Improving New Zealand’s Privacy Law After the Uber Breach

Written by Privacy Foundation NZ

Published on January 16, 2018

Commentary and Articles

Contributed by Reuel Baptista

Since launching in 2009, Uber has expanded to 82 countries, and in New Zealand it operates in five cities. Uber enables users to conveniently order and pay for a ride through its smartphone app. However, Uber gave its users an unwelcome early Christmas present in November 2017 when it announced that it had suffered a data breach in October 2016 affecting riders worldwide and drivers in the United States. There is a lot we can learn from this incident, particularly about the need to establish a data breach notification requirement in New Zealand law.

 

The breach and response

According to information provided by Uber and the media, the attackers obtained login credentials for Uber’s Amazon Web Services (AWS) account from the company’s developers, used those credentials to access the AWS account, and stole user data. Uber identified two unnamed individuals that it believes were responsible for the attack and paid them US$100,000 under Uber’s bug bounty programme to remain silent about the breach and delete their copies of the data [1]. A bug bounty programme exists to reward researchers who report vulnerabilities so they can be fixed; paying people who have already taken data to stay quiet is a very different thing, and it is what turned this incident from a breach into a cover-up. Uber states that riders’ “names, email addresses and mobile phone numbers” were stolen, along with “the names and driver’s license numbers” of Uber drivers in the United States [2]. Fortunately, more sensitive information such as credit card details, location history or dates of birth does not appear to have been stolen.

 

On 21 November 2017, over a year after the incident, Uber acknowledged it had been breached. On the following day, Uber informed the New Zealand Privacy Commissioner about the breach [3], which affected approximately 100,000 riders in New Zealand alone [4].

 

Data breach notification requirement

Uber’s failure to disclose the breach in a timely manner is disappointing and, in countries with data breach notification laws, may even be illegal. These laws require organisations that have suffered a data breach to notify the affected individuals (and usually the regulator) and to take steps to mitigate the potential impact of the breach. Organisations that do not comply can face large fines. Notifying affected individuals about these incursions into their privacy gives them an opportunity to take appropriate precautions; in this case, for example, to be wary of phishing emails and text messages that use the stolen names, email addresses and phone numbers to impersonate Uber. It also encourages organisations to tighten their information security in order to avoid the embarrassment of falling victim to a data breach [5]. Currently, the Canadian Privacy Commissioner [6] and regulatory authorities in a number of American states [7] are investigating Uber’s failure to disclose the breach in accordance with their data breach notification laws.

 

With data breaches now a common occurrence, countries are implementing their own data breach notification requirements. Australia has passed a data breach notification law that comes into effect in February 2018 [8]. It requires an organisation that has suffered a data breach to notify affected individuals if a “reasonable person believes” that the breach is “likely to result in serious harm” to those individuals. In Europe, the General Data Protection Regulation (GDPR), which applies from May 2018, contains data breach notification rules. They require organisations worldwide that hold the personal data of individuals in the European Union (EU) and suffer a data breach to notify the relevant supervisory authority without undue delay (where feasible, within 72 hours of becoming aware of the breach), and to notify the affected individuals if the breach is “likely to result in a high risk to the rights and freedoms of natural persons” [9]. Both the Australian and the European law impose large fines on organisations that fail to meet these notification requirements.

 

In New Zealand, organisations that have suffered a data breach can voluntarily inform affected individuals and the Privacy Commissioner. Uber’s response to this data breach demonstrates the need for a mandatory data breach notification requirement in New Zealand. The Privacy Commissioner, John Edwards, said in a press release about the Uber data breach: [10]

“While I am pleased the local representative of Uber has notified my office of the issue, the one-year gap between the breach and notification shows why breach notification should be mandatory.”

A data breach notification requirement will help to further safeguard individuals’ privacy and bring our privacy law into line with international standards. The Privacy Commissioner has stated that this requirement should be implemented as part of the Privacy Bill that will update the existing Privacy Act 1993 [11].

 

While data breach notification laws overseas did not lead Uber to report its breach in a timely manner, they are nevertheless a useful way of fostering greater accountability and responsibility for information security amongst organisations that we entrust with our personal information.

 

 

[1] Eric Newcomer, “Uber Paid Hackers to Delete Stolen Data on 57 Million People”, 22 November 2017, Bloomberg.

[2] Dara Khosrowshahi, “2016 Data Security Incident”, 21 November 2017, Uber Newsroom.

[3] “Privacy Commissioner monitoring Uber data breach”, 23 November 2017, Office of the Privacy Commissioner.

[4] Shannon Redstall, “100,000 Kiwi Uber users hacked”, 21 December 2017, Newshub.

[5] Bruce Schneier, “Breach Notification Laws”, 21 January 2009, Schneier on Security.

[6] Matthew Braga, “That Uber breach? Privacy commissioner is now investigating”, 11 December 2017, CBC News.

[7] Nicole Perlroth and Mike Isaac, “Inside Uber’s $100,000 Payment to a Hacker, and the Fallout”, 12 January 2018, New York Times.

[8] Privacy Amendment (Notifiable Data Breaches) Act 2017 (Australia).

[9] Regulation (EU) 2016/679, General Data Protection Regulation, arts 33 and 34.

[10] “Privacy Commissioner monitoring Uber data breach”, 23 November 2017, Office of the Privacy Commissioner.

[11] “Briefing for the Incoming Minister of Justice: Hon Andrew Little”, October 2017, Office of the Privacy Commissioner.