In November, Uber revealed that it had suffered a massive data breach, in which the personal data of 57 million users and drivers may have been exposed.
Although the breach was notable for its size, Uber’s response was even more newsworthy. The company admitted that it had failed to notify regulators and data owners, as required by US state laws. It also revealed that former executives had decided to pay hackers USD 100,000 to delete the stolen data.
The failure to report the data breach, which occurred in 2016, happened under the watch of Uber’s former Chief Executive Travis Kalanick, who left the technology company in June. Uber has since fired its Chief Security Officer, Joe Sullivan, and three other employees. In a blog post, Uber’s new CEO Dara Khosrowshahi said there were no excuses for the company’s actions.
The company now faces multiple regulatory investigations in the US, UK and Australia, as well as legal actions in a number of US states. For example, the City of Chicago is suing Uber for damages on behalf of its citizens caught up in the breach, and is calling for the firm to be fined under consumer fraud legislation. The company also faces a number of class actions in the US, both from those affected by the breach and from shareholders.
NOTIFICATION DELAY LIABILITY
The incident highlights the importance of corporate culture and leadership in cyber security. It also shines a light on the emerging liabilities of delaying or failing to disclose or notify a data breach, and the potential implications for insurance coverage.
Equifax, in its recent data breach, took 41 days to disclose that hackers had accessed 143 million credit records. Yahoo recently revealed that it is being investigated by the Securities and Exchange Commission (SEC) for its two-year delay in reporting a 2014 data breach involving 500 million users.
Publicly traded companies in the US must notify the SEC of any data breach that may have a material impact on their operations. However, the SEC recently admitted that it had taken eight months to disclose its own data breach in 2016 that may have allowed criminals to access and use non-public information for insider trading.
Lawmakers are looking at ways to ensure the prompt notification of data breaches, according to an article on The D&O Diary, a website covering Directors & Officers (D&O) liability. For example, as part of the Data Security and Breach Notification Act, the US Senate has proposed new criminal penalties for executives who intentionally conceal a data breach, including fines and up to five years’ imprisonment.
The EU is also looking to shorten the time taken to report a data breach. The General Data Protection Regulation (GDPR) will require organizations to notify the regulator of a data breach within 72 hours. Failure to comply with the GDPR carries potentially large penalties: up to 4% of annual global turnover or EUR 20 million.
Seventy-two hours is not a long time in which to establish the facts of a data breach with confidence before notifying regulators and, potentially, data owners. The D&O Diary argues that the tension between reporting requirements – the duty to disclose to the regulator versus the risk of inaccurate disclosure – will be a challenge for organizations and their managers, as well as a source of significant liability.
Data breaches like Uber’s, where companies fail to notify the regulator as required by law, may not be covered by insurers.
In addition to late notification clauses, cyber insurance policies typically exclude the actions of rogue employees, although it is possible to buy back cover for non-executives. Cyber policies will also exclude fraudulent and criminal acts, especially those of senior management and heads of IT.
For further information please contact Martin Delaney, Senior VP, Leader, Cyber & Risk Management Services at ClientFirst@jltcanada.com