The One Minute Takeaway
Uber’s international cover-up of a major data breach where 57 million driver and rider personal records were stolen is a lesson for all businesses. It’s not just Uber’s data breach but the decision to hide it that will cost the global rideshare powerhouse millions at least – and bring global regulatory and reputational challenges.
The only thing worse than a data breach in which 57 million records were stolen is covering it all up. Yet, that’s what Uber did. A year later, we’re told that the names, phone numbers and email addresses of 50 million Uber users, and the driver’s license numbers of seven million Uber drivers, were exposed.
Now there’s a lot more at stake than the $100,000 Uber gave the hackers to destroy their stolen data. Several public and private-sector organizations are suing Uber, including major municipalities and state governments, asking for thousands of dollars each day Uber failed to report the breach. Large class action suits and several international government investigations have commenced as well.
The amount of time and money this will ultimately cost Uber is unknown. What is clear is that this is just the beginning, and the Uber data breach cover-up will have a major impact on its bottom line and worldwide reputation.
So, what does this have to do with you?
As a business owner or operator, it’s time to face a stark reality. Data breaches are no longer a matter of “if,” but “when.” According to the Identity Theft Resource Center, 2017’s 1,339 total data breaches exposed 174,402,528 records. At big and small organizations alike. In every market sector. Being prepared for the inevitable has never been so important.
If there’s one lesson to be learned from the mistakes of the leading global rideshare company, it’s that the cover-up is always worse than the crime. Here are a few more lessons learned:
Don’t trust hackers. Negotiating with hackers to secure the data they stole from you, and trusting them to follow your specific requests, isn’t a good idea. Bottom line: Hackers are criminals, and can’t be trusted.
Report the breach. Not reporting or covering up a crime is a crime itself. Plus, a cover-up can have lasting legal and financial repercussions, including loss of cyber insurance coverage for expert representation and expenses.
Get experts involved. Report a data breach immediately to your attorney and insurance broker, who can quickly assemble a team of cyber breach experts to handle the mechanics of your recovery, investigation and regulatory compliance. Expert involvement is critical to ensuring you recover – quickly. According to the 2017 Cost of Data Breach Study by IBM Security and the Ponemon Institute, the cost of a data breach is reduced by $1 million on average for organizations that can contain their breach within 30 days.
Have a plan. Every business needs a cyber incident response plan. This plan will lay out the exact steps to follow when a breach occurs, and will take the guesswork out of what’s next. Company leadership should help develop the plan, identifying those responsible for each phase of implementation. Create it, test it, put it into action. It’s never too late to establish a cyber response plan.
Get insured. Your first line of defense against a costly cyber attack is cyber insurance. Cyber insurance covers your privacy attorney, IT forensic investigation, breach notification costs, any resulting federal and state fines and penalties and even a class action or third-party lawsuit that materializes down the road. Without it, these costs will come directly off your balance sheet. Because cyber insurance is so new, there’s no standard policy. Only an experienced cyber broker will make sure you’re adequately insured.
When the lawsuits start coming – and they will – alleging that you failed to prevent the data breach, directors and officers (D&O) insurance will protect your business, employees and leadership. D&O insurance covers defense costs and damages should any of your employees be named in a lawsuit, regulatory action or face allegations of misrepresentation or breach of fiduciary duties. Without it, your employees could be held personally liable for their actions on behalf of the organization. Think of D&O insurance as corporate and personal asset protection for your principal decision makers.
Learn from Uber’s Data Breach mistakes
Plan ahead now. Have a cyber incident response plan ready to go, and make sure you understand the parameters of your cyber policy, including the potential costs of a breach to your business. Finally, act honestly. It just might pay off in the long run.