Answer all the following questions.
Based on the two reports attached regarding Uber’s recent news on the 2016 data breach in their organization, you need to analyze the event using the ethical framework mentioned in chapter-8, Figure 8.1 on page 228 of your MIS300 textbook (slide 7 of chapter 8 presentation). Indicate the entities (people and organizations) affected by this data breach and discuss the level of ethical violation you consider this data breach and its cover-up to be. Support your argument based on your analysis of the six aspects related to the ethical structure indicated in the above-mentioned figure.
Attachments:
- Uber Newsroom Report: 2016 Data Security Incident
- FT-News on Uber’s data breach
Figure 8.1 page 228

[Figure: Different level in Ethics, p. 228. Aspects: Consequences, Society's Opinion, Likelihood of Effect, Time to Consequences, Relatedness, Reach of Result. Levels: Very Serious Ethical Violations, Serious Ethical Violations, Minor Ethical Violations.]
The Uber data breach has implications for us all
Europe is at a turning point when it comes to the regulation of personal details
JULIA APOSTLE
Uber's decision to pay a ransom to delete stolen data will have a negative impact on all digital service providers
NOVEMBER 27, 2017

Uber last week revealed its latest own goal, spectacular for its lack of judgment, even by the ride-hailing company's standards. Dara Khosrowshahi, the chief executive, announced that in 2016 the company experienced a massive data breach, resulting in the theft of information about 57m users and drivers worldwide. Instead of disclosing the incident when it was discovered, senior executives decided to pay a ransom of $100,000 to delete the stolen data.

It is hard to imagine a worse response to a data breach, and Uber will suffer heavy consequences. Data privacy regulators in the US, UK and Italy have announced plans to investigate, and a class-action lawsuit has been filed in California against the company.

Uber has apologised for the breach, which happened under the watch of former chief executive Travis Kalanick. "None of this should have happened, and I will not make excuses for it," Mr Khosrowshahi wrote.

But this latest scandal is not just bad for Uber. By handing those in favour of stricter privacy regulation a new stick with which to beat the tech companies, Uber's behaviour will have a negative impact on all digital service providers. Rightly so, some will argue. The distinction between the Silicon Valley tech companies and traditional industries has become increasingly blurred.

Europe is experiencing a turning point when it comes to the regulation of personal data. The EU's General Data Protection Regulation comes into force next year and its impact on companies that process personal data will be substantial.
According to a study conducted by the International Association of Privacy Professionals and EY, members of the Fortune 500 will spend a combined $7.8bn on compliance measures. Cost is probably the most straightforward aspect of the compliance regime created by GDPR. The scope of the obligations imposed on data controllers is nothing less than daunting. But the law is a fait accompli, with the text set in stone before the boards of most companies even knew the law would apply to them.
There is more to come. Still in the pipeline is an expanded Regulation on Privacy and Electronic Communications (ePrivacy Regulation), which will replace the 2002 ePrivacy Directive. The final text of the regulation has not yet been agreed but the European Parliament last month approved the most recent draft of the law.

Whereas GDPR focuses on general uses of personal data, the ePrivacy Regulation will supplement it with additional rules targeted at electronic communications services, the use of cookies, online behavioural advertising, direct marketing and machine-to-machine communications (the "internet of things"). Fines for violations will be as high as under GDPR – potentially into the millions.

And let us not forget the Directive on Security of Network and Information Systems, the first piece of EU-wide legislation on cyber security. It was adopted in July 2016, and member states have until 2018 to enact it.

Given the global scope, significant costs and compromises required to achieve compliance under these new laws, it is surprising how little serious public debate there has been as to whether the means adopted are proportional to the desired ends – namely the protection of individual privacy and modernisation of the data protection framework.

This is why the Uber data breach and how it was handled is not just a problem for the company. Bad news makes good headlines, but it also makes bad law. The temptation to cite Uber's failings as the justification for tougher privacy rules, or a stricter interpretation of existing laws, should be resisted and more scrutiny should be applied to what our legislators are already doing.

The writer is former lead counsel at Twitter UK

Copyright The Financial Times Limited 2017. All rights reserved.
US - Nov 21, 2017
2016 Data Security Incident
Written by Dara Khosrowshahi, CEO

As Uber's CEO, it's my job to set our course for the future, which begins with building a company that every Uber employee, partner and customer can be proud of. For that to happen, we have to be honest and transparent as we work to repair our past mistakes.

I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.

Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded. However, the individuals were able to download files containing a significant amount of other information, including:
• The names and driver's license numbers of around 600,000 drivers in the United States. Drivers can learn more here.
• Some personal information of 57 million Uber users around the world, including the drivers described above. This information included names, email addresses and mobile phone numbers. Riders can learn more here.

At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.

You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it. What I learned,
I've asked Matt Olsen, a co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help me think through how best to guide and structure our security teams and processes going forward.

Effective today, two of the individuals who led the response to this incident are no longer with the company.
• We are individually notifying the drivers whose driver's license numbers were downloaded.
• We are providing these drivers with free credit monitoring and identity theft protection.
• We are notifying regulatory authorities.
• While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.

None of this should have happened, and I will not make excuses for it. While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.