Whether it is breaking a window with a rock or suffering a massive cyberbreach, the common parental refrain still rings true: the coverup can be worse than the act. Unfortunately for Uber, the popular ride-sharing company, that lesson is being re-learned the hard way.
In the face of mounting lawsuits, from class action suits to government-initiated complaints, Uber’s failure to timely disclose a 2016 cyberattack has become a case study in what can go wrong if a company fails to implement and execute a data breach response plan.
Pennsylvania is the latest state seeking to hold Uber accountable. On March 5, Pennsylvania Attorney General Josh Shapiro filed suit in state court against Uber for Uber’s admitted failure to disclose a cyberattack that exposed the personal information of at least 13,500 Pennsylvania Uber drivers for over a year.
According to the complaint, filed in Philadelphia County, Uber’s delay in providing notice to Pennsylvanians affected by the cyberattack violates Pennsylvania’s Breach of Personal Information Notification Act’s (BPINA) requirement that notice be provided “without unreasonable delay.” Each failure to notify an affected individual constitutes a separate violation of BPINA, as well as a violation of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law (UTPCPL). Therefore, Uber is facing approximately 13,500 violations under the act.
Attorney General Shapiro is seeking both injunctive relief and civil penalties to the tune of at least $13.5 million, or $1,000 per affected individual. Civil penalties could escalate for affected individuals over the age of 60, in which case BPINA calls for a fine of $3,000 per person.
The lawsuit marks the first time that Shapiro has sued under BPIN_A on behalf of consumers and follows a growing trend of government-initiated lawsuits seeking to enforce similar breach notification laws. Los Angeles, Chicago, Illinois, and the state of Washington all have filed similar suits.
As Uber has admitted malfeasance, this suit appears to be an ideal test case for BPINA. The inherent ambiguity of BPINA’s “without unreasonable delay” notice requirement language would likely be a point of contention in suits where the delay is limited to a couple of days, or even a couple of weeks. However, Uber leaves little room for argument as its delay was admittedly, for one year.
Given Attorney General Shapiro’s aggressive stance on cybersecurity, the lawsuit is not unexpected, even if it is a first. Previous data breach cases, involving Target, Nationwide, and Lenovo, have all been settled out of court by Shapiro’s office.
While Uber is the first defendant of a BPINA lawsuit, Equifax may soon be joining the club. In October 2017, at the direction of Shapiro, Pennsylvania’s Bureau of Consumer Protection launched an immediate investigation into Equifax’s six-week delay in notifying the public of a data breach that Equifax learned of in July 2017. In an op-ed column written by Shapiro and published by FoxNews.com, Shapiro stated that the “Equifax is not just a data breach—it is a breach of trust. We have placed enormous trust in Equifax to handle our information carefully, yet this is how they’ve repaid us.” No suit has been filed to date.
In addition to state governments it also appears that the federal government is looking to crack down on companies who fail to timely notify their customers/clients after a data breach.
Immediately after Uber’s November 2017 press release admitting the year long notification delay, Florida Sen. Bill Nelson proposed the Data Security and Breach Notification Act. Senate Bill 2179—Data Security and Breach Notification Act, was first introduced on Nov. 30, 2017. The act seeks to employ nationwide notification requirements and replace the obscure and sometimes conflicting state laws presently in place. The bill looks to enforce criminal penalties on those convicted of “intentionally and willfully” hiding the occurrence of a data breach. The penalties could include fines and imprisonment.
In order to help avoid the lawsuits and potential federal penalties that may result from failing to timely notify customers/consumers of a data breach it is critical that lawyers counsel their clients on the different state notification laws and help prepare them to timely respond to and notify those who may have been effected by a breach. Lawyers should assist clients in creating and maintaining notification procedures so that a company is prepared to notify customers and government authorities as efficiently as possible. As the recent trend in data breaches reveals, the coverup can be just as bad as the act if companies are not prepared to properly respond.
Jeffrey T. Criswell is an associate in the Pittsburgh office of Thomas, Thomas & Hafer. He concentrates his practice in general civil litigation with a focus on the areas of municipal liability, civil rights and premises liability. Additionally, Criswell provides legal counseling on issues related to cybersecurity, including risk assessment and best practices for avoiding a potential breach.
S. Joseph Cardile is an associate in the Baltimore office of the firm. He represents businesses and individuals in litigation and arbitration arising out of product defects, fires, construction defects, contractual issues, motor vehicle accidents and premises liability.