Last week Uber found itself caught up in another global media storm. It had failed to disclose a serious data breach suffered over a year earlier. In doing so it demonstrated exactly the thinking behind the swingeing penalties in the new GDPR regulations, which come into force in May 2018.
The cyberattack in question exposed the data of around 57 million drivers and passengers. Uber admitted paying the hackers $100,000 to delete the data and, most seriously, to keep the breach quiet. This allowed Uber to say nothing: to customers, to drivers or to the world at large.
In a statement on Tuesday CEO Dara Khosrowshahi acknowledged “none of this should have happened” and committed to “changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
But commitments to doing things differently won't be enough from next May. Under the General Data Protection Regulation (GDPR), companies will have just 72 hours from becoming aware of a breach to notify the regulator, and where the breach is likely to put individuals at high risk they must also tell the affected customers without undue delay, including what categories of personal data were compromised. This is no mean feat when that kind of detail often doesn't become clear to a company until weeks after the breach is first detected.
Failure to abide by these rules could see fines of up to €20m or four per cent of global annual turnover, whichever is higher. Had Uber's breach fallen under the new regime, its scale and the deliberate secrecy around it would have given the regulator good reason to err towards the top end of the scale, which for Uber would mean a potential fine of an eye-watering €220m.
Put simply, the stakes around data breaches are about to get significantly higher, yet the government's latest Cyber Governance Health Check shows just 6% of FTSE 350 boards are fully prepared for the new laws.
Cyber risk is a reputational and now a financial issue, not purely an IT one.
So if, at the next boardroom discussion, someone asks "Are we safe?", they're asking the wrong question and likely to get the wrong answer. Instead they need to ask the following questions to find the business-critical gaps:
1. The knowledge gaps
Do we know what customer data is collected, where it is stored, how it is used and for how long it is retained? Do we know who can access customer information, and what level of security is required to do so? Do we have the appropriate consent, or another lawful basis, for the uses we make of the information collected?
2. The relationship gaps
Navigating a post-GDPR world successfully requires collaboration, understanding and accountability across leadership, business units, communications, technology, legal and customer teams. How often do these people get together? Do they know each other? Are they talking the same language?
3. The procedural gaps
How speedy and informed is our decision making? If we get hacked, how will we decide what to say, to whom, how quickly and when? Who will talk to the media? Who will talk on background? How quickly can we publish to our website? Who has the passwords to the social channels in the middle of the night? What crisis monitoring do we have in place?
4. The messaging gaps
In the event of a breach, how will we reassure customers, regulators and the media that we have taken our custodianship of their data seriously? Can we demonstrate ongoing internal awareness-raising and a culture of risk avoidance, with the records to prove it?
Once GDPR comes into effect, every executive at the boardroom table is accountable in the event of a breach. If you can't confidently get the answers to all these questions, it's time to rethink your GDPR strategy.