On Nov. 21, 2017, Uber Technologies, Inc., the embattled San Francisco ride-hailing company, disclosed that two hackers had stolen data concerning 57 million driver and rider accounts, including phone numbers, email addresses and names of Uber riders from a third-party server and demanded $100,000 to delete their copy of the data.
In a classic example of the “cover-up being worse than the crime,” Uber shockingly revealed that it acquiesced to the hacker’s demands by paying the $100,000 ransom and then engaged in a plan to cover-up the hack for more than a year wherein Uber’s customers and drivers were never informed that their personal information had been stolen. Uber’s inexplicable delay in informing the public and its customers of the 2016 data breach has placed it in the regulatory and legal cross-hairs of the Federal Trade Commission, at least three European government agencies, the National Privacy Commission of the Philippines, the New York State Attorney General’s office, the New Mexico Attorney General, and the Los Angeles City Attorney (through a lawsuit filed earlier this month).
Data breaches at companies large and small can and will happen, but Uber’s current and, likely future, regulatory and legal entanglements reveal that hiding, ignoring or covering up a data breach is far worse than simply addressing the breach when it occurs.
While recklessly irresponsible, Uber’s attempted cover-up of the 2016 hack and data breach sadly mirrors the approach utilized by many companies seeking to avoid their responsibilities under various data breach notification laws. Based on information currently available, Uber attempted to conceal the 2016 data breach that affected 57 million accounts. In addition to the names, emails and phone numbers of riders, about 600,000 U.S. drivers’ license numbers were accessed. In private, Uber acquiesced to the demands of the hackers and then went further by attempting to hide the breach.
Uber’s chief security officer, Joe Sullivan, under the watch of former chief executive, Travis Kalanick, arranged a deal with the hackers to pay the $100,000 ransom. According to the New York Times, Uber tracked down the hackers and pushed them to sign nondisclosure agreements. To further conceal the damage, Uber executives also made it appear as if the payout had been part of a “bug bounty” – a common practice among technology companies in which they pay hackers to attack their software to test for soft spots. The details of the breach and cyber-attack remained hidden until November 21, 2017 when Dara Khosrowshahi, Uber’s new CEO as of August, disclosed the breach to the public as part of an attempt to regain public trust in the company after Uber’s purportedly toxic workplace culture came under scrutiny under ousted CEO Travis Kalanick.
While Mr. Khosrowshahi seeks to get in front of Uber’s breach cover-up by voluntarily disclosing details of the hack and Uber’s failure to notify customers, the response by regulators shows that we are venturing into a world where a company’s failure to comply with data breach notification laws by ignoring or covering up the breach will no longer be tolerated. As a result of Uber’s efforts to conceal the data breach, Uber’s chief security officer was fired. A Federal Trade Commission spokesman said the agency is “closely evaluating the serious issues raised,” while Sen. Richard Blumenthal (D., Conn) said on Twitter that the Senate Commerce Committee should hold hearings to “demand Uber explain their outrageous breach – and inexplicable delay in informing its consumers and drivers.” According to The Wall Street Journal, the New York Attorney General’s office has opened an investigation.
In addition, New Mexico’s Attorney General issued a letter to Uber demanding that the company provide more information within 10 days and referred to the breach and Uber’s response as “gravely concerning.”
Overseas, Britain’s Information Commissioner’s Office, which oversees data protection in the country, said it would assess how the breach affected people in the U.K. and what steps Uber would need to take to better comply with data-protection requirements. The office has the power to fine Uber up to £500,000 ($665,000) for any wrongdoing. The deputy commissioner of the Information Commissioner’s Office noted that “[d]eliberately concealing breaches from regulators and citizens could attract higher fines for companies.” Likewise, data protection agencies and regulators in the Netherlands (the location of Uber’s European operations), Italy and the Philippines have launched investigations into the incident and were incensed by Uber’s lack of transparency and failure to adequately respond to protect customers once it learned of the data breach.
Here in California, Los Angeles City Attorney Mike Feuer filed a lawsuit earlier this month against Uber asserting that Uber violated California’s Data Breach Notification Law (California Civil Code Section 1798.82) by failing to promptly report the breach. Under California Civil Code Section 1798.82, California companies are required to report hacks “in the most expedient time possible and without unreasonable delay.” At a news conference at Los Angeles City Hall, Los Angeles City Attorney Feuer stated, “[w]e’re taking action because we believe very strongly in the importance of protecting consumers.”
While it is not yet known how many drivers in California were affected by the hack and Uber’s cover-up, the City of Los Angeles’ lawsuit seeks $2,500 for each violation of the law. It has been reported that about 600,000 U.S. Drivers’ license numbers were accessed in the attack. Even by conservative estimates, Uber’s exposure in the City Attorney’s lawsuit alone could reach tens, if not hundreds, of millions of dollars.
The Uber breach and cover-up is an ongoing and developing story that reinforces the importance of transparency and taking data breach notification laws seriously. We continue to advise our clients to take proactive and vigilant steps now to ensure personal information and critical data in their possession is adequately protected. We also stress the importance of correctly and lawfully responding to a data breach should it occur at our clients’ businesses. The first step is to develop and disseminate a basic privacy practice and strategy to reduce the risk of a data breach actually occurring. As a starting point, limiting the personal information collected and retained can provide the strongest protection since a hacker cannot steal data containing personally identifiable information if the company does not keep such data. Companies should next focus on securing any private or sensitive data that they must maintain to prevent any unauthorized access. The use and retention of highly trained information security professionals is essential at this stage.
Even with the most sophisticated security measures in place to protect the disclosure of private information, companies are at risk to a hack or data breach. For this reason, a data breach response plan is essential to guide a company if, and when, a breach occurs. For California corporations, the retention of legal counsel to prepare the data breach response strategy is highly recommended to ensure that all measures comply with California’s existing data breach notification law.
Uber’s recent regulatory and legal troubles regarding its failure to properly notify its drivers and customers of the 2016 data breach serve as a reminder that the cover-up is often worse than the crime.
Michael S. Little works for Poole & Shaffery, LLP.