Considering the U.S. government has opened at least five criminal probes into the company since Uber’s founding in 2009, a long road lies ahead towards regaining the public’s trust. In Chief Legal Officer Tony West’s statement regarding the settlement, he noted that measures have been taken to improve safety and security. CEO Dara Khosrowshahi also requested that the CSO at the time of the breach submit his resignation, and hired a new Chief Privacy Officer and a Chief Trust and Security Officer.
While these steps are primarily reactive measures, I hope that Khosrowshahi will recognize that the root cause is weak risk management governance processes, and that more proactive steps need to be taken to move towards an effective risk management program to prevent more scandals in the future. Further, although today’s news concerns a risk management failure in security and privacy, Uber’s risk management failures have been happening in multiple business areas and share a common root cause: a weak risk management program and process, and the lack of an ERM system.
An ERM system could not only identify and fill gaps in Uber’s cybersecurity policies and procedures, but also spare Uber’s new line of management from having to worry about being in a position of negligence. Enterprise risk management enables companies to act against risks that are 100% preventable. It is up to companies such as Uber to take responsibility.