Uber may be a smooth ride for those looking to get downtown in a hurry, but its privacy policies are in desperate need of a mechanic. In March, I summarized many of the privacy issues facing the transportation company as it defends itself against a potentially massive class action suit (see Reviewing the Rules of the Road Following Uber's 2015 Data Breach Response). In that post, I explained how Uber faces a bumpy road in the press as increased reports of data breaches, lax cyber security protocols, and even outright abuses of data collecting features garner more and more attention: Uber suffered a data breach affecting approximately 50,000 of its current and former drivers but waited nine months to report; the security key used during the breach was allegedly made publicly available on the internet via app development webpages; Uber executives have casually informed members of the media that the company can acquire personal information about journalists that had written critical articles about Uber; Uber's New York City general manager breached the firm's privacy policy by spying on a Buzzfeed technology reporters using the company's in-house "God View" tool which allows employees to access customers' personal information. At the surface, a casual observer would be justified in thinking that Uber does not hold customer privacy in high regard. Coincidentally (or perhaps not), Uber is today operating at $470 million in operating losses, with $415 million in revenue.
After so many controversies, Uber hired a new mechanic: Sabrina Ross, Apple's counsel specializing in privacy law. Ross joins Katherine Tassi, the former head of data protection at Facebook, who joined Uber as its managing counsel for privacy last August. Ross is focusing on privacy aspects of regulatory and policy issues at Uber by reviewing the privacy practices of its partnerships with companies like Spotify, Starwood, and American Express. Her focus is on improving employee training and technical systems while adopting a culture of privacy at the company. All in all, it looks like Uber is making an effort to prioritize the role of data privacy at the company. Indeed, in January, Uber commissioned a review of its systems from privacy specialists. The review reported that "Uber has dedicated significantly more resources to privacy than we have observed of other companies of its age, sector, and size."
Uber's new privacy strategy is great. The results are terrific. But the company has been around since 2009. Uber waited six years, and endured many data privacy controversies, before it took steps to genuinely value the role of privacy at the company. Better late than never? Absolutely. But Uber's delay in adopting a culture of privacy provides a powerful lesson to all companies, especially startups and developing businesses.
Last week, FIC Partner Ron Raether spoke at ACI's 16th Advanced Global Legal & Compliance Forum on Cyber Security & Data Privacy and Protection (a mouthful, I know). Ron spoke at length about the importance of companies adopting a "privacy by design" approach to cybersecurity and data privacy. Originally an engineering concept, privacy by design is an approach that takes privacy into account at all stages of the engineering process: conception, planning, construction, testing, marketing, and selling. That concept can be applied to the business context as well. Companies that adopt a privacy by design approach take privacy into account at all stages and areas of the business. This means from the boardroom to the boiler-room a company plans and acts to develop strong administrative, technical, and physical safeguards to protect private information. Privacy by design is about recognizing that data privacy is more than just a problem for the IT department-- it is an essential component to all aspects of the business and should be treated as such.
The example I use when talking about privacy by design is fitness. Anyone who has been on a diet or tried to get in better shape knows that it is much easier to reach your goals when you make healthy eating and exercise a part of your routine and lifestyle. This means that you plan ahead on how to include more fruits and veggies in your meals. You schedule a dedicated time and place to work out responsibly. You urge your spouse to stop stocking the fridge with so many sodas and sugary drinks. Adopting that mentality and lifestyle is much more effective than going on a starvation diet for a week, or burning yourself out at the gym without a plan for how you want to tone or build muscle. In short, tacking on healthy habits here and there is just not as effective as developing a healthy lifestyle. Privacy by design is about adopting that healthy lifestyle for the company.
So how does this apply to Uber? Uber is like the guy who realizes he has a month until the wedding and he needs to lose ten pounds fast. He can pull it off, but starting earlier and with a holistic attitude would have been better. Uber is playing catch up and tacking on a bunch of security and privacy policies after years of paying only lip service. Are the security and privacy policies good? Absolutely. But they are being employed after the filing of class action lawsuits, negative publicity, and a large pool of customers now hesitant to use Uber's services for fear of identity theft dangers. By adopting a culture of privacy early in the company's existence, many of the privacy incidents outlined in my first post could have been avoided. Adopting a privacy by design approach focused on employee training at all levels would have greatly discouraged the use of a security key being placed on publicly accessible app development sites. Privacy by design would have also warned Uber's New York City general manager against spying on technology reports using a tool permitting company members to access customer consumer information. A privacy by design approach would have discouraged the use of such a tool in the first place. Plus, adopting privacy by design early would have been more cost effective than having to dramatically employ new privacy protocols after so many years of doing business.
It is never too late to adopt a culture of privacy at your business. It is essential no matter how long the company has been in existence. But the lesson here is that no reason exists to wait until after so much damage has been done before taking privacy seriously. The earlier that a company can adopt a privacy by design approach, the better equipped that company will be to respond to any security incident competently, swiftly, and responsibly. In turn, the investment in adopting a privacy-by-design approach early will pay off in dividends as companies avoid negative publicity, fines, and lawsuits, while maintaining the trust of its customers. Every company regardless of size, age, or industry should take this lesson to heart. But start ups and businesses just getting off the ground have a great opportunity to adopt a privacy by design approach early-- showing customers that the company values privacy as much as they do. The bottom line is simple: Companies want to make money. Privacy by design helps companies keep money.
