Uber’s corporate governance practices are in the spotlight following the company’s mishandling of a data hack that took place at the end of 2016. But what went wrong and what lessons can UK corporates learn from the situation?
It has been revealed that Uber suffered a serious data security breach in November 2016, exposing the personal information of around 57m users to potential misuse. This is not surprising in itself – many large companies have faced similar attacks and managing the risk of data theft is now part and parcel of corporate life. What is surprising, however, is that instead of owning up to the data breach and dealing with it in a transparent way, individuals at the company attempted to push it under the carpet and paid the hackers to keep quiet about it.
Reflecting on these events, it seems quite naïve for those responsible to believe they could keep a breach on this scale under wraps indefinitely - it was bound to come to light at some stage. The fact that the cover-up took place at all also suggests the culture and values of the organisation are fundamentally flawed.
A report published by former attorney general, Eric Holder, in September last year highlighted the need for greater corporate accountability at Uber, calling for changes in senior leadership and for cultural values to be rewritten to ‘reflect more inclusive and positive behaviours’. More recently, Uber’s CEO, Dara Khosrowshahi, who took office in August 2017, has spoken out about the data breach and cover-up, promising that the organisation will learn from past mistakes and put ‘integrity’ at the heart of its decision making.
When businesses fail to do the right thing, or react in the right way, the cause is often more embedded than might at first appear. In this case, Uber had experienced rapid growth and senior managers within the business may have lacked the experience or gravitas to lead the organisation in troubled times. Their attempt to hide the breach from General Counsel and the Board also indicated a deep-seated lack of transparency and cultural desire - probably inspired by those at the top of the organisation - to get ahead at any cost.
In fast-growing companies, there can be a tendency for senior managers to view regulatory controls as ‘obstacles’ that need to be overcome, and proper operating procedures can easily become overlooked. This lack of regard could leave the organisation exposed to a wide range of compliance-related issues that could have serious financial and/or reputational repercussions.
For Uber, the true cost of its data breach and subsequent mishandling could run to many millions of dollars as the company is already facing a number of legal actions in the US, with the prospect of more to come following investigations by regulators in the UK and Europe, Australia, the Philippines and elsewhere. This is likely to leave a significant dent in the company’s valuation for some time to come as it seeks new investment.
For corporates doing business in the EU that want to avoid getting into a similar situation, there is action they can and should be taking. Ensuring compliance with the General Data Protection Regulation (GDPR), which is due to take effect across the EU (including the UK, Brexit or no Brexit) from 25 May 2018, is an important first step and includes the requirement for organisations to disclose any data security breach to the relevant authorities within 72 hours. It is worth noting that had Uber’s data breach taken place after this date, it could have faced a fine of up to 4% of global annual turnover.
All corporates need to be prepared for a potential cyberattack and have processes and procedures in place to deal with any events and guide the organisation’s response efficiently and transparently.
For example, the company should, in appropriate cases, prioritise communicating information about the data security breach to any affected stakeholders as quickly as possible, spelling out what information has been lost and any precautionary action that might be required.
The company should also carry out an investigation to find out how the breach occurred and to establish whether it could have been prevented. Forensic specialists may help to establish exactly what happened and identify areas of procedural weakness. A report should be produced explaining how all ‘reasonable steps’ are being taken to prevent a similar event from happening again, which could also help to minimise the company’s exposure to potential legal claims.
While most board-level decision makers understand the importance of data protection, a minority may still prefer to believe a data loss (whether from a cyberattack or lost laptop) won’t happen to them. This is a high-risk strategy and could leave the company exposed to significant financial and reputational damage in the future. For Uber, much is resting on the success of its current damage limitation strategy and, in the meantime, its governance-related misdemeanours could end up driving customers into the arms of more accountable competitors.
Kim Walker is a partner and corporate governance specialist at legal firm Shakespeare Martineau.