On Nov. 21, 2017, ride-sharing giant Uber issued a press release stating that it had fallen victim to a cyberattack in late 2016. Per the release, the names and drivers’ license numbers of approximately 600,000 Uber drivers and the names and contact information of approximately 57 million Uber riders were “inappropriately accessed” by hackers from a third-party cloud-based service used by Uber. In Pennsylvania alone, at least 13,000 Uber drivers’ information is believed to have been compromised. While the magnitude of the breach grabbed headlines, it was Uber’s response to the breach that caught the attention of private litigants and governmental authorities.
According to a complaint filed against Uber by the city of Los Angeles, Uber paid the hackers $100,000 to destroy the stolen data, portraying the payment as a fee to test its system vulnerabilities, and required the hackers to sign nondisclosure agreements. Even more problematic, according to the city of Los Angeles, was Uber’s nearly year-long delay in reporting the breach to affected stakeholders. The lawsuit, filed within two weeks of Uber’s disclosure of the breach, alleges that Uber violated California law requiring companies to report cyberattacks “in the most expedient time possible” and “without unreasonable delay.” Chicago filed a similar lawsuit, and a suit seeking class action status was filed in California within hours of Uber’s disclosure of the breach.
The consequences for Uber have not been limited to litigation. In addition to the resignation of three senior managers from its international business operations and physical security groups, Uber is being investigated by both foreign and domestic governments, including the Pennsylvania Attorney General’s Office.
On Nov. 30, 2017, Pennsylvania Attorney General Josh Shapiro issued a written demand to Uber seeking the exact date Uber discovered the attack; the number of affected drivers and riders in Pennsylvania and nationwide; and the specific kinds of information and data which were compromised. According to the Office of Attorney General, Uber’s response to Shapiro’s demand will enable the attorney general to determine if Uber violated Pennsylvania’s Breach of Personal Information Notification Act, as well as other potential violations of Pennsylvania’s Consumer Protection Law.
Signed into law in 2005, Pennsylvania’s Breach of Personal Information Notification Act, 73 P.S. Sections 2301 et seq., requires companies that have suffered a data breach to notify affected Pennsylvanians “without unreasonable delay.” A violation of the act constitutes an unfair or deceptive practice with the Office of Attorney General having exclusive authority to bring an action under Pennsylvania’s Unfair Trade Practices and Consumer Law.
Uber’s response to the attorney general was due by Dec. 15, 2017. While no information has been released relating to whether Uber has responded or the substance of any response, the attorney general’s demand on Uber already may have prompted another major corporation to disclose that it too suffered a cyberattack.
In early December, PayPal informed Pennsylvania’s Bureau of Consumer Protection of a data breach impacting 1.6 million PayPal users in the United States and Canada. In a related press release, Shapiro stated that “PayPal did the right thing in alerting our office of the breach, and now is working with us to protect Pennsylvania consumers. I expect other businesses that experience hacks or breaches moving forward will do the same. We will remain vigilant.”
What will come of the Office of Attorney General’s investigation into the Uber data breach remains to be seen, but it may test the “teeth” of Pennsylvania’s Breach of Personal Information Notification Act, which largely has gone untested since its adoption in 2005.
As the number of data breaches continues to rise, it has become clear that the manner in which breaches are handled can be just as problematic as the breaches themselves.
Whether big or small, companies that maintain individuals’ personally identifiable information are vulnerable to attack. It is imperative that corporate and outside lawyers counsel their clients on damage mitigation and breach notification.
As a necessary first step, lawyers should counsel their clients to maintain a written information security plan (WISP) and a data breach plan. Such plans help companies identify when a breach has occurred and stop breaches from continuing.
A WISP sets forth the procedure for evaluating electronic and physical methods of accessing, collecting, storing, using, transmitting and protecting personal information. It allows the flow of data to be mapped so that potential gaps and vulnerabilities can be identified and accounted for in advance of a breach. In the event of a breach, companies can look to the most vulnerable sources of information and more quickly identify the source of the breach and, once detected, attempt to control the breach.
Lawyers also can help companies mitigate the potential damages from a breach by assisting in the creation of a data breach plan. A data breach plan envisions an array of different hypothetical circumstances in which a breach might occur, based on the sensitive information a company maintains, and outlines a response plan to mitigate the costs of that breach. In turn, fewer individuals are affected and damages are mitigated.
Finally, lawyers must counsel their clients on the various notification requirements of the states in which they operate. In general, notification requirements dictate when and how companies must notify consumers who have potentially been affected by a breach. A primary aim of notification requirements is to allow consumers affected by a breach to take their own protective measures, such as checking their bank records and credit reports and placing a stop on their credit cards. Although notification requirements differ in language, the theme is consistent: companies affected by a data breach must notify all affected stakeholders as soon as legally possible.
Awareness of notification requirements only goes so far; lawyers should also assist clients in creating and maintaining notification procedures so that, in the event of an attack, a company is prepared to notify its customers and government authorities as efficiently as possible. For example, notification hotlines and email blasts can be used to contact customers who are potential victims and to inform them of the breach and the potential resources that are available to them. These are examples of how pre-breach notification procedures can assist potential victims in their efforts to mitigate their damages.
As society continues to grow more dependent on technology, so too does the likelihood that a cyberbreach will occur. In counseling clients who maintain large quantities of sensitive data, lawyers must make clear that the best way to face a cyberbreach is to do so head-on.
As the Uber data breach has shown, delaying notification of a breach only results in greater exposure. If consumers are properly notified, compliance with state notification laws will be better achieved, damages can be mitigated, and victims can begin the process of protecting themselves from further harm and regaining trust in the company that was the initial victim of the breach.
Jeffrey T. Criswell is an associate in the Pittsburgh office of Thomas, Thomas & Hafer. He concentrates his practice in general civil litigation with a focus on the areas of municipal liability, civil rights and premises liability. Additionally, Criswell provides legal counseling on issues related to cybersecurity, including risk assessment and best practices for avoiding a potential breach.
Joseph Cardile is an associate in the Baltimore office of the firm. He represents businesses and individuals in litigation and arbitration arising out of product defects, fires, construction defects, contractual issues, motor vehicle accidents and premises liability.