Shutterstock/Creative Caliph.

Many were shocked last week when it was revealed that Uber Technologies Inc. had suffered a massive data breach, which it reportedly covered up for more than a year. It was also widely reported that the ride-hailing company ponied up $100,000 to keep the hackers quiet.

The much delayed notification about the breach has made already embattled Uber the target of numerous new lawsuits and inquiries. It has also raised new questions around breach disclosure and underscored the question of whether companies can and should offer hackers financial incentives to keep stolen data under wraps.

In Uber's case, two employees were terminated last week following reports of the breach that impacted 57 million people. It remains to be seen how the courts will rule on whether or not Uber had the obligation to disclose the breach when it occurred last October, but the company, which did not respond to requests for comment for this article, is facing widespread criticism.

The Consequences

As of Thursday, just over a week after new Uber CEO Dara Khosrowshahi confirmed the breach in a company blog post, Uber's chief security officer Joe Sullivan and in-house attorney Craig Clark have been ousted. The company is also facing inquiries from U.S. senators who want to know more about the breach, including the timeline of events and what notifications were or were not made to the Federal Trade Commission and law enforcement. Additionally, attorneys general from at least five states have launched investigations into the hack.

Uber has also been named in a number of lawsuits that aim to hold the company accountable for the hack and the subsequent cover-up. One consumer fraud lawsuit brought on behalf of the people of Illinois claims the ride-hailing giant failed to adequately protect the data of customers and drivers. A second consumer protection suit was filed by the state of Washington Tuesday, claiming Uber violated the state's data breach law.

The company has additionally been hit by two separate suits brought in federal courts in Los Angeles and San Francisco, both claiming the company was negligent in failing to implement proper safeguards to protect the data and in not providing timely notice of the breach.

Keller Rohrback, the firm bringing the San Francisco suit, has been involved in similar breach litigation against Equifax Inc. and Sony Pictures Entertainment Inc. Cari Campen Laufenberg, a member of Keller Rohrback's complex litigation group, told Corporate Counsel in an email the facts in this case are “some of the most egregious” the firm has seen during her tenure. “Uber has acted in a completely underhanded and self-serving manner, paying a ransom to hackers to destroy the data and keep the breach secret—ultimately, denying their customers and drivers the ability to protect themselves for over a year,” she said.

And in a Nov. 22 suit seeking class certification in U.S. District Court for the District of Oregon in Portland, it's alleged that Uber “unjustifiably failed” to notify consumers in a timely manner and negligently failed to maintain safeguards to protect the accessed information.

Michael Fuller, lead attorney for the plaintiff, said state law requires breaches to be disclosed as soon as possible. “Obviously there are circumstances where, when you're working with state and federal law enforcement, you may not want to disclose immediately that you've been hacked, but this is not a case where Uber was working with anyone except for with the hackers,” he said.

All the while, the San Francisco-based company must also contend with another possible probe from the FTC. In November 2014, the agency initiated an investigation into a breach that allowed access to the personal data of roughly 100,000 drivers. In August of this year, Uber reached a settlement with the FTC, agreeing to submit to regular audits of its privacy protocols for the next two decades.

According to public records obtained by Corporate Counsel, while FTC staff were evaluating Uber's data security program and practices in response to this 2014 incident, the ride-hailing company was ordered to preserve all documents related to its data policies that “may be in any way relevant to a potential investigation, irrespective of whether Uber believes that such documents may be protected from discovery,” the FTC wrote in a March 2015 letter to Uber counsel.

Failure to preserve this information, the letter continued, could result in civil or criminal liability.

The FTC declined to answer Corporate Counsel's questions about whether it is formally investigating Uber and if the company is in violation of any laws for not disclosing the most recent breach during the commission's previous investigation. “We are aware of press reports describing a breach in late 2016 at Uber and Uber officials' actions after that breach,” an FTC spokesperson said in an emailed statement. “We are closely evaluating the serious issues raised.”

Big Missteps

Uber's revelations about the breach leave a number of unanswered questions, such as who else in the company knew about the breach and the subsequent cover-up, aside from the two departed employees.

According to The New York Times, the deal with the hackers was arranged by the “company's chief security officer and under the watch of the former chief executive, Travis Kalanick.” And yet, Reuters reports that while Kalanick learned of the breach in November 2016, neither he nor outgoing chief legal officer Salle Yoo “were involved in the cover-up.” Uber did not respond to a request for comment on who knew what and when they learned it.

In the United States, 48 states and the District of Columbia have data breach notification laws that are triggered after a hack, though their specific provisions vary. On the federal level, the FTC often steps in when companies have “engaged in unfair or deceptive practices that put consumers' personal data at unreasonable risk.”

Given the many rules in play requiring notification, it doesn't make sense that Uber wouldn't have notified its customers and drivers, said Gregg Garrett, head of international cybersecurity at advisory firm BDO USA. “It's well understood … that there are existing requirements by the Federal Trade Commission to disclose information of a cyber breach and of course not to destroy information that could be pertinent to an investigation, that could be deemed evidence,” he said. “I don't believe that [Uber] didn't understand that what was disclosed was personally identifiable information.”

In some states, notification is not required if it's determined through either an internal investigation or consultation with relevant law enforcement agencies that there's no reasonable likelihood of harm. Because Uber tracked down the hackers and paid them to delete the data, could the case be made that in certain states, at least, notification wasn't required? Garrett said no, he doesn't “buy that” argument.

Garrett said it's also concerning how long Khosrowshahi seemingly knew about the breach before it was revealed last week. According to The Wall Street Journal, Khosrowshahi learned of the incident about two weeks after he stepped in as CEO on Sept. 5. Uber did not respond to a request for comment on whether this timeline is accurate, but if true, it would mean the new CEO knew for more than two months before publishing the blog post that committed to learning from company mistakes.

Khosrowshahi was, in all likelihood, trying to wrap his head around all of the information and to come up with a game plan, Garrett said, “but that should take place in a matter of days, not weeks or months.” He added that Khosrowshahi is “certainly culpable for extending the delay.”

The Cover-Up

And then, of course, there's the cover-up. Along with the $100,000 payment to the hackers in exchange for deleting the info, Uber also reportedly pushed them to sign nondisclosure agreements, and company execs made the payout look like a “bug bounty,” a program in which security researchers are paid for finding and reporting vulnerabilities under rules the company sets in advance, not for returning data they have already stolen. Uber did not respond to inquiries seeking confirmation of these details.

“This may be a case where the cover-up was worse than the initial action,” said Paige Boshell, a partner at Bradley Arant Boult Cummings and leader of the firm's cybersecurity and privacy team. “When you have your hackers sign nondisclosure agreements and pay them and then make it sound like it was a bug bounty, it makes it sound more like you are more involved on the side of the criminal than your consumers,” she said, adding that asking hackers to sign NDAs is not typical.

Boshell added, however, that with a number of facts still unknown, it's hard to definitively judge the payout. “A hundred thousand dollars is not a lot of money to a company like that, so if they thought they were acting to protect their riders and their drivers, there may have been a thought process that was reasonable.”

There's no doubt Uber isn't the only company to be confronted with the dilemma of whether to incentivize hackers. If and when a company faces this question, lawyers said the answer is fact-specific.

Behnam Dayanim, partner with Paul Hastings, declined to comment on Uber specifically but said that, generally, the No. 1 consideration for a company will be how critical the data is to the business enterprise and “how, if at all, the enterprise can function while the data are being held by the attacker.”

The next consideration is “the degree to which the company has confidence that if it pays the hacker, the data will be released to it and won't be misused or otherwise misappropriated,” he said.

“One fear, of course, is you pay the hacker and then either the hacker doesn't release the data to you or the hacker will release data to you but then sells it or uses it for other nefarious purposes,” he said, noting there's no guarantee the attackers will honor the deal to release the stolen information. “It's a question of trust.”

Dayanim said there are other downsides to making these payments. One is if the company makes the payment, “you identify yourself as an easy mark, which might mean you attract repeat attacks in the future.”

Another downside, he said, is the more companies make these payments, the more these attacks will proliferate.

Even so, Dayanim said, “The FBI and law enforcement, of course, frown upon making these payments, but they're not unlawful.”