Businesses cannot be trusted to act in the interest of consumers, say experts.
Uber's cover-up of a massive breach involving the personal details of about 57 million passengers and drivers has drawn global concern, and lent further support to calls for tougher privacy rules.
Cyber security and privacy experts, including lawyers, argue that commercial entities cannot be trusted to act in the interest of consumers, and must be compelled by law to inform customers and the authorities when data breaches occur.
It came to light on Tuesday (Nov 21) last week that ride-hailing firm Uber fell victim to a major security breach last year. The breach compromised the names, phone numbers and e-mail addresses of 57 million account holders globally, including about seven million drivers, some 600,000 of whom also had their US driver's licence numbers exposed.
Instead of alerting users and the authorities, Uber paid the hackers US$100,000 (S$134,000) to delete the compromised data and keep quiet about the attack.
"Commercial entities cannot be left to decide whether to disclose data breaches to customers. Regulatory guidance is a must," said lawyer Rajesh Sreenivasan, a technology and telecoms partner at Singapore law firm Rajah & Tann.
Mr Shlomo Kramer, founder and chief executive of Israeli cyber-security start-up Cato Networks, agreed, saying governments and lawmakers play an increasingly important role in protecting consumers' data.
"Companies cannot be trusted to do the right thing because they have a self-preservation interest, which is in conflict with consumer interest," said Mr Kramer.
The situation in the United States is complicated. There is no general federal law requiring organisations to disclose breaches; instead, nearly every state has its own law governing breach notification and, separately, the loss of customers' personal data.
The federal laws that do exist are sector-specific. One example is the Health Insurance Portability and Accountability Act (HIPAA), which regulates people's medical information.
In Europe, the obligation to inform the authorities within 72 hours of becoming aware of a breach, and affected consumers without undue delay where the breach poses a high risk to them, will apply across all member states under the European Union's new General Data Protection Regulation (GDPR) from May next year. Organisations that breach the GDPR can be fined up to €20 million (S$32 million) or 4 per cent of their annual global turnover, whichever is higher.
Nations where personal data breach disclosure is mandated by overarching privacy legislation include Australia and South Korea.
In Singapore, the privacy watchdog in July proposed major changes to the Personal Data Protection Act, to require organisations to notify consumers as soon as a breach is discovered.
If the breach involves 500 or more individuals, the Personal Data Protection Commission must also be told within 72 hours, so that it can manage breaches at the national level.
And if the breach involves critical infrastructure - including the energy, telecommunications and transport sectors - Singapore's Cyber Security Agency (CSA) must be informed, according to a proposed Cybersecurity Bill, which is expected to be tabled in Parliament for debate next year.
CSA chief executive David Koh said: "We have seen how successful cyber attacks overseas have disrupted essential services and affected the lives of citizens.
"We cannot afford to take a laissez faire approach."
While Uber has an office in nearly every country it operates in, including Singapore, it is not clear if local laws that require organisations to protect personal data apply to Uber.
"It depends on which Uber outfit owns and processes consumers' personal data," said lawyer Gilbert Leong, a senior partner at Dentons Rodyk & Davidson. He added: "Without mandatory disclosure requirements, consumers' position is considerably weakened."
In revealing the breach last week, Mr Dara Khosrowshahi, who became Uber chief executive in September, said hackers had found, in GitHub - a third-party site that engineers and companies use to store code and track projects - a username and password that gave them access to Uber user data. That data is stored on Amazon Web Services servers, not on systems Uber operates itself.
Mr Ian Yip, chief technology officer at McAfee Asia-Pacific, said accountability should always rest with the organisation in question. "Ceding responsibility to a third party is not advisable. Any system that holds important data, regardless of its location or designation, should be classified as corporate infrastructure and protected accordingly," said Mr Yip.
McAfee is a global computer security software firm.
Mr Yip was responding to a statement Uber put out last week, which said: "The incident in 2016 did not breach our corporate systems or infrastructure."
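The attack path described above, a credential sitting in a code repository that unlocks data stored with a cloud provider, is exactly what a repository or pre-commit secret scan is meant to catch before the code is pushed. The following is an added example and is not code from the original article, from Uber or from any of the firms quoted. It is a minimal scanner that flags AWS access key IDs by their fixed format and other assigned secrets by the entropy of their value, so that a repetitive placeholder is not reported while a real-looking key is. The sample file content is constructed for the example; the two key values in it are the placeholder keys published in AWS documentation, not live credentials. The keyword list, the 20-character minimum and the 3.5 bits-per-character threshold are this example's own choices.

```python
import math
import re
from typing import List, Tuple

# Constructed sample: the kind of config file that ends up committed to a repository.
# Both key values are the placeholder examples from AWS documentation, not live credentials.
SAMPLE_FILE = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# build metadata, harmless
commit = 2f1e3d4c
password = aaaaaaaaaaaaaaaaaaaaaaaa
"""

# AWS access key IDs have a fixed, recognisable shape: a four-letter prefix followed by
# 16 upper-case alphanumerics. Long-term keys start with AKIA, temporary ones with ASIA.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Generic secrets have no fixed shape, so look for an assignment whose left-hand side
# names a secret and whose right-hand side is a long token, then judge it by entropy.
# Keyword list and 20-character minimum are this example's own choices (assumptions).
ASSIGNED_SECRET = re.compile(
    r"(?i)\b(\w*(?:secret|password|passwd|token)\w*)\s*[=:]\s*['\"]?([A-Za-z0-9/+=_-]{20,})['\"]?"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s, estimated from its own character frequencies."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str, entropy_threshold: float = 3.5) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule, matched_value) for each suspected credential in text.

    A line can produce more than one finding; a value that matches the AWS key-ID rule
    is reported once, under that rule only.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        key_ids = [m.group(0) for m in AWS_ACCESS_KEY_ID.finditer(line)]
        for value in key_ids:
            findings.append((lineno, "aws-access-key-id", value))
        for m in ASSIGNED_SECRET.finditer(line):
            value = m.group(2)
            if value in key_ids:
                continue
            # Entropy separates real secrets from long but repetitive placeholders
            # (e.g. "aaaaaaaa..."). It will also flag hashes and base64 blobs, which a
            # production scanner handles with an allowlist; this example does not.
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "high-entropy-secret", value))
    return findings


def has_secrets(text: str) -> bool:
    """Gate for a pre-commit hook: True means the commit should be refused."""
    return bool(scan_text(text))


if __name__ == "__main__":
    for lineno, rule, value in scan_text(SAMPLE_FILE):
        # Never echo the full value back into a log; the first few characters identify it.
        print(f"line {lineno}: {rule}: {value[:8]}...")
    raise SystemExit(1 if has_secrets(SAMPLE_FILE) else 0)
```

Run against the sample, the scanner reports the access key ID on line 3 and the secret key on line 4, and exits non-zero, which is the behaviour a pre-commit hook needs; the repetitive `password` value on the last line is ignored because its entropy is zero. The format rule is precise but only covers one provider; the entropy rule is general but needs an allowlist in real use. A scan like this protects the repository, not the data: it does not replace the monitoring of the cloud storage itself that Mr Yip's point about corporate infrastructure calls for.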
Uber said it had informed regulators around the world and the affected drivers. However, the authorities in several states in the US, as well as Britain, Italy, Australia, the Philippines and Singapore now want answers on how many of their citizens were affected.
When contacted by The Straits Times, Uber would not comment on its ongoing discussions with the authorities.
Even though some users, including those in Singapore, had complained about alleged fraudulent charges to their credit cards for phantom rides, Uber maintained that "payment information is encrypted" and that the transactions were unrelated to the breach.
Meanwhile, the first lawsuit has been filed in a Los Angeles court by an Uber customer against the firm for failing to protect personal data, said a Bloomberg report.
Even in the absence of mandatory breach disclosure laws, deliberately concealing breaches from regulators and citizens could attract higher government sanctions under laws that require personal data to be secured, experts said.
And failure to protect consumers' data can also lead to a fine, as Sony Computer Entertainment Europe found out in 2013, when it was fined £250,000 after a breach of PlayStation data that occurred two years earlier.
"These figures do not take into account reputational cost, customer sentiment and whether any of those customers vote with their wallets," said Mr Tony Jarvis, chief strategist at security software firm Check Point Software Technologies, an Israeli multinational company.
In terms of scale, the attack on credit bureau Equifax earlier in the year was even bigger.
The names, credit card accounts and Social Security numbers of over 145 million Americans, and tens of thousands of British and Canadian citizens, were stolen in the Equifax attack. The firm has since attracted dozens of lawsuits from bankers and consumers in the US.
"It's clear that companies have a huge visibility problem; they simply cannot see what is happening inside their own networks," said Mr Sanjay Aurora, Asia-Pacific managing director of British cyber-security firm Darktrace. He made a case for the use of artificial intelligence (AI) software to keep crooks at bay.
He argued that hackers, too, are increasingly using AI to vary their strategies and better penetrate corporate networks.
He said: "While Uber is the focus of today's story, all companies are vulnerable. Using machine learning to implement an 'immune system' model of security will play a critical role in allowing organisations to keep up with threats, in today's heightened cyber climate."
Copyright: The Straits Times/Asia News Network