In the pantheon of lame data security excuses, "we grew too fast" ranks near the top. Advisen reports that Uber is falling back on this excuse to explain some of its questionable practices in data privacy and poor security. It must be tough to be a company with a billion-dollar valuation.
Snark aside, rapid growth is an excuse that many companies use to explain their faulty cyber security. In reality, it's not so much rapid growth that causes security lapses, as it is poor planning and lack of security infrastructure.
To help you understand what you and your clients need to do before there's a public relations disaster or data breach, let's look at what Uber has done wrong.
4 Mistakes Uber Made with its Data Security
By now, you've probably heard about Uber's "God View" that allows it to track user locations – a feature one Uber exec used to spy on a journalist critical of the company. While the company's blatant disregard for customer privacy is shocking, there are several underlying causes that enabled this abuse of power to occur.
- No mandatory security training. Months after the "God View" incident, Uber has announced that it will make all its employees undergo mandatory data security training. This has led to many InfoSec people scratching their heads and asking, “Why weren't you doing that before?”
- No effort to monitor third-party use of their data. A security audit revealed that Uber didn't monitor how its business partners were using its customer data. When you share data with third parties – whether it's for marketing or other reasons – you have a responsibility to make sure the other company is using this data securely.
- Lack of a clear privacy policy. Tech companies are required to disclose how they use customer data (and whether or not they share it with other companies). Uber is currently in the process of updating its Privacy Policy to accurately reflect how it uses this data. See our sample IT contracts for a free Privacy Policy template.
- Access creep. Too many of Uber's employees had the ability to access private data of its customers – this is what led to one executive's misuse of "God View." All companies need to limit how much access they give to their employees. Problems often occur when employees are promoted or move to new departments but retain privileged access to other data.
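Access creep is easy to describe and easy to miss in practice, because each stale grant looked legitimate when it was issued. The following is an added example (not from the article or from Uber) of a periodic entitlement review that reconciles every grant against the role the employee holds today. The departments, group names, users and dates are all constructed for illustration.

```python
from datetime import date

# Constructed sample data: which groups each department's role justifies,
# which groups expose customer or driver data, and each user's current department.
ROLE_BASELINE = {
    "support":   {"ticket-system", "rider-lookup-readonly"},
    "marketing": {"campaign-tool", "analytics-dashboard"},
    "ops":       {"trip-history-full", "driver-pii"},
}
PRIVILEGED = {"rider-lookup-readonly", "trip-history-full", "driver-pii"}
USERS = {"alice": "marketing", "bob": "support", "carol": "ops"}  # alice moved from ops
AS_OF = date(2015, 1, 1)  # review date (constructed)

# Each grant records the department the user held when it was issued.
GRANTS = [
    {"user": "alice", "group": "trip-history-full", "granted_for": "ops",       "granted": date(2013, 4, 1)},
    {"user": "alice", "group": "campaign-tool",     "granted_for": "marketing", "granted": date(2014, 9, 1)},
    {"user": "bob",   "group": "ticket-system",     "granted_for": "support",   "granted": date(2014, 1, 15)},
    {"user": "bob",   "group": "driver-pii",        "granted_for": "support",   "granted": date(2014, 2, 2)},
    {"user": "carol", "group": "driver-pii",        "granted_for": "ops",       "granted": date(2014, 6, 1)},
]

def find_access_creep(users, grants, baseline, privileged, today):
    """Return grants that the user's current role no longer justifies, riskiest first."""
    findings = []
    for g in grants:
        current_dept = users[g["user"]]
        if g["group"] in baseline.get(current_dept, set()):
            continue  # still justified by the role the user holds today
        if g["granted_for"] != current_dept:
            reason = "role changed"           # classic creep: kept after a move or promotion
        else:
            reason = "outside role baseline"  # ad-hoc grant that no role ever justified
        findings.append({
            "user": g["user"],
            "group": g["group"],
            "privileged": g["group"] in privileged,
            "age_days": (today - g["granted"]).days,
            "reason": reason,
        })
    # Privileged, long-standing grants first: these are the ones to revoke first.
    findings.sort(key=lambda f: (not f["privileged"], -f["age_days"]))
    return findings

if __name__ == "__main__":
    for finding in find_access_creep(USERS, GRANTS, ROLE_BASELINE, PRIVILEGED, AS_OF):
        print(finding)
```

Run against a real directory export, the same reconciliation flags exactly the case described above: alice's full trip-history access survived her move from ops to marketing, and bob's driver-PII grant was never tied to any support role.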
IT Consultants Can't Afford to Make Uber's Data Security Mistakes
So should we let Uber off the hook? Uber's PR team says the company grew too fast to implement better data security protocols, but the truth is that the four points we mentioned above are some of the most basic aspects of data security. In other words, Uber botched its security from the beginning.
All companies, big or small, need to have…
- Clear privacy policies.
- Security training.
- Policies to limit access creep.
- Monitoring of third-party data usage.
That's beginner-level stuff. As an IT consultant, if you failed to do any of these things, a client could claim you failed to fulfill your professional duties (to learn about covering your lawsuit risk, see Professional Liability Insurance).
Like many other companies, Uber simply took its data security for granted. In reality, many of your clients probably have similarly lax data security policies and no mandatory training. Your clients might think "access creep" would be a great name for a Radiohead song, but have no idea that their organization suffers from this problem. As you work with clients, you may need to teach them data security basics to help institute procedures to make sure their employees know the risks they face.
For help teaching your clients about data security, see our free Customer Education Packet, which teaches small-business owners the basics about identity theft prevention, data breach responses, and cyber security.