If you've ever caught an Uber, you will appreciate the ease of use and the information that the application provides. While people have questioned the security of the rides (1, 2), until this week no one doubted the security of the application itself. So the news story that Uber tried to conceal the loss of 55 million users' details may come as a surprise.
In light of this, the two pieces of guidance recently released by the Information Commissioner's Office (ICO) should be of special interest to them: the first on personal data breaches and the second on fines (3, 4). So what constitutes a personal data breach, and what could this cost?
A personal data breach is defined as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed'. In addition, data breaches are grouped into one of three classifications: confidentiality, availability and integrity. A confidentiality breach is an unauthorised or accidental disclosure of, or access to, personal data; an availability breach is an accidental or unauthorised loss of access to, or destruction of, personal data; and an integrity breach is an unauthorised or accidental alteration of personal data. Given that very few details have yet been disclosed by Uber, it would appear that, at the very least, it has suffered a confidentiality breach.
So what fines can Uber expect, if any? The new regulations state that any action taken by a regulator should be 'effective, proportionate and dissuasive'. This will need to take account of the swiftness of action by the data controller, the actions taken since the breach was identified to help affected individuals, and the action taken to prevent further breaches. As to the entity against which the fine will be levied (bearing in mind that GDPR data breach fines can be up to 4% of turnover for an economic entity), the guidance states that this is 'the parent company and all subsidiaries'.
Given the breach was over a year ago and Uber's behaviour since (including paying a ransom to hackers to delete the data), could we expect the first fine under the GDPR to be over £100 million?