The theft of personal data by malicious employees or third parties does not have to be a disaster. With appropriate PR and legal advice, and proactive engagement and input from senior management, an organisation can minimise the negative consequences and may even be able to strengthen client relationships. The key is transparency – you need to own the breach, and demonstrate a proactive, strong response.
To have concerns about the impact of publicity regarding a cyber breach is natural. Many note that, at least here in the UK, there is usually no obligation to report an incident to a regulator (though that is shortly to change with the incoming General Data Protection Regulation). Disclosure could impact share price, result in a loss of customer confidence, and damage your brand. However, each of those problems is magnified tenfold when a breach which has been concealed by management is publicised.
Following a slew of negative press, Uber is once again in the spotlight after a Bloomberg story broke the news that in October 2016, the unencrypted personal data of 57 million employees and customers was downloaded by hackers. After tracking down the hackers, Uber paid them to destroy the downloaded data (which comprised names, email addresses, and phone numbers), and apparently obtained written confirmation that the data would not be further disseminated. Regulators were not notified, despite obligations to do so existing in some of the jurisdictions involved.
Now Uber is facing the fallout, with regulators across the USA, the UK, Australia and even the Philippines launching investigations. In the UK, the National Cyber Security Centre is investigating. The UK's Information Commissioner (ICO) has confirmed that the attempt to conceal the incident will result in higher fines – time will tell, but given the number of data subjects, the fact that the data was unencrypted, and Uber's attempts at secrecy, it may be that a new record fine will be imposed.
So what should have been done?
When Uber became aware of the breach, the ICO and other relevant regulators should have been informed. As the data was both unencrypted and provides some basic building blocks for identity fraud, serious consideration should have been given to notifying the data subjects. Indeed, in some of the jurisdictions involved, Uber would have protected itself against liability to data subjects simply by making that notification. The company's external-facing message should also have been determined. To lessen reputational damage, the message could have focussed on the steps taken to contain the breach, the efforts made to minimise risk for those affected, and confirmation that the relevant authorities had been informed and were receiving full cooperation.
Companies collect, process and store vast quantities of data, and must ensure that they are ready to respond should a breach occur. A timely and appropriate response often depends on the existence of a practical and coherent crisis management plan. However, a surprising number of companies and other entities have yet to develop one. With the increase in cyber attacks, and the imminent increase in fines for non-compliance with data protection requirements, now would be a good time.