
Washington A.G. Sues Uber in First Enforcement Action Under Revised Data Breach Law

The State of Washington's Attorney General filed a complaint against Uber Technologies, Inc. (Uber) yesterday related to the 2016 hack that exposed the personal data of 57 million riders and drivers. The suit is the first enforcement action under the 2015 amendments to Washington's data breach law, and the penalties sought under its damages theory will likely amount to several millions of dollars.

Under Washington's revised data breach law, businesses are required to notify consumers within 45 days if their personal information was accessed by an unauthorized person. If the breach impacts at least 500 residents, the business must also notify the attorney general's office within 45 days. "Personal information" is defined as an individual's first and last name in combination with their social security number, driver's license number, or financial account information.

As has been well publicized, in November 2016, an individual contacted the ride-sharing company claiming that he had accessed the company's user information. Uber investigated and confirmed that the individual and one other person had in fact accessed Uber's files, which included the names, email addresses, and telephone numbers of about 50 million passengers worldwide. Uber also confirmed that the hackers had accessed the names and driver's license numbers of about 7 million drivers, 600,000 of whom reside in the United States and at least 10,000 of whom reside in the State of Washington.

When Uber learned of the breach, it did not notify law enforcement, consumers, or drivers, but instead paid the hackers $100,000 to delete the data they had stolen. Uber eventually disclosed the breach to the Washington Attorney General a year later—on November 21, 2017.

Because Washington's data breach law does not define "personal information" as including names, email addresses, and telephone numbers, the complaint filed by Washington Attorney General Bob Ferguson relates only to the Uber drivers residing in Washington. The complaint alleges that "Uber executives were aware of the breach as early as November 2016," but nonetheless failed to provide notification until November 21, 2017—far exceeding the 45-day deadline.

The complaint also noted that "Uber is aware of its responsibilities to provide notice of data security breaches," citing the fact that, in 2016, "the New York Attorney General fined Uber for failing to notify drivers and that office about a data breach that occurred in 2014."

Perhaps the most notable aspect of Attorney General Ferguson's complaint is its damages theory. Specifically, he is seeking civil penalties of up to $2,000 per violation—the maximum amount allowed under Washington's revised data breach law. However, Attorney General Ferguson contends that each day that Uber failed to report the breach to each of the drivers—as well as to his office—counts as a separate violation. Under such a theory, he argues that Uber should face a penalty of several millions of dollars.

Although several class actions have already been filed against Uber—as well as at least one suit filed by a municipality—the Washington enforcement action marks a new type of liability Uber will face in connection with the 2016 breach. With investigations under way by the attorneys general of Connecticut, Illinois, Massachusetts, Missouri, New Mexico, and New York, there will likely be more on this front soon.

Copyright © by Ballard Spahr LLP

National Law Review, Volume VII, Number 333

About this Author

Edward McAndrew, Ballard Spahr, Philadelphia, Washington DC, Data Security, Privacy

Edward J. McAndrew is a counselor, investigator, and trial lawyer who helps clients navigate life in the digital world. He is the Co-Practice Leader of the firm's Privacy and Data Security Group.

Named a "Cybersecurity and Data Privacy Trailblazer" by The National Law Journal, Mr. McAndrew advises clients on cybersecurity, digital privacy, cyber-incident response, social media, online speech, defamation, commercial, employment, intellectual property, corporate governance, regulatory, and criminal matters. He also advises clients on cyber-based national security issues, as...

David Stauss, Ballard Spahr Law Firm, Denver, Privacy and Litigation Attorney

David M. Stauss focuses on complex business and commercial litigation in state and federal courts. He handles all aspects of litigation on a wide range of substantive matters for clients, including product liability, landowner liability, and commercial lending.

Mr. Stauss is head of the Denver office's privacy and cybersecurity practice group. He advises clients on regulatory and statutory compliance issues, third-party vendor management policies and contractual provisions, cyber liability insurance retention and coverage analysis, information...

Gregory Szewczyk, Ballard Spahr Law Firm, Denver, Privacy and Litigation Attorney

Greg Szewczyk is a litigator with experience serving as a member of several trial and arbitration teams. His responsibilities include examining witnesses at trial; drafting opening and closing presentations; drafting dispositive, discovery and pretrial motions, as well as appellate briefs; taking and defending depositions; arguing evidentiary and procedural issues; preparing witnesses for testimony; and drafting scripts for direct and cross-examinations. He is also a member of the Denver office’s cybersecurity practice group.