Uber reached a deal with the 50 states and the District of Columbia to pay a record $148 million fine following last year's disclosure of a data breach, which took place in 2016. As part of the settlement Uber has to adopt breach notification and data security standards; implement a corporate integrity program; and hire a third-party to audit Uber's data security portfolio.
Last November, Uber disclosed that a data breach had compromised the personally identifiable information of 57 million users and drivers. The PII includes sensitive information like driver's license numbers and mobile phone numbers. Since then, the company has worked on settlements with regulators like the Federal Trade Commission regarding its deception on privacy and data security policies.
The state attorneys general, in addition to punishing the breach, highlighted the severity of failing to disclose in a timely manner. "Uber's decision to cover up this breach was a blatant violation of the public's trust," said California Attorney General Becerra in a statement. "Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law." Each state and Washington will receive a part of the settlement. California will receive $26 million as part of the settlement, one of the largest penalties. The settlement will also allocate $5.1 million to New York, $5.8 million to Washington state and $2.6 million to the District of Columbia.
Arguably, data breaches have become commonplace. But what makes Uber stand out in a world riddled with cyber risk is the company's effort to hide its trail, covering up the initial incident and paying hackers to delete the compromised data.
It is standard practice for bleeding-edge companies to ask for forgiveness rather than permission. As technologies are deployed at scale, they can create tension among consumers and regulators, with outcries over business or ethical violations. But corporate negligence does not go unnoticed, and the repercussions for incidents are becoming more severe.
The record fine certainly sends a message to the industry that law enforcement and regulators are "very serious about transparency," said Avivah Litan, VP and distinguished analyst at Gartner, in an interview with CIO Dive.
The fine against Uber was so steep "largely because they kept it secret for so long," she said. As a result, what we're seeing is a "bigger stick punishing companies when they can for things like this."
Investments in security are driven by enforcement, fines and reputation. As more companies are heavily fined and face repercussions for business shortcomings and failing customers, more executive leadership will take notice of the necessity for security.
The lesson from Uber is that failure to disclose has a negative impact, a message to big tech firms and companies like Uber that they are not above the law, according to Litan. "Regulators are happy to make that clear."
The fine against Uber may appear disproportionately large. The average breach costs a company $3.86 million, with each lost or stolen record costing a company $148, according to a Ponemon Institute study sponsored by IBM Security.
Put in that context, Uber is getting away with a deal, considering the personal information of 57 million accounts was compromised. But with 75 million current riders and 3 million drivers, the breach could have been far worse.
The company has a long way to go to regain trust in its security and privacy portfolio. To help, Uber has brought on a chief trust and security officer to replace its former CIO, who was fired in the wake of the breach revelations. The company also hired a chief privacy officer and installed additional security features that promote the "physical and digital safety" of its customers.