To disclose or not to disclose a data breach?


BBC News has reported that Uber’s former chief security officer (‘S’) has been accused of trying to cover up a data breach that exposed the details of 57 million Uber drivers and passengers.

Uber has previously admitted to paying a group of hackers a $100,000 (£75,000) ransom to delete the data they had stolen, and S is accused of approving the payment, which was made in bitcoin, to stop the Federal Trade Commission (FTC) from finding out about the hack. (The payment was apparently disguised as a “bug bounty” reward, used to pay cyber-security researchers who disclose vulnerabilities so that they can be fixed).

On the surface it’s understandable that some organisations wouldn’t want to admit they have suffered a data breach: it’s embarrassing and likely to damage their reputation. After all, who wants to trust their personal information to an organisation that can’t protect it? As Mark Zuckerberg once said, “We have a responsibility to protect your information. If we can’t, we don’t deserve it.” On top of that, there is the possibility of being fined, and fined a lot of money.

In Uber’s case, once the breach became known, it eventually paid out an eye-watering $148m (£113.5m) to settle claims by US regulators. Ouch!

Any company that either operates within the EU, or offers goods and services to individuals or businesses within the EU, must comply with the GDPR. And under the GDPR, an organisation that suffers a data breach can be fined up to €20 million or 4% of annual worldwide turnover, whichever is higher. Double ouch! For a reminder of the provisions of the GDPR and what it means for UK businesses, download our quick guide.

So, best not mention it then? Whoah – stop right there! That’s like jumping from the proverbial frying pan into the fire, as failing to report a breach is itself a breach of the GDPR – one that can result in a fine of up to €10 million, or 2% of turnover. Plus, a fine for the actual breach on top. Mucho ouch!

But here’s the thing. If you have adequate security controls in place (as required by Article 32 of the GDPR), you have no reason not to notify the ICO of a data breach. Article 33 requires you to do so within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; and where the breach is likely to result in a high risk to those individuals, Article 34 also requires you to tell them directly. Notifying the regulator does not in itself make a breach public: breaches generally become public only if enforcement action is taken, and enforcement action is far less likely where appropriate controls have been implemented in accordance with the GDPR.

The moral of the story? While it’s natural for an executive who discovers their organisation has suffered a data breach to want to conceal it, they should immediately suppress that urge. Honesty is always the best policy when it comes to cyber security and personal data breaches.

Instead, invest in both organisational and technical security measures that will not only help to prevent a breach in the first place, but will also greatly reduce the likelihood of enforcement action, and with it public disclosure, over any subsequent breach.

A spokesman for Mr S stated that he denies the charges. He was fired by Uber and currently works as chief information security officer at a cyber security firm.


Written by Robert Wassall
Robert Wassall is a solicitor, expert in data protection law and practice and a Data Protection Officer. As Head of Legal Services at NormCyber Robert heads up its Data Protection offering and advises organisations across a variety of industries. Robert and his team support them in all matters relating to data protection and its role in fostering trusted, sustainable relationships with their clients, partners and stakeholders.