection laws.