I am tempted to write something along the lines of “another month, another scandal at Uber,” but I do not think that would really help any compliance professional or business executive learn from the latest FUBARs announced by Uber. In mid-November, the company announced it had been the victim of a massive data hack, involving personal information of some 57 million customers and personal data from another 600,000 drivers (not employees but independent contractors).
Uber knew it had been hacked back in 2016. So much so that the now former chief information and security officer, who was also the deputy general counsel and the legal director of security and law enforcement were all in on the cover up; which created the scandal. Not only did Uber not notify those who had their data purloined but the company paid $100,000 to the hackers to destroy the information and to sign a confidentiality agreement about their hack. Former Chief Executive Officer Travis Kalanick personally approved the payment.
Then the last week of November, it was revealed in the federal court lawsuit by Alphabet against Uber for theft of trade secrets around its driverless car technology; Uber had set up an entire department to steal competitors trade secrets, target lawsuits against the company while using a technology which allowed its communications to self-erase. The federal judge was positively livid that the company had not disclosed this information since it had been presented to Uber’s General Counsel office in the late spring of this year.
At this point, Uber still does not have a CCO, nor does it have any compliance expertise on the board of directors. Yet, this is precisely what the company must obtain. It must hire a CCO who reports directly to the CEO Khosrowshahi and not to the general counsel. That CCO must work to change the values while putting in the infrastructure to support the backbone of a best practices compliance program. It must put a seasoned compliance professional on its board of directors. Sooner rather than later.