I am tempted to write something along the lines of “another month, another scandal at Uber,” but I do not think that would really help any compliance professional or business executive learn from the latest FUBAR announced by Uber Technologies (Uber). Last week, the company announced it had been the victim of a massive data hack, involving personal information of some 57 million customers and personal data from another 600,000 drivers (not employees but independent contractors). The scandal does not come from the hack itself because, as James Comey once said, there are two types of companies: “those who have been hacked and those who don’t know they have been hacked.”
Uber definitely knew it had been hacked back in 2016. So much so that the chief information and security officer, who was also the deputy general counsel, and the legal director of security and law enforcement were all in on the cover-up; it was the cover-up that created the scandal. Not only did Uber not notify those who had their data purloined, but the company paid $100,000 to the hackers to destroy the information and to sign a confidentiality agreement about their hack. Former Chief Executive Officer (CEO) Travis Kalanick personally approved the payment.
According to the New York Times (NYT), the “hackers stole data about the company’s riders and drivers — including phone numbers, email addresses and names — from a third-party server and then approached Uber and demanded $100,000 to delete their copy of the data, the employees said. Uber acquiesced to the demands.” But Uber did not stop there: it “tracked down the hackers and pushed them to sign nondisclosure agreements, according to the people familiar with the matter. To further conceal the damage, Uber executives also made it appear as if the payout had been part of a ‘bug bounty’ — a common practice among technology companies in which they pay hackers to attack their software to test for soft spots.” Uber did not notify state, national or foreign regulators as required under the relevant breach-notification laws.
Yet, according to the Financial Times (FT), the company did notify its prospective investor SoftBank as part of the negotiations for its investment dollars. The FT went on to note, “The revelation about the data hack has come at a crucial moment for Uber’s valuation because the company is on the brink of a deal with the SoftBank-led consortium. SoftBank will soon name its price for buying a large chunk of shares from existing shareholders — a price that will serve as an early verdict on the current state of the company.”
All of this came to light as part of the Uber Board of Directors’ investigation into the company’s business practices, itself part of the continuing fallout from the blog post by Susan Fowler about discrimination and harassment at the company. Her blog post, the ongoing investigations and the continued fallout led to the resignation of then-CEO Kalanick back in June. But the bad news and bleeding have not stopped for Uber and its new CEO, Dara Khosrowshahi.
There is still an ongoing Foreign Corrupt Practices Act (FCPA) investigation. Given the business practices, ethos and corporate culture under Kalanick, it would not be too great a stretch to think the company may have paid bribes. Early next year, the lawsuit by Alphabet’s subsidiary Waymo, over the alleged theft of trade secrets for a driverless car, is scheduled to go to trial. The sitting federal judge in the case has already referred some portion of it to federal prosecutors for review. That is never a good sign.
At this point, Uber still does not have a Chief Compliance Officer (CCO). Bloomberg reported in September that “Global Head of Compliance Joseph Spiegler resigned last week after a year and a half on the job, according to two people familiar with the matter. While Spiegler reported to the company’s top lawyer, Uber is searching for a replacement who would report directly to new Chief Executive Officer Dara Khosrowshahi.” Of course, Uber also does not have any compliance expertise on its Board of Directors.
Khosrowshahi has certainly tried to say the right things. In a statement regarding the data breach he said, “None of this should have happened and I will not make excuses for it.” He has also jettisoned the former corporate values and included one that says, “doing the right thing, period.” All of this is being done while trying to right the Uber ship, in what has been introduced as Uber 2.0, or life after former CEO Kalanick. I once heard a CCO say his job was to prevent, find and fix problems while the company was flying at the speed of a 767 airliner. For Uber, I would say the analogy does not go far enough, as the repairs to the company are ongoing while the company is flying at the speed of the space shuttle hurtling into parts unknown. There has never been a company like Uber, and any CCO would have to create an entire compliance program for the company from scratch.
Yet this is precisely what the company must do. It must hire a CCO who reports directly to CEO Khosrowshahi and not to the General Counsel. That CCO must work to change the values while putting in the infrastructure to support the backbone of a best-practices compliance program. My sense is that Khosrowshahi wants to do this, and do it sooner rather than later. He clearly has some period of time in which he can pin the blame for these actions on the prior administration of Kalanick. But that grace period will only last so long. At some point, Kalanick’s problems will become Khosrowshahi’s problems.
More importantly, Khosrowshahi will have to certify that the company is in compliance with the relevant securities laws when it goes public. This includes not only accurate financial controls under Sarbanes-Oxley (SOX) but also effective compliance internal controls under the FCPA. At this point the company is still aiming towards a 2019 initial public offering. Uber needs to create the infrastructure of a company while trying to carry out one of the most dramatic corporate cultural changes ever required of a company valued at $68bn. All of this must be done in the public eye. But it all begins with hiring a CCO and putting an experienced, seasoned compliance professional on the Board of Directors.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author.
© Thomas R. Fox, 2017