The State of Washington's Attorney General filed a complaint against Uber Technologies, Inc. (Uber) yesterday related to the 2016 hack that exposed the personal data of 57 million riders and drivers. The suit is the first enforcement action under the 2015 amendments to Washington's data breach law, and the penalties sought under its damages theory will likely amount to several millions of dollars.

Under Washington's revised data breach law, businesses are required to notify consumers within 45 days if their personal information was accessed by an unauthorized person. If the breach impacts at least 500 residents, the business must also notify the attorney general's office within 45 days. "Personal information" is defined as an individual's first and last name in combination with their social security number, driver's license number, or financial account information.

As has been well publicized, in November 2016, an individual contacted the ride-sharing company claiming that he had accessed the company's user information. Uber investigated and confirmed that the individual and one other person had in fact accessed Uber's files, which included the names, email addresses, and telephone numbers of about 50 million passengers worldwide. Uber also confirmed that the hackers had accessed the names and driver's license numbers of about 7 million drivers, 600,000 of whom reside in the United States and at least 10,000 of whom reside in the State of Washington.

When Uber learned of the breach, it did not notify law enforcement, consumers, or drivers, but instead paid the hackers $100,000 to delete the data they had stolen. Uber eventually disclosed the breach to the Washington Attorney General a year later—on November 21, 2017.

Because Washington's data breach law does not define "personal information" as including names, email addresses, and telephone numbers, the complaint filed by Washington Attorney General Bob Ferguson relates only to the Uber drivers residing in Washington. The complaint alleges that "Uber executives were aware of the breach as early as November 2016," but nonetheless failed to provide notification until November 21, 2017—far exceeding the 45-day deadline.

The complaint also noted that "Uber is aware of its responsibilities to provide notice of data security breaches," citing the fact that, in 2016, "the New York Attorney General fined Uber for failing to notify drivers and that office about a data breach that occurred in 2014."

Perhaps the most notable aspect of Attorney General Ferguson's complaint is its damages theory. Specifically, he is seeking civil penalties of up to $2,000 per violation—the maximum amount allowed under Washington's revised data breach law. However, Attorney General Ferguson contends that each day that Uber failed to report the breach to each of the drivers—as well as to his office—counts as a separate violation. Under such a theory, he argues that Uber should face a penalty of several millions of dollars.

Although several class actions have already been filed against Uber—as well as at least one suit filed by a municipality—the Washington enforcement action marks a new type of liability Uber will face in connection with the 2016 breach. With investigations under way by the attorneys general of Connecticut, Illinois, Massachusetts, Missouri, New Mexico, and New York, there will likely be more on this front soon.

Members of Ballard Spahr's Privacy and Data Security Group provide a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors and help clients around the world identify, manage, and mitigate cyber risk. Our team of nearly 50 lawyers across the country includes investigators and advocates with deep experience in cyber-related internal and governmental investigations, regulatory compliance and enforcement matters, cyber-related crisis management, and civil and criminal litigation.

Copyright © 2017 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.
