*Reassuringly dull cyber security

To disclose or not to disclose a data breach?

Back
disclose data breach

BBC News has reported that Uber’s former chief security officer (‘S’) has been accused of trying to cover up a data breach that exposed the details of 57 million Uber drivers and passengers.

Uber has previously admitted to paying a group of hackers a $100,000 (£75,000) ransom to delete the data they had stolen, and S is accused of approving the payment, which was made in bitcoin, to stop the Federal Trade Commission (FTC) from finding out about the hack. (The payment was apparently disguised as a “bug bounty” reward, used to pay cyber-security researchers who disclose vulnerabilities so that they can be fixed).

On the surface it’s understandable that some organisations wouldn’t want to admit they have suffered a data breach – it’s embarrassing and likely to result in loss of reputation. After all, who wants to trust their personal information to an organisation that can’t protect it? As Mark Zuckerberg once said “We have a responsibility to protect your information. If we can’t, we don’t deserve it”. In addition, there is the possibility of being fined. Quite a lot of money.

In Uber’s case, as a result of the breach becoming known, it eventually paid out an eye-watering $148m (£113.5) to settle claims by US regulators. Ouch!

Any company that either operates within the EU, or which offers goods and services to customers or businesses within the EU, must comply with the GDPR. And under the GDPR, an organisation suffering a data breach can be fined up to €20 million or 4% of turnover, whichever is the higher. Double ouch! For a reminder of the provisions of the GDPR and what it means for UK businesses, download our quick guide here.

So, best not mention it then? Whoah – stop right there! That’s like jumping from the proverbial frying pan into the fire, as failing to report a breach is itself a breach of the GDPR – one that can result in a fine of up to €10 million, or 2% of turnover. Plus, a fine for the actual breach on top. Mucho ouch!

But here’s the thing. If you have adequate security controls in place (as per Article 32 of the GDPR), you have no reason not to notify the ICO of a data breach. Breaches are only made public IF enforcement action is taken. And enforcement action is only taken IF adequate controls have not been implemented in accordance with the GDPR.

The moral of the story? While it’s natural for an executive who discovers their organisation has suffered a data breach to want to conceal it, they should immediately suppress that urge. Honesty is always the best policy when it comes to cyber security and personal data breaches.

Instead, invest in both organisational and technical security measures that will not only help to prevent a breach in the first place, but will also drastically reduce the likelihood of enforcement action – and therefore public disclosure – of any subsequent breach.

A spokesman for Mr S stated that he denies the charges. He was fired by Uber and currently works as chief information security officer at a cyber security firm.

To find out more about the norm. Cyber Security as a Service (CSaaS) solution, which directly addresses the security controls laid out in Article 32 of the GDPR, click here.

If you’d like to know more about cyber security and personal data breach response, you can visit the website here.


Robert Wassall

Written by Robert Wassall
Robert Wassall is a solicitor, expert in data protection law and practice and a Data Protection Officer. As Head of Legal Services at NormCyber Robert heads up its Data Protection as a Service (DPaaS) solution and advises organisations across a variety of industries. Robert and his team support them in all matters relating to data protection and its role in fostering trusted, sustainable relationships with their clients, partners and stakeholders.

Appointing NormCyber as our virtual DPO has given Ferrero the best of both worlds – access to data protection experts who understand what we stand for as a business, without the hefty overheads usually associated with appointing an in-house DPO.

Harpreet Thandi
Regional Counsel, UK & Ireland, Ferrero

We were looking for a virtual DPO service that offered all of the benefits of a fully qualified data protection lawyer, without the overheads of an in-house hire. The DPaaS solution from norm. has been invaluable in helping us to ensure we respect the integrity of our customers’ personal information, while using it to continue to deliver differentiated products and services which support our growing customer base.

Mike Whitfield, Compliance Manager
Marmalade

CSaaS allows me to step away from multi-vendor management as the Security Operations Centre coordinates all of the technology for me.

David Vincent, CTO
Perpetuum

We were in the market for an independent Data Protection Officer service that was well versed with both UK and EU regulators. We’re thrilled to have acquired this service knowing that an expert is available 24/7.

Suzanne McCabe, Head of Project Management
James Hambro & Partners

Norm’s penetration testing layer, along with the suite of CSaaS modules has enabled MA to exceed all its audit requirements for its major clients.

Rob Elisha, ICT and CRM Manager
Montreal Associates

The speed of your Data Protection Officer’s response was very impressive – it was far quicker than I would have expected even from an in-house DPO

Will Blake, Director of Technology and Analytics
CRU Group