For the firms that rule the roost in the data economy, their greatest asset is also their greatest liability. They need data to survive, but mistreating it could be their demise.
After a year of silence, Uber admitting it suffered a data breach of 57m names, email addresses, and mobile phone numbers appears all the more egregious.
The firm’s greatest mistake was paying a bribe to hackers and keeping it secret – acting as if it were above the law, pretending as if nothing happened.
Uber spans 84 countries – some 737 cities. The data which drives its success falls under so many compliance regimes, it borders on the absurd that non-disclosure was even considered.
You’d hope someone was fired for such gross amateurism – and they were.
Breach disclosure is central to nearly every piece of data protection regulation the world round, usually backed up by a penalty structure. If a global firm fails in its most basic duty to protect its stakeholders, many questions, in many courts of law, must be answered.
In the US, federal courts are divided over how to treat data breach lawsuits. Most analysts this morning are saying penalties from various class action lawsuits could run into the hundreds of millions. In Australia, a maximum penalty of $1.8m is enforceable. In Brazil it’s 10 per cent of domestic gross income. The list goes on, and Uber is accountable to every jurisdiction.
As of next year, under the EU’s General Data Protection Regulation (GDPR), when handling EU citizens’ data, firms will be liable to pay four per cent of global group revenue for failing to notify of a breach within 72 hours. Uber knew about this for a year.
On gross bookings of $20bn (as of last available figures in 2016) and net revenues of $6.5bn, were the GDPR already enforced, Uber would be liable to pay $260m in penalties in the EU alone.
Add in the price of lawyers, consultants and other third parties brought in to clean up its mess, and hypothetically (again, were the GDPR enforced), at a conservative estimate, this breach alone could cost the firm close to half a billion dollars.
It is likely no coincidence that the breach was announced now, rather than next year.
Firms like Uber need the data consumers provide them to generate profit. They are nothing without us. A value exchange exists – we give them data, they improve their service. Uber has stuck two fingers up to every driver and rider by not declaring a problem in the first instance.
Ignoring a problem doesn’t make it go away, it makes it a hundred times worse when it invariably surfaces – just ask Yahoo. The blow to Uber’s already tarnished reputation could cost it dearly.
This simply won’t pass for acceptable any longer, the stakes are too high. The giants of the data economy may rule the roost, but they are not above the law. Either play ball, or suffer the consequences.