Uber driver holding smartphone.
|

Managing cybersecurity risk has quickly become one of the biggest organizational concerns of the 21st century, especially when that risk is distributed across a number of employees, partners and third-party vendors. But in the new and steadily growing gig economy, that risk can be spread far and wide: across thousands, even hundreds of thousands, of contract workers.

Eversheds Sutherland partner and U.S. leader of the firm's global cybersecurity and privacy practice Michael Bahar explained that for enterprising hackers looking for personal information, a gig economy company presents an enormous trove of valuable data. “Some of these companies, like the Ubers, they become the iconic 'bank.' People know that there's a lot of personal information, both of the driver or the person moonlighting, as well as their customers,” he said.

Indeed, Uber Technologies Inc. has been subject to a barrage of data breach attempts, at least one of which exposed the names, email addresses and phone numbers of 57 million Uber users and the driver's license numbers of at least 600,000 drivers. A 2014 breach of the ride sharing company's data similarly exposed names and license information for upwards of 50,000 current and former drivers.

Risk of data exposure can be particularly precarious for gig workers themselves. Recent data collected by Harvard and Columbia University researchers found that many gig economy providers often require contractors to upload sensitive information, such as driver's license information, proof of insurance and location data, that can put them at serious fraud and safety risk if exposed.

The same study found that while companies tend to provide their employees with regular cybersecurity training, they often don't extend this training to contract workers, leaving many contractors relatively unaware of what they need to do to keep both their own and company data safe. Malicious hackers seem to have picked up on this trend, the researchers said, and have begun targeting gig workers with phishing attacks that can expose their personal information.

Hanson Bridgett attorney Everett Monroe explained that this dynamic can put companies in a weird place. “The individual companies don't have a lot of control, and the independent contractors don't have a lot of knowledge. You probably want your gig worker to have better data security, but there's not a lot of incentive and knowledge for them to build it,” he said.

One way to deal with this is by creating secured software channels, like an app, for gig workers to interact with company systems. Indeed, larger companies with broad independent contractors pools, the Ubers and Lyfts of the gig economy, typically manage contractors remotely, meaning that they often use similar kinds of contractor-facing technology as they do with consumer-facing ones. “Usually they're all going through some mobile platform. So as long as that's secure,” Bahar said, companies should be protected.

“The trick with contractors and third parties is that if they touch your network in a meaningful way, that provides a vector of attack such that if they're not secure, you're not secure,” Bahar added.

This too can have pitfalls. The research from Harvard and Columbia found that some the ways in which gig economy providers attempted to insure themselves against liability with gig workers, like requiring multiple identity verification, can be easily emulated and exploited by phishing schemes.

Bahar noted that for gig economy providers clamoring to be the next big thing and trying to impress venture funding, considering the cybersecurity concerns introduced by a gig-based business model often fall secondary to business development. “When you have a first-to-market approach, you're usually not first-to-security as well. The more things are the Uber of this and the Uber of that—everyone's racing to do that, which is endemic throughout the system, that they're not taking cybersecurity first to the system,” he said.

Although those filing litigation against gig economy providers for data breaches haven't been particularly successful thus far, that may not be the case forever. Danielle Urban, partner at Fisher & Phillips, said lawsuits in this area seem to be on the rise. “We've seen more lawsuits. The lawsuits haven't been particularly successful, although they continue to try novel areas of law, and I think there will be some inroads,” she said.

“It's very much unknown terrain legally. You don't want to look like you have too much control of your contractors,” Urban added.

In many ways, gig economy providers have nearly the same concerns and imperatives as your standard company operating in today's networked landscape. “I don't personally see any special issues, other than I think that much like employers, I think gig economy providers need to realize that their contractors are also a vulnerability,” Urban noted.

Monroe suggested that reframing cybersecurity as a concern located within people and the supply chain, rather than technology, can be an important way to go. “The way I would approach this is understanding that data security is quite often about how you are working with humans as opposed to a virus risk or some kind of advanced technology threat vectors. When you're keeping that in mind, first a comprehensive data security policy I think is just a must,” he said.

Urban flagged a few potential things gig economy providers can do to reduce their cybersecurity risk. “There are some best practices if you are a gig economy provider. I think you'd want to make sure that your contracts with contractors specify certain precautions that they would take,” she said, adding that specifying within contracts what procedures companies plan to take in the event of a breach can help reduce uncertainty.

“It's a fine line with gig economy providers, because they aren't your employees and you don't want to treat them as employees, but you'd want to make sure that the supply chain is as protected as it can be,” Urban said.