Turning Bad Breach Response Up to 11: Uber Shows Us What (Else) to Avoid in Response to a Breach

At the recent 2017 GreyCastle Cybersecurity Symposium: Generation Cyber, I had the pleasure of presenting the “Top 10 Legal Pitfalls to Avoid in Relation to a Data Breach.”

My pitfall list included:

  • Going without legal advice
  • Failure to preserve the attorney/client privilege
  • Failure to prepare
  • Not knowing what data you have or where it resides
  • Not knowing where your data is from
  • Not knowing your regulators
  • Regulatory myopia (focusing too tightly on your primary regulator)
  • Failure to preserve evidence
  • Not following your plan
  • Not learning from the breach and how you responded

It was a lively conversation at the symposium, and I barely got through the first few pitfalls on my list before the conversation took over the presentation. Clearly, not enough thought is being given to the legal ramifications of a data breach. I am always surprised by how some skilled and experienced security professionals can lack even a basic understanding of the benefits of the attorney-client privilege in conducting a risk assessment, for example, or the hyper-complexity of cybersecurity regulation in the U.S.

This is not necessarily the fault of the security profession, however.  In many organizations, security professionals are being asked to wear too many hats, including:

  • Legal - organizations often rely on their security professionals to provide legal advice concerning compliance obligations;
  • Internal Audit - organizations without (or sometimes even with) an internal audit function turn to their security professionals to fill gaps concerning internal compliance monitoring;
  • HR - security professionals are being asked to draft social media policies that comply with NLRB standards and otherwise undertake security training efforts without HR’s assistance; and
  • Privacy - as the lines between privacy and security blur, security professionals are expected or assumed to be privacy experts, although privacy is a different (albeit related) discipline entirely.

Too often, the legal aspects of a data breach are not considered until it is too late.  And these considerations are growing, although they are all too often based on simple common sense.  Case in point, the Uber breach, where it has been reported that certain Uber staff paid the hackers $100,000 to delete the stolen data, to cover up the extent of the breach.

Given this latest debacle, I am adding an eleventh pitfall to my list:

  • Covering up the breach

Of course, this pitfall should go without saying. Uber staff paying off the bad guys to delete the data is like a bank manager paying off the bank robbers to burn the money they stole: it is pointless, and it doesn’t erase the fact of the theft.

How to address this kind of panic-driven response in an organization: amnesty. A data breach is the only situation in which your organization will be the victim of a crime, but treated as a pariah, both publicly and by your regulators. Keep in mind, despite Uber’s catastrophic failure concerning this breach (which began through compromised credentials to a cloud hosting service), Uber was the victim in the first instance. It lost any ability to claim victim status when certain of its staff undertook the cover-up to protect their own positions at the expense of the company. Only by making clear to every member of your organization, from the board room to the server room, that reporting a breach will never result in employee discipline or loss of position can an organization hope to combat the kind of self-interest seen with Uber, which can, and in this case will, have catastrophic repercussions.
