SAN FRANCISCO — Uber Technologies Inc.’s push to hold someone accountable for a 2014 data breach has focused heavily on an unnamed Lyft Inc. employee. Now Lyft is saying its market-leading rival has gone too far, launching a discovery effort that amounts to a “witch hunt.”
Lyft on Thursday filed a motion for a protective order that would prevent Uber from learning more about a Lyft employee, who is not named in court papers but who has previously been named in the press as a high-ranking executive. Lawyers for Lyft said that Uber has ulterior motives in its numerous subpoenas for information that it filed to try to beat back a lawsuit by a driver who says he was a victim of the data breach.
“Uber is abusing this court’s discovery power to harass a third party, X, and to uncover internal, confidential, trade-secret information about Lyft—X’s employer and Uber’s chief competitor,” wrote Lyft’s lawyers at Keker & Van Nest, entering their first appearance in the driver’s lawsuit, in which the company is neither plaintiff or defendant. “The court must put a stop to Uber’s unbounded discovery campaign, which now includes at least 11 third-party subpoenas targeting information from X and Lyft.”
Keker & Van Nest partner Rachael Meny, who signed the brief, did not return a phone call seeking comment. Gibson, Dunn & Crutcher partner Michael Li-Ming Wong, who defends Uber in the suit by the driver, declined to comment.
A Lyft spokesperson provided the following statement: “There is no evidence that any Lyft employee downloaded the Uber driver information or database, or had anything to do with Uber’s May 2014 data breach.”
The unnamed Lyft employee is the subject of the discovery even though Lyft is not a party to the litigation because Uber is attempting to find out the identity of those responsible for the 2014 breach that affected the information of up to 50,000 Uber drivers. Uber filed suit in federal court in San Francisco against a John Doe defendant, seeking to find the identity of anyone involved. A Reuters report in October said Uber identified its primary suspect as Lyft’s chief technology officer, Chris Lambert. Lyft’s attorneys only refer to the targeted worker as “employee X.”
Lyft says the broad-ranging, burdensome discovery” includes inspection of the employee’s electronic devices, Google searches and communication between the employee and Lyft. U.S. Magistrate Judge Laurel Beeler approved the subpoenas in December, saying that “the ‘breadth’ of material they ask for, the ‘time period’ they cover, and the ‘particularity’ with which they describe the target material—are, for the most part, appropriately limited to information related to the data breach that underlies the plaintiff’s case.”
The active discovery efforts come even after Beeler dismissed the former driver’s suit, with leave to amend. In March, 2015, Sasha Antman, sued the company, claiming the breach allowed someone to fraudulently take out a credit card in his name. Uber’s lawyers at Gibson Dunn argued that it was impossible to put the blame on Uber, as only names and driver’s license numbers were compromised in the data breach. Beeler agreed, saying that, “without a hack of information such as Social Security numbers, account numbers, or credit card numbers, there is no obvious, credible risk of identity theft that risks real, immediate injury.”
Beeler said Antman could amend his complaint, but Uber moved to delay the litigation, rare for a defendant in a case.
Keker & Van Nest attorneys called the tactic suspicious.
“Lyft has not found a single reported case in which a defendant has won a motion to dismiss and then proceeded to stall dismissal of the case to conduct its own discovery,” the Keker lawyers wrote. “Clearly, Uber saw an opportunity to exploit this case for its own purposes and proceeded to do so.”
In asking Beeler to rein in the discovery, Keker’s Meny blasted Uber.
“Uber is using this case, this plaintiff and this court’s subpoena power to conduct its own witch-hunt, to distract attention from its long and storied history of data breaches, to harass X, and to dig into its competitor’s internal, confidential and trade-secret information,” Meny wrote. “Enough is enough.”
A hearing is set for March 24.
Contact the reporter at firstname.lastname@example.org.