May 27, 2020


Uber Enters Into $148M Nationwide Settlement for Concealing 2016 Data Breach

On September 26, 2018, a record settlement was reached between Uber and the attorneys general of all 50 states and the District of Columbia over the company’s 2016 data breach. While this case presents an extreme example of corporate misconduct by the company’s former management, the settlement is notable for the stringent privacy protection requirements that Uber must now incorporate into its business practices.

Case Overview

In November 2016, prior to major management changes at Uber, Uber learned that hackers had gained access to personal information about its drivers and customers, including driver’s license information on 600,000 of its drivers, and email addresses and phone numbers from 57 million customers worldwide. Instead of notifying affected individuals and law enforcement as required by most state laws, Uber tracked down the hackers and attempted to cover up the data breach by paying the hackers $100,000 to remain silent and destroy the stolen information. Uber failed to report the breach to authorities and affected individuals until it was uncovered in 2017 during an internal investigation by its board of directors. After news of the data breach broke, attorneys general nationwide investigated Uber under their respective consumer protection and state breach notification laws, with some enforcing their statutes for the first time. On September 26, state attorneys general nationwide announced the proposed nationwide settlement, which in some states may still require approval by the applicable court. Under the proposed settlement, an example of which is available here, Uber is required to pay a total of $148 million to the 51 participating attorneys general and its own drivers. But the settlement is unique not just for the magnitude of the fines; for the first time ever, an AG’s office is requiring a company to reform its business practices to include the principles of “Privacy by Design” and to integrate privacy considerations and protections into every phase of its product’s design and development lifecycle. California Attorney General Xavier Becerra stated that “Uber’s decision to cover up this breach was a blatant violation of the public’s trust. The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law. Companies in California and throughout the nation are entrusted with customers’ valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect their data.”

Data Breach Notification Requirements

All 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands now have data breach notification laws. While these laws are largely similar, each has subtle distinctions regarding the definition of personal data, the level of harm required to trigger notification obligations, notification obligations to regulators and credit reporting agencies, and the amount of time allowed to notify affected individuals of the breach. Organizations must ensure they follow the law in each state where the affected individuals reside, regardless of the location of the organization.

Impact to Business

Incident Response Planning

An incident response plan consists of policies and procedures that are executed when a data breach occurs. It provides a single point of reference for personnel to follow to mitigate the effects and prevent the recurrence of a data breach, including a description of the responsibilities to make notifications to the affected individuals, regulators, the media, and other third parties as may be required under various breach notification laws.

Corporate officers and the board of directors should periodically review and approve their organization’s incident response plan, and incident response team members should receive constant training on their roles and responsibilities under the plan.

To paraphrase former FBI Director James Comey’s 2014 statements about cybersecurity incidents, it is not a matter of if an organization will be the victim of a cybersecurity attack, but when. While acknowledgement of data breaches was once a taboo subject for organizations, it is now simply a recognition that no security practices are fool-proof and that there is always room for improvement. Past actions from regulators suggest that little to no liability occurs when an organization takes its cybersecurity obligations seriously and implements cybersecurity measures that are reasonable, given the size of the organization, the resources it has, and the type of data it handles. However, Uber’s settlement with the state attorneys general shows how an organization’s potential liability can be compounded when it fails to comply in a timely manner with its obligations to protect the personal data of consumers and to notify consumers when their personal data has been compromised, and instead attempts to conceal a data breach. And the settlement amount likely tells only part of the story – Uber’s real costs as a result of the breach may be multiple times higher when indirect costs such as those associated with customer churn and reputational harm are included.

Organizations must take a proactive approach in addressing data breaches to avoid any undue delays in investigating and responding to such incidents; they should certainly never attempt to cover up or hide a data breach, especially one that may require reporting under federal, state, or international law. Instead, organizations should ensure that corporate officers and the board of directors fully understand their obligations to protect consumers' personally identifiable information and to promptly disclose breaches of personally identifiable information as may be required under each state’s laws. The organization’s corporate officers and board of directors must foster a culture of protecting personal data and disclosing security breaches, and should be fully prepared to make all required disclosures even in the face of short-term reputational harm in order to avoid significantly larger liability later. In addition, organizations should continually review their cybersecurity program and incident response policies in order to help avoid a cybersecurity incident and to quickly respond when one occurs.

© 2020 Foley & Lardner LLP


About this Author

Samuel Goldstick, Foley Lardner Law Firm, Chicago, Cybersecurity and Healthcare Law Attorney

Samuel (Sam) Goldstick is a data privacy and cybersecurity associate at Foley & Lardner LLP. He is a member of the firm’s Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices, as well as Technology and Health Care Industry Teams. He also is accredited by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional in both the United States and Europe (CIPP/US and CIPP/E).

Prior to joining Foley, Mr. Goldstick was an associate at a prominent law...

Maxwell S. Harwitt, Foley Lardner Law Firm, Los Angeles, Technology Law Attorney

Maxwell Harwitt is an associate with Foley & Lardner LLP. He is a member of the firm’s Technology Transactions & Outsourcing Practice.

Prior to joining Foley, Mr. Harwitt was an associate with a boutique law firm in Pasadena, where he also served as a summer associate. He started his legal career as a trademark paralegal at a Santa Monica-based law firm and an intellectual property paralegal at a consumer products company.


Mr. Harwitt earned his law degree from UCLA School of Law (J.D., 2016), where he served as a research assistant, an editor for the UCLA Law Review, and president of the Art Law Society.

Mr. Harwitt earned an undergraduate degree in history and art history from the University of California, Los Angeles (B.A., 2006), where he served on the Student Advisory Committee for the Armand Hammer Museum.

Chanley Howell, Intellectual Property Attorney, Foley Law Firm

Chanley T. Howell is a partner and intellectual property lawyer with Foley & Lardner LLP, where his practice focuses on a broad range of technology law matters. He is a member of the firm's Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices and the Sports and Health Care Industry Teams.

Mr. Howell represents companies in a variety of technology law areas, such as:

  • Data Privacy and Security Compliance – Counsel and advise clients with respect to compliance...

James R. Kalyvas, Communication Attorney, Foley and Lardner Law Firm

James R. Kalyvas is a partner and transactional lawyer with Foley & Lardner LLP. Mr. Kalyvas advises companies, public entities, and associations on all matters involving the use of information technology, including structuring technology initiatives (e.g., outsourcing, ERP, CRM), vendor selection (RFP strategies, development and response review), negotiation, technology implementation (professional service agreements, SOWs, and SLAs), and enterprise management of technology assets. Mr. Kalyvas has extensive experience in structuring and negotiating outsourcing...

Steven Millendorf, Technology Attorney, Foley and Lardner Law Firm

Steven Millendorf is an associate and intellectual property lawyer with Foley & Lardner LLP. He has experience drafting, reviewing and revising technology agreements, including protections for privacy and data security. Mr. Millendorf regularly tracks changes to state breach notification laws and revises Foley’s nationally published state data breach notification database. He also has experience in defending electronics and telecommunications clients in IP litigation matters. Mr. Millendorf is a member of the firm’s Technology Transactions & Outsourcing,...