Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
By George Lynch
Pennsylvania is the third state to sue Uber Technologies Inc. under its state data breach notification law, following a widespread 2017 hacking incident that the ride-hailing company kept under wraps for over a year, according to a claim filed March 5 in Pennsylvania District Court.
As many as 43 state attorney generals are investigating Uber in relation to the breach.
Pennsylvania’s move is likely to trigger lawsuits by other state attorneys general, who are coordinating their investigations, Ed McAndrew, privacy and data security partner at Ballard Spahr LLP in Philadelphia, told Bloomberg Law.
The lawsuit makes Pennsylvania the third state, after Washington and Massachusetts, to sue over the breach, which exposed the personal information—including names, email addresses, and driver’s license numbers—of 57 million drivers and consumers. Los Angeles, San Francisco, and Chicago also have sued Uber.
Pennsylvania’s lawsuit alleges Uber violated its state’s data breach notification law, which requires organizations affected by a data breach to notify persons whose data they hold “without unreasonable delay.” It marks the first lawsuit brought by Pennsylvania Attorney General Josh Shapiro under the statute on behalf of consumers, he said in a statement.
“While I was surprised by Pennsylvania’s complaint this morning, I look forward to continuing the dialogue we’ve started as Uber seeks to resolve this matter,” Tony West, Uber’s chief legal officer told Bloomberg Law. “We make no excuses for the previous failure to disclose the data breach. While we do not in any way minimize what occurred, it’s crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or social security numbers.”
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Shapiro said. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year—and actually paid the hackers to delete the data and stay quiet,” the state attorney general said.
Under the law, Shapiro’s office may seek remedies of up to $1,000 for each violation. With at least 13,500 Uber drivers impacted by the breach, the attorney general’s legal team can seek civil penalties as high as $13.5 million from Uber, Shapiro said.
A second claim in the lawsuit alleges the company’s conduct violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law.
In addition suing for an alleged failure to notify in a timely manner, other states have sued Uber for allegedly failing to maintain reasonable security. Pennsylvania doesn’t have a reasonable security law.
Failure to notify is an easier claim to make than reasonable security, McAndrew said. The one year it took Uber to report the breach would seem to fall outside the “without unreasonable delay” standard, he said.
To contact the reporter on this story: George Lynch in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Barbara Yuill at email@example.com
Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)