Chicago Hires Class Action Firm to Sue Uber Over Data Breach

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

Chicago has retained a plaintiffs’ litigation firm that focuses on technology and privacy cases to file a class consumer fraud lawsuit against Uber Technologies Inc. over a recently disclosed breach that exposed the data of potentially hundreds of thousands of Illinois residents.

That move was closely followed by an announcement that Washington state has filed its own lawsuit against the ride-hailing company.

Uber should be accountable for the new breach because it failed to live up to promises it made in a 2014 data breach settlement with the city to correct information system vulnerabilities, according to the complaint filed Nov. 27 in Cook County Circuit Court in Illinois ( Chicago v. Uber Techs., Inc. , Ill. Cir. Ct., No. 2017-CH-15594, complaint filed 11/27/17 ).

The city looks at issues on a case-by-case basis and sometimes hires outside counsel, depending on the city’s capacity to carry out such litigation and the available expertise and resources of outside law firms, a spokesman for Chicago told Bloomberg Law on background Nov. 28. There isn’t yet an estimate of the total damages the city is seeking, the spokesman said.

Uber never made basic corrections to its data security platform it had agreed to in the 2014 settlement, the complaint said. The company experienced another data breach in October 2016, which allegedly exposed the data of more than 57 million users and drivers. The company’s “substandard security practices” compromised information included names, email addresses, and phone numbers. Uber tried to conceal the 2016 data breach by paying hackers $100,000 to delete the compromised data, according to the complaint.

Outside Counsel

Chicago Mayor Rahm Emanuel (D) and State’s Attorney Kimberly M. Foxx (D) announced in a Nov. 27 statement that Chicago-based plaintiffs’ litigation firm Edelson PC will represent Chicago and Cook County, Ill., where the city is located.

The Edelson firm will recover fees as an undisclosed percentage of any damages recovered in the lawsuit, according to the statement.

Edelson has represented clients in lawsuits against the city and the county, according to Bloomberg data.

Jay Edelson, founder and CEO of Edelson PC, declined Bloomberg Law’s request for comment.

Widening Fallout

Fallout from revelations about the 2016 data breach has been extensive. Uber is facing a similar lawsuit by San Francisco, as well as direct class claims from consumers and state attorneys general.

Washington Attorney General Bob Ferguson (D) filed a state court complaint Nov. 28 on behalf of state residents that may have been affected by the breach ( Washington v. Uber Techs., Inc. , Wash. Super. Ct., Case number unavailable, complaint filed 11/28/17 ).

The complaint alleges that Uber violated the Washington data breach notification statute by not timely notifying the attorney general or consumers whose data were breached. A 2015 amendment to the state law requires that companies notify consumers within 45 days of discovery of a breach and notify the Attorney General’s Office within 45 days if a breach affects 500 or more state residents.

U.S. and overseas regulators have opened investigations into the breach and alleged cover-up.

Uber didn’t immediately respond to Bloomberg Law’s email request for comment.

To contact the reporter on this story: Jimmy H. Koo in Washington at

To contact the editor responsible for this story: Donald Aplin at

For More Information

The Chicago complaint is available at

The Washington state complaint is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security