Uber faces more potential legal consequences for waiting to make public a major hack until a over a year after it happened. The Pennsylvania Attorney General filed a lawsuit against Uber Monday for violating the state’s data breach notification law, which says hacks should be disclosed within a “reasonable” time frame. Uber didn’t merely keep quiet about the massive breach; it reportedly paid a $100,000 ransom to the perpetrators in exchange for their silence. And while experts say Uber will likely settle the case, it may be just the latest in a cascade of similar lawsuits.
The stolen Uber data included the names and driver’s license information of around 600,000 drivers—including at least 13,500 from Pennsylvania—as well as data belonging to 25 million users in the US. It impacted over 57 million people in total. “Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Josh Shapiro, the states’s attorney general, said in a statement. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year and actually paid the hackers to delete the data and stay quiet.” Under Pennsylvania’s data breach notice law, the attorney general may seek fines up to $1,000 for each violation, leading to a maximum penalty of $13.5 million for Uber.
Pennsylvania’s joins a growing line of lawsuits against the ride-share company. Both Washington state, and cities including Los Angeles and Chicago filed suits when the breach was first made public by the company’s new CEO Dara Khosrowshahi in November. Two class-action lawsuits were also filed in California days after the breach was first disclosed. Attorneys general from New York, Missouri, and Connecticut have also said they would look into the breach. Forty-eight states, (excluding South Dakota and Alabama) currently have laws on the books regulating how and when a data breach must be disclosed.
“Since starting on this job three months ago, I’ve spoken with various state and federal regulators in connection with the data breach pledging Uber’s cooperation, and I personally reached out to Attorney General Shapiro and his team in the same spirit a few weeks ago. While I was surprised by Pennsylvania’s complaint this morning, I look forward to continuing the dialogue we’ve started as Uber seeks to resolve this matter,” Tony West, Uber’s chief legal office said in a statement. “We make no excuses for the previous failure to disclose the data breach. While we do not in any way minimize what occurred, it’s crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or social security numbers, which present a higher risk of harm than driver’s license numbers. I’ve been up front about the fact that Uber expects to be held accountable; our only ask is that Uber be treated fairly and that any penalty reasonably fit the facts.”
The Pennsylvania lawsuit is also the first to cite a Senate hearing in February where John Flynn, Uber’s chief information security officer, testified in front of the Committee on Commerce, Science, and Transportation about the hack. Uber initially said the payment it made to the hackers responsible for the breach was not a ransom, but simply a payout under its existing bug bounty program, a system many tech companies deploy to reward security researchers for bringing vulnerabilities to their attention. But during the hearing, Flynn acknowledged that the agreement made with the perpetrators—as well as the $100,000 payment—were not typical for its bug bounty program, which usually compensates researchers only a couple thousand dollars.
“The fact that this was a multistep malicious intrusion, a downloading of data, and extortionate demands means this wasn’t consistent with the way that [the bug bounty] program normally operates,” Flynn testified. He also said that Uber “made a misstep not reporting to law enforcement.”
William McGeveran, a professor at University of Minnesota Law School who specializes in data privacy law, said it’s possible Uber will settle with Pennsylvania for a fraction of the total $13.5 million fine, and take on commitments to ensure a similar breach doesn’t happen in the future. “In these settlements many times regulators care more about fixing the problem than about being punitive,” says Mcgeveran. But more suits could follow from other states, especially because Flynn’s statements before the Senate committee provide state prosecutors with more evidence to work with.
“Given the alleged facts in this case, it wouldn’t surprise me at all to see more lawsuits,” says Woodrow Hartzog, a law and computer science professor at Northeastern University who studies privacy and data protection issues. “Oftentimes you will have state attorneys general that might even work together if that appears to be the best course of action. They’ll probably be using the facts in this case as an example of how not to respond to a data breach.”
Uber has also already faced disciplinary action from federal regulators twice, once for a separate hack in 2014 that exposed the information of 100,000 drivers, and once for misleading drivers about how much money they could make. The FTC said in November that it was also evaluating the “serious issues” raised by the 2016 breach.
Uber has yet to pay any fines to the federal government, and won’t have to if it makes good on its promises to protect its drivers’ and customers’ privacy. The agreement between the FTC and Uber lasts 20 years. If the FTC decides that the 2016 breach is considered a violation of that agreement, the ride-hailing company could face expensive consequences. In 2012 for example, the FTC fined Google $22.5 million for violating its 2011 settlement.
For now, no federal law exists requiring companies disclose a data breach within a certain time frame. But since nearly every state has a data breach law, Uber could still face a patchwork of further lawsuits. Some lawmakers are also pushing for federal legislation. In December, Democratic senator Bill Nelson introduced the Data Security and Breach Notification Act, which would require companies to report breaches within a month, or face up to five years in prison.
Federal laws punishing companies for failing to notify about a breach wouldn’t necessarily improve protections for consumers, however. “I would be skeptical of the claims that a unified data security protection law are going to provide clarity and better data protection at the same time,” says Hartzog, who has testified before Congress about data breach legislation. “A movement to have a single unified standard among the United States would be seen as an opportunity to water down those requirements.”
State laws also give attorneys general the chance to act if they perceive the Federal Trade Commission to be not aggressive enough. “I think we’re going to see more activity by state attorneys general in privacy and security cases because it’s not clear how much the FTC is going to do under its current management compared to previous,” says McGeveran. “These states have a better argument because they have specific requirements that you notify about a breach.”
Besides, it’s not hard for a major corporation like Uber to juggle multiple state regulations at once, especially because the ones governing breach disclosure mandate the same things. “Many of them are quite similar in their requirements, many of them have the same deference to industry standards,” says Hartzog. It’s far harder to navigate, say, every state’s regulations on taxis.