Uber is once again in the news for losing sensitive data. However, this round of data exposure is not the result of a facility breach at Uber. Earlier this year, assailants stole data from the New Jersey law firm Genova Burns, which was storing data about Uber’s drivers, including social security numbers, taxpayer identification, and other personally identifiable information (PII).
Why did the attorneys require access to this PII? The particulars are unclear. Officially, the firm needed the information to represent Uber in court. The only information in the public domain is the dates on which attackers bypassed the firm's security measures, the type of information taken, and the temporary security fix. Surely, this incident will become a riveting case study in third-party risk management. In this article, I will discuss three crucial lessons that businesses can learn from it.
The Importance of Business Partner Due Diligence
There is an obligation to conduct security due diligence on partner organizations. In the notification letter sent to affected drivers, the law firm stated that it had “secured the environment by changing all system passwords.”
That’s a warning sign. A password reset as the headline remediation raises suspicions that the firm was not using multifactor authentication (MFA) or other password best practices. It also raises questions about how long the firm intended to retain the data and what its procedure for data disposal was.
Did the law firm have security vulnerabilities? Probably. However, Uber’s view of the firm’s security posture is limited to audits and the responses it received. Uber likely undertook a comprehensive due diligence process before landing in this unfortunate situation. The sensitive client data that law firms hold attracts the attention of malicious actors, which highlights the necessity of strengthening their cybersecurity defenses.
How to Determine Liability for Data Exfiltration
Liability is a pertinent subject. If the law firm had a legitimate need to access the sensitive data, it is responsible for the resulting damages. Nonetheless, if the PII wasn’t essential to the firm's work, Uber’s disclosure of the information could be considered negligent.
This massive exposure of social security numbers will result in litigation. Uber and Genova Burns LLC will ultimately determine who is responsible for paying the damages. However, neither company’s payments are likely to come solely from its own pocket: cyber liability insurance exists for exactly such occurrences.
Managing the Brand Effects of Data Losses
Importantly, the impact on brand reputation can be long-lasting. This breach will undoubtedly hinder the law firm’s ability to recruit clients from large corporations. Observe, however, that none of the headlines read “Genova Burns Loses Sensitive Data.” The household name always receives the media attention. Uber has experienced multiple data breach incidents in the past, so it is familiar with the reputational impact, and that experience makes it wary of its business partners.
In conclusion, continuous monitoring of third-party risk is essential. The evaluations should cover what data the partner accesses, whether it is necessary for normal operations, and how it is secured. The parties must also determine liability in advance in the event of a breach, and a response plan should be in place for third-party breaches when they occur.