Management Information System 4
Uber’s decision to pay a ransom to delete stolen data will have a negative impact on all digital service providers
NOVEMBER 27, 2017 Julia Apostle
Uber last week revealed its latest own goal, spectacular for its lack of judgment, even by the ride-hailing company’s standards. Dara Khosrowshahi, the chief executive, announced that in 2016 the company experienced a massive data breach, resulting in the theft of information about 57m users and drivers worldwide.
Instead of disclosing the incident when it was discovered, senior executives decided to pay a ransom of $100,000 to delete the stolen data.
It is hard to imagine a worse response to a data breach, and Uber will suffer heavy consequences. Data privacy regulators in the US, UK and Italy have announced plans to investigate, and a class-action lawsuit has been filed in California against the company.
Uber has apologised for the breach, which happened under the watch of former chief executive Travis Kalanick.
“None of this should have happened, and I will not make excuses for it,” Mr Khosrowshahi wrote.
But this latest scandal is not just bad for Uber. By handing those in favour of stricter privacy regulation a new stick with which to beat the tech companies, Uber’s behaviour will have a negative impact on all digital service providers. Rightly so, some will argue. The distinction between the Silicon Valley tech companies and traditional industries has become increasingly blurred.
Europe is experiencing a turning point when it comes to the regulation of personal data. The EU’s General Data Protection Regulation comes into force next year and its impact on companies that process personal data will be substantial. According to a study conducted by the International Association of Privacy Professionals and EY, members of the Fortune 500 will spend a combined $7.8bn on compliance measures.
Cost is probably the most straightforward aspect of the compliance regime created by GDPR. The scope of the obligations imposed on data controllers is nothing less than daunting. But the law is a fait accompli, with the text set in stone before the boards of most companies even knew the law would apply to them.
The Uber data breach has implications for us all
Copyright The Financial Times Limited 2017. All rights reserved.
There is more to come. Still in the pipeline is an expanded Regulation on Privacy and Electronic Communications (ePrivacy Regulation), which will replace the 2002 ePrivacy Directive. The final text of the regulation has not yet been agreed but the European Parliament last month approved the most recent draft of the law.
Whereas GDPR focuses on general uses of personal data, the ePrivacy Regulation will supplement it with additional rules targeted at electronic communications services, the use of cookies, online behavioural advertising, direct marketing and machine-to-machine communications (the “internet of things”).
Fines for violations will be as high as under GDPR — potentially into the millions. And let us not forget the Directive on Security of Network and Information Systems, the first piece of EU-wide legislation on cyber security. It was adopted in July 2016, and member states have until 2018 to enact it.
Given the global scope, significant costs and compromises required to achieve compliance under these new laws, it is surprising how little serious public debate there has been as to whether the means adopted are proportional to the desired ends — namely the protection of individual privacy and modernisation of the data protection framework.
This is why the Uber data breach and how it was handled is not just a problem for the company. Bad news makes good headlines, but it also makes bad law. The temptation to cite Uber’s failings as the justification for tougher privacy rules, or a stricter interpretation of existing laws, should be resisted and more scrutiny should be applied to what our legislators are already doing.
The writer is former lead counsel at Twitter UK