Regulators, Not Class Actions, Could Drive Legal Response to Uber Data Breach
In the race to hold Uber accountable for a massive data breach announced last week, consumer class actions might end up in the slow lane—but government regulators have a chance to speed ahead.
November 29, 2017 at 06:29 PM
About a dozen class actions have been filed since Nov. 21, when Uber Technologies Inc. announced that hackers had stolen the personal information of 57 million drivers and riders back in 2016. Uber also admitted that it paid the hackers $100,000 to destroy the information.
But the lawsuits face standing issues, which have plagued data breach class actions in the past. And Uber's hack involved names, email addresses and driver's licenses—information that's replaceable and less lucrative to hackers than Social Security numbers or health information. As a result, lead plaintiffs could have a hard time establishing they were injured from the breach.
That's left local governments—many armed with new and amended data breach laws—to step up. On Monday, attorneys with the city of Chicago and Cook County, Illinois, filed a joint lawsuit against Uber alleging it failed to safeguard personal information and didn't disclose the breach promptly under Illinois data breach laws. Jay Edelson of Chicago's Edelson PC, who is working on the case on contingency, declined to comment.
On Tuesday, the state of Washington sued Uber. In a press release, Attorney General Bob Ferguson noted that the case, which seeks millions of dollars in penalties, was the first to be filed under the state's 2015 amendments to its data breach law. Those amendments now require that consumers and the attorney general in Washington be notified within 45 days of the breach.
“Washington law is clear: When a data breach puts people at risk, businesses must inform them,” Ferguson said in a statement.
Attorneys general in a handful of other states are investigating Uber.
“This is a company that is facing a lot of different litigation, a lot of different investigations by law enforcement, and they've been investigated by attorneys general and the FTC,” said Cari Laufenberg of Keller Rohrback, who filed a case on Nov. 22 in Northern California's federal district. “They don't have a good track record. They have a credibility problem already going into this. So I think everyone is going to look at this with a finer, granular microscope than they might with a company with an outstanding record.”
In a Nov. 21 statement, CEO Dara Khosrowshahi, who took over in August, insisted that more sensitive data like Social Security numbers, birth dates and credit card numbers hadn't been stolen. “None of this should have happened, and I will not make excuses for it,” he said. “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
The lawsuits against Uber allege negligence and violations of state data breach and consumer laws—all claims that have been brought before in cybersecurity class actions.
They face a common challenge in data breach cases: Establishing that the plaintiffs were injured from the hack. In 2015, U.S. Magistrate Judge Laurel Beeler of the Northern District of California dismissed a case over a similar 2014 breach at Uber, concluding that the lead plaintiff wasn't harmed in having his name and driver's license stolen. Even after Uber updated its notice to state that some Social Security numbers had been stolen, Beeler dismissed the case on Nov. 25, concluding there wasn't enough evidence that Uber's breach had caused immediate harm to the plaintiffs.
The plaintiffs' attorney in that case, Tina Wolfson of Ahdoot & Wolfson in Los Angeles, who also filed a Nov. 21 class action over Uber's 2016 breach, did not respond to a request for comment.
Not having more sensitive data stolen could threaten the new round of lawsuits, said Ed McAndrew, co-chairman of the privacy and data security group at Ballard Spahr in Philadelphia.
“That's going to make it more difficult for the consumer plaintiffs to establish standing,” he said. “There will be motions to dismiss filed in virtually all these consumer class actions, and a number of them will go the way of past class actions, where less permanent data elements have been involved in the theft.”
But he acknowledged that the cases could have a strong argument that Uber misrepresented its security procedures to consumers. “That misrepresentation cause of action is going to be much more appealing to certain judges in a case like this than it would be where you just said you misrepresented the facts based on your website privacy policy statement,” he said.
Laufenberg acknowledged the limitations the type of hacked data could have in the cases. But she said that could change. And there's another red flag that makes the Uber case different.
“The big one that stands out of course is their having hid the breach for a year, having attempted to handle it on their own by paying a ransom to the hackers and supposedly having them attempt to destroy the data,” she said. “That's a big outlier in terms of fact patterns of these cases.”
Uber also knew of the breach while resolving a Federal Trade Commission investigation into its 2014 hack.
“This is perhaps the most problematic aspect for this for Uber,” said McAndrew. Under an Aug. 15 consent decree, he said, Uber agreed not to make misrepresentations about its security. He predicted that Uber could be facing $100 million in FTC penalties. “I wouldn't be surprised if this wasn't the largest FTC penalty related to data security we've seen.”
It's unclear whether the FTC, now under the Trump administration, plans to take any action. An FTC spokesman told law.com: “We are aware of press reports describing a breach in late 2016 at Uber and Uber officials' actions after that breach. We are closely evaluating the serious issues raised.”
Congress also is digging in. On Monday, four Republican U.S. senators and Sen. Mark Warner, D-Virginia, sent letters to Khosrowshahi asking for more information about the breach.
“I have long championed the innovation and potential of the on-demand economy,” Warner wrote. “However, Uber's conduct raises serious questions about the company's compliance with relevant state and federal regulations.”