Dive Brief:
- Uber Chief Privacy Officer Ruby Zefo is looking to move past mistakes the company has made — including paying hackers $100,000 to cover up a breach and spying on users' ride information with an internal tool — and establish a more positive stance on data privacy, according to an interview with Law360. Zefo led the launch of privacy principles, which are less a legal document and more like groundwork for what the company is doing.
- With GDPR compliance handled, Zefo is focusing on a "global readiness program," where the same principles are extended to all users despite regulatory differences across borders, and to what's next in the customer experience. Zefo and Uber are trying to make privacy features and notices more accessible for users, playing with measures such as messaging notices with easily accessible information or contextual prompts that show how enabling location data could improve a feature like rider pickup.
- In response to widespread criticism of the internally-dubbed "God view" tool that allowed employees to spy on users, Uber has implemented a privacy review process with privacy impact assessments, according to Zefo. New features go through the review process, and access controls are installed before launch.
Dive Insight:
Uber racked up steep penalties for its 2016 data breach: The company was responsible for a $1.2 million fine by European regulators and a $148 million settlement with American states. But some mistakes are more difficult to quantify, such as the toll the breach took on the 57 million impacted users' and drivers' confidence.
In 2017, the company was still dealing with a 2014 data breach that affected tens of thousands of drivers, when it also disclosed the 2016 breach. The disclosure took place after a change of CEO leadership.
While repeated security incidents can hurt public trust, hiring its first chief privacy officer shows a step in the right direction, according to Anurag Kahol, CTO and co-founder of Bitglass, in a statement provided to CIO Dive. By complying with data privacy laws and living up to its promised data privacy and security principles, it is likely Uber will reinstate consumer trust.
Executive hires in the fields of data protection and security indicate a company taking these issues more seriously. Zefo's hire was announced in July, along with the appointment of Simon Hania as data protection officer, a required position for GDPR compliance. Uber also hired a new chief security officer in August, Matt Olsen, a cybersecurity entrepreneur and FBI and NSA veteran.
Zefo came to Uber from Intel, where she capped off a 15-year career with the company as group counsel for the AI products group. She previously worked at Sun Microsystems for seven years in counsel positions.
Many organizations are still struggling with basic GDPR compliance, which has forced them to rethink how they store and process consumer information.
There are many other data privacy regulations, in effect and in the works, that require companies to meet high levels of compliance and accountability, Kahol said. Zefo speaks to implementing systematic approaches to high levels of security instead of minimum levels of compliance.
"In other words, regulatory demands should be seen as floors for security rather than ceilings," Kahol said.