In the race to hold Uber accountable for a massive data breach announced last week, consumer class actions might end up in the slow lane—but government regulators have a chance to speed ahead.
About a dozen class actions have been filed since Nov. 21, when Uber Technologies Inc. announced that hackers had stolen the personal information of 57 million drivers and riders back in 2016. Uber also admitted that it paid the hackers $100,000 to destroy the information.
But the lawsuits face standing issues, which have plagued data breach class actions in the past. And Uber’s hack involved names, email addresses and driver’s licenses—information that’s replaceable and less lucrative to hackers than Social Security numbers or health information. As a result, lead plaintiffs could have a hard time establishing they were injured from the breach.
That’s left local governments—many armed with new and amended data breach laws—to step up. On Monday, attorneys with the city of Chicago and Cook County, Illinois, filed a joint lawsuit against Uber alleging it failed to safeguard personal information and didn’t disclose the breach promptly under Illinois data breach laws. Jay Edelson of Chicago’s Edelson PC, who is working on the case on contingency, declined to comment.
On Tuesday, the state of Washington sued Uber. In a press release, Attorney General Bob Ferguson noted that the case, which seeks millions of dollars in penalties, was the first to be filed under the state’s 2015 amendments to its data breach law. Those amendments now require that consumers and the attorney general in Washington be notified within 45 days of the breach.
“Washington law is clear: When a data breach puts people at risk, businesses must inform them,” Ferguson said in a statement.
Attorneys general in a handful of other states are investigating Uber.
“This is a company that is facing a lot of different litigation, a lot of different investigations by law enforcement, and they’ve been investigated by attorneys general and the FTC,” said Cari Laufenberg of Keller Rohrback, who filed a case on Nov. 22 in Northern California’s federal district. “They don’t have a good track record. They have a credibility problem already going into this. So I think everyone is going to look at this with a finer, granular microscope than they might with a company with an outstanding record.”
In a Nov. 21 statement, CEO Dara Khosrowshahi, who took over in August, insisted that more sensitive data like Social Security numbers, birth dates and credit card numbers hadn’t been stolen. “None of this should have happened, and I will not make excuses for it,” he said. “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
The lawsuits against Uber allege negligence and violations of state data breach and consumer laws—all claims that have been brought before in cybersecurity class actions.
They face a common challenge in data breach cases: Establishing that the plaintiffs were injured from the hack. In 2015, U.S. Magistrate Judge Laurel Beeler of the Northern District of California dismissed a case over a similar 2014 breach at Uber, concluding that the lead plaintiff wasn’t harmed in having his name and driver’s license stolen. Even after Uber updated its notice to state that some Social Security numbers had been stolen, Beeler dismissed the case on Nov. 25, concluding there wasn’t enough evidence that Uber’s breach had caused immediate harm to the plaintiffs.
The plaintiffs attorney in that case, Tina Wolfson of Ahdoot & Wolfson in Los Angeles, who also filed a Nov. 21 class action over Uber’s 2016 breach, did not respond to a request for comment.
Not having more sensitive data stolen could threaten the new round of lawsuits, said Ed McAndrew, co-chairman of the privacy and data security group at Ballard Spahr in Philadelphia.
“That’s going to make it more difficult for the consumer plaintiffs to establish standing,” he said. “There will be motions to dismiss filed in virtually all these consumer class actions, and a number of them will go the way of past class actions, where less permanent data elements have been involved in the theft.”
Laufenberg acknowledged the limitations the type of hacked data could have in the cases. But she said that could change. And there’s another red flag that makes the Uber case different.
“The big one that stands out of course is their having hid the breach for a year, having attempted to handle it on their own by paying a ransom to the hackers and supposedly having them attempt to destroy the data,” she said. “That’s a big outlier in terms of fact patterns of these cases.”
Uber also knew of the breach while resolving a Federal Trade Commission investigation into its 2014 hack.
“This is perhaps the most problematic aspect for this for Uber,” said McAndrew. Under an Aug. 15 consent decree, he said, Uber agreed not to make misrepresentations about its security. He predicted that Uber could be facing $100 million in FTC penalties. “I wouldn’t be surprised if this wasn’t the largest FTC penalty related to data security we’ve seen.”
It’s unclear whether the FTC, now under the Trump administration, plans to take any action. An FTC spokesman told law.com: “We are aware of press reports describing a breach in late 2016 at Uber and Uber officials’ actions after that breach. We are closely evaluating the serious issues raised.”
“I have long championed the innovation and potential of the on-demand economy,” Warner wrote. “However, Uber’s conduct raises serious questions about the company’s compliance with relevant state and federal regulations.”