Thus far, they're not scoring many points in the credibility department. In fact, the law firm did not "thoroughly examine how we safeguard rider data." It examined how Uber is supposed to safeguard rider data, not what Uber actually does. That's the problem.
A few other notable elements of the report:
• "New personnel must agree to the Company's policies relating to the appropriate handling of Consumer Data prior to obtaining access to that data." Sigh! How is getting a new employee to sign that document going to protect customers? Is it one sheet among 40 that the employee is blindly signing, somewhere between a 401(k) allocation form, medical benefit choices and a direct deposit authorization?
When a situation crops up nine months later where it would be useful to know the travel history of a customer, will that signature have any impact? Will it discourage the kind of employee who will be tempted to bend the rules?
• "We understand that after issues with accounts are resolved, standard cancellation procedures are followed, which include deleting personally identifiable information from Company databases containing Consumer Data."
This is the kind of comment that lawyers love because it sounds like it solves the issue. But as IT knows, once data gets into those databases and gets repeatedly backed up and loaded onto thumb drives and mobile devices and employees take files home and work on them on home computers, well, you can't get the IT toothpaste back into the database tube.
• But the award for the most tone-deaf utterance in any privacy report goes to this: "Tone at the top cascades from the senior executives through other layers of management and is judged by the words and actions of individual employees at all levels." This report was prompted by senior execs and senior managers engaging in blatant privacy violations. The most senior exec involved, Emil Michael, Uber's senior vice president of business, who was the one who said he wanted to investigate a reporter, eventually issued an apology, but was neither fired nor publicly disciplined. The actions of the CEO — who issued a statement about the comments and would presumably have made the decision about any punishment — do indeed speak loudly about the company's view of privacy.
The report didn't explore germane questions: How many employees have been disciplined for privacy violations? What was the nature of that discipline? That is how you set the tone from senior management. Employees look and see what happens to people who violate those rules.