Washington State Attorney General Bob Ferguson filed a consumer protection lawsuit against Uber alleging thousands of violations of the state’s data breach notification statute arising out of Uber’s decision to conceal a significant data breach.
As widely reported by the New York Times and other news outlets, Uber revealed last month that hackers stole account information of 57 million drivers and riders. Uber failed, however, to disclose this significant security breach for more than a year, opting instead to deal with the hackers directly by paying a $100,000 ransom, and pushing the hackers to sign nondisclosure agreements. Uber’s chief security officer and an in-house attorney were fired for their role in concealing the data breach.
Last week, shortly after the data breach was revealed, Attorney General Ferguson filed a lawsuit alleging that the names and driver’s license information of at least 10,888 Uber drivers in Washington were accessed as a result of the breach. Specifically, the lawsuit claims Uber failed to timely notify the affected residents, as required by state law (RCW 19.255.010). Washington’s data breach law covers personal information, such as a Washington resident’s first name or first initial and last name, in combination with any of the following “data elements”:
- social security number;
- driver’s license number or Washington identification card number; or
- bank account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s account.
If the aforementioned information is compromised by a security breach, affected residents must be notified “in the most expedient time possible and without unreasonable delay, no more than forty-five calendar days after the breach was discovered.” When the breach affects over 500 residents, Washington’s attorney general must also be notified. Notably, the data breach statute also authorizes the attorney general to bring claims under Washington’s Consumer Protection Act if a company fails to timely notify residents of a breach. Based on the timeline that Uber has publicly disclosed (and a notification letter attached to the complaint), by waiting over a year to notify affected residents, Uber appears to have far exceeded the allowable notice period under Washington’s data breach statute. The attorney general is seeking civil penalties of up to $2,000 for each violation.
The complaint filed by the attorney general’s office is available here.