Pennsylvania Becomes Third State to Sue Uber Over Data Breach

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George Lynch

Pennsylvania is the third state to sue Uber Technologies Inc. under its state data breach notification law, following a widespread 2017 hacking incident that the ride-hailing company kept under wraps for over a year, according to a claim filed March 5 in Pennsylvania District Court.

As many as 43 state attorney generals are investigating Uber in relation to the breach.

Pennsylvania’s move is likely to trigger lawsuits by other state attorneys general, who are coordinating their investigations, Ed McAndrew, privacy and data security partner at Ballard Spahr LLP in Philadelphia, told Bloomberg Law.

The lawsuit makes Pennsylvania the third state, after Washington and Massachusetts, to sue over the breach, which exposed the personal information—including names, email addresses, and driver’s license numbers—of 57 million drivers and consumers. Los Angeles, San Francisco, and Chicago also have sued Uber.

Pennsylvania’s lawsuit alleges Uber violated its state’s data breach notification law, which requires organizations affected by a data breach to notify persons whose data they hold “without unreasonable delay.” It marks the first lawsuit brought by Pennsylvania Attorney General Josh Shapiro under the statute on behalf of consumers, he said in a statement.

Uber: `Surprised’ by Lawsuit

“While I was surprised by Pennsylvania’s complaint this morning, I look forward to continuing the dialogue we’ve started as Uber seeks to resolve this matter,” Tony West, Uber’s chief legal officer told Bloomberg Law. “We make no excuses for the previous failure to disclose the data breach. While we do not in any way minimize what occurred, it’s crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or social security numbers.”

“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Shapiro said. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year—and actually paid the hackers to delete the data and stay quiet,” the state attorney general said.

Under the law, Shapiro’s office may seek remedies of up to $1,000 for each violation. With at least 13,500 Uber drivers impacted by the breach, the attorney general’s legal team can seek civil penalties as high as $13.5 million from Uber, Shapiro said.

A second claim in the lawsuit alleges the company’s conduct violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law.

In addition suing for an alleged failure to notify in a timely manner, other states have sued Uber for allegedly failing to maintain reasonable security. Pennsylvania doesn’t have a reasonable security law.

Failure to notify is an easier claim to make than reasonable security, McAndrew said. The one year it took Uber to report the breach would seem to fall outside the “without unreasonable delay” standard, he said.

To contact the reporter on this story: George Lynch in Washington at

To contact the editor responsible for this story: Barbara Yuill at

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security