The State of Washington's Attorney General filed a complaint against Uber Technologies, Inc., (Uber) this week related to the 2016 hack that exposed the personal data of 57 million riders and drivers. The suit is the first enforcement action under the 2015 amendments to Washington's data breach law, and the damages theory will likely amount to several millions of dollars.
Under Washington's revised data breach law, businesses are required to notify consumers within 45 days if their personal information was accessed by an unauthorized person. If the breach impacts at least 500 residents, the business must also notify the attorney general's office within 45 days. "Personal information" is defined as an individual's first and last name in combination with their social security number, driver's license number, or financial account information.
As has been well publicized, in November 2016, an individual contacted the ride-sharing company claiming that he had accessed the company's user information. Uber investigated and confirmed that the individual and one other person had in fact accessed Uber's files, which included the names, email addresses, and telephone numbers of about 50 million passengers worldwide. Uber also confirmed that the hackers had accessed the names and driver's license numbers of about 7 million drivers—600,000 who reside in the United States and at least 10,000 residing in the State of Washington.
When Uber learned of the breach, it did not notify law enforcement, consumers, or drivers, but instead paid the hackers $100,000 to delete the data they had stolen. Uber eventually disclosed the breach to the Washington Attorney General a year later—on November 21, 2017.
Because Washington's data breach law does not define "personal information" as including names, email addresses, and telephone numbers, the complaint filed by Washington Attorney General Bob Ferguson relates only to the Uber drivers residing in Washington. The complaint alleges that "Uber executives were aware of the breach as early as November 2016," but nonetheless failed to provide notification until November 21, 2017—far exceeding the 45-day deadline.
The complaint also noted that "Uber is aware of its responsibilities to provide notice of data security breaches," citing the fact that, in 2016, "the New York Attorney General fined Uber for failing to notify drivers and that office about a data breach that occurred in 2014."
Perhaps the most notable aspect of Attorney General Ferguson's complaint is its damages theory. Specifically, he is seeking civil penalties of up to $2,000 per violation—the maximum amount allowed under Washington's revised data breach law. However, Attorney General Ferguson contends that each day that Uber failed to report the breach to each of the drivers—as well as to his office—counts as a separate violation. Under such a theory, he argues that Uber should face a penalty of several millions of dollars.
Although several class actions have already been filed against Uber—as well as at least one suit filed by a municipality—the Washington enforcement action marks a new type of liability Uber will face in connection with the 2016 breach. With investigations under way by the attorneys general of Connecticut, Illinois, Massachusetts, Missouri, New Mexico, and New York, there will likely be more on this front soon.
