LJN Cybersecurity Law & Strategy
The 2016 data breach involving 57 million Uber riders and drivers and the ensuing efforts to conceal the breach appears to have tapped into the public’s — and the government’s — frustration with a series of increasingly large data breaches experienced by some of our most visible companies and institutions.
Uber has incurred significant legal and reputational exposure as a result of the way that the company handled the breach. In the coming months, there will be a great deal of information and regulatory and judicial action that will act as guidance, or more precisely, a checklist of what-not-to-do, for companies that suffer a data breach.
Regaining Trust: The Chief Privacy Officer
The CEO has announced Uber’s intent to put integrity at the core of every business decision and to work to regain the trust of its consumer customers. That commitment, and the steps taken pursuant to that commitment, will be critical to mitigate its legal and reputational exposure and survive the impending inquiries and actions. One key to that commitment should be the development and maintenance of an independent privacy function at Uber.
Although we don’t yet know all of the Uber players involved in the breach cover-up, it appears that the breach response was directed by three Uber officers: the CEO; the CSO (chief security officer); and the inside counsel responsible for regulatory compliance and law enforcement. According to news reports, the privacy function was subsumed in the CSO’s duties, although presumably inside counsel was also involved in the consideration of the privacy issues posed by the breach. Uber does not, however, have a separate CPO (chief privacy officer).
How would a CPO’s involvement have impacted the breach response? It is not possible to know for sure without knowing more about the facts and the decision-making process, but looking at the core functions and motivations of each officer demonstrates a likely need for a CPO.
The Role of the CPO
The CEO’s primary duty is to plan and manage the overall business strategy for the company and to manage or oversee management of the related day-to-day activities of the company. The CEO reports to the Board of Directors and has responsibility to the company’s owners but, as Uber is not publicly-traded, there is no direct duty to shareholders and no direct regulatory oversight. In a privately-held company where the CEO is the founder and determines the culture and business strategies, it may not be uncommon for the CEO to make independent business decisions involving data breach response. The incentives are to protect the company and its value. This is oversimplified and does not take into account whether or not the CEO had the responsibility to consult with the Board or the investors in this case. The CEO’s focus would, however, have been on the company’s business objectives.
The CSO protects company data and systems. Generally, the CSO is data-neutral. The business function of the company assigns value to the data and the CSO works to protect it in accordance with the company’s objectives. In a data breach situation, the CSO’s focus is on containing the breach, protecting company systems, and recovering the data, or ensuring that there is no further disclosure of the data.
Inside counsel is responsible for determining and advising executive management regarding the applicable legal requirements and company compliance. The inside counsel’s incentives are to determine the legal requirements applicable to the company’s business strategies and practices.
This too is a generalization that does not address all of the counsel’s responsibilities in the data breach context, but it should be fair to state that, at a minimum, counsel’s focus in that context is on ascertaining the company’s legal obligations and advising the CEO and the CSO in that regard.
The CPO’s primary duty is to consider the privacy obligations and goals of the company and to align those with the company’s business goals. In a data breach situation, the CPO would advise the CEO, counsel and the CSO on developing and implementing the response strategy with respect to the privacy issues implicated by the breach. It is not clear whether or not Uber had a formal data breach response plan in place at the time of the breach, but a CPO would have ensured that there was one and that it addressed the roles and responsibilities of each member of the response team (including the CEO, counsel and the CSO) and provided a formal mechanism for decision-making during the response period.
In this breach response, the CPO’s role would have been to consider the legal guidance and the privacy values and objectives of the company. If Uber’s commitment had been to transparency and fairness in its privacy decision-making, this may have prompted the CPO to advise: notifying the consumers, even in those cases where notice may not have been technically required; reporting to regulators of U.S. states or municipalities with whom Uber had signed agreements regarding its privacy or security practices; notifying the regulatory authorities in other countries where such notice may have been required; and raising the breach and response with the Federal Trade Commission in the course of its enforcement action against Uber for a previous, and not entirely dissimilar, breach.
Further, an independent CPO works with and reports to the CEO but is ultimately responsible to the Board, much like an independent ethics or audit function. In this case, if the CPO had escalated these issues to the Board, there would have been additional oversight of the response strategy. It appears that there was not one person directly involved in the breach response whose sole, or primary, function was privacy.
Implementing the CPO Role
In order to address regulatory and consumer concerns, Uber should consider putting privacy in the core of its decision-making as well. A CPO and privacy team that reports separately to the CEO and the Board would ensure the independence of the privacy function and the commitment of the company to privacy. Stated privacy commitments to data minimization, fairness, transparency, access and redress with concomitant build-outs in process and infrastructure, would alleviate concerns about the reoccurrence of concealment efforts in response to a data breach and would also make proactive steps toward a privacy and consumer-focused service. Indeed, consumer riders want the following from Uber: ease and convenience of transport; reasonable pricing; physical safety; and data privacy. By affirmatively committing to enhanced privacy practices favoring consumers, Uber could improve the value of its service and brand.
An Action Plan
An incoming CPO would evaluate Uber privacy practices, including the following:
Uber has committed to tracking rider locations only while riders are using the Uber app. Is that limited to calling for a ride or requesting pricing on a ride, or is location tracked whenever the app is open?
Minimization of personal data collected and retained
Does Uber collect only the information that it needs to facilitate rides and payments for rides? This relates to the geolocation issue above. What does Uber need to know? The name of the person? Their contact number? Method of payment? Billing information? For example, currently, it appears that you can add payment methods to the app or change primary payment methods, but it is not readily apparent how such payment information may be deleted. This may result in Uber retaining more personal information than it needs to provide the service.
Currently, Uber appears to offer only an automated app response contact for customer care. The options for this care are limited. For example, there appears to be no way to reach a live person or to raise a concern not specified by the app. How does the rider raise a privacy concern? If you have a question about an Uber charge to your payment method, the app asks you for specific transaction information that you would not have if you did not order the ride. And, there is no way to dispute more than one charge at a time. The information fields have to be entered individually for each separate charge. It is easier to file a complaint with the FTC about Uber online than it is to register a complaint directly with Uber.
Uber has indicated that it masks the rider’s telephone number, affording the driver a way to contact the rider without having access to their individual number. How does this work? The driver has the rider’s name — is this limited to first name only? What other precautions are taken to protect disclosure of personal information to the driver? Is the transmission of personal information via the app adequately protected from third party interception? Is it encrypted? What other steps are taken during transmission? How is the information secured while maintained by Uber? Does Uber retain only the information necessary to continue providing rides? If a rider deletes the app, is their personal information deleted from Uber systems? If not, how can the rider ensure that this is done? Are there adequate administrative, physical, and technical controls to limit access to the personal information and to ensure its security and integrity?
The above is just a quick highlight of potential privacy issues; these may have already been considered or addressed by Uber. The intent is to illustrate that the CPO can conduct a thorough privacy assessment of current practices and develop a privacy framework and procedures for the company, which may not already be addressed by management or security or legal.
The recommendation is that Uber, and other companies, consider whether or not an independent privacy function would better protect the company from data breaches, botched responses, and other liability and reputational exposure and be used to bolster the company’s reputation and value.