Lessons From the Record-Setting Uber Data Breach Settlement

Uber has had a hard time getting data security right. This past week, the ride-sharing company agreed to pay $148 million in a settlement with 50 state attorneys general and the District of Columbia after it intentionally concealed a 2016 data breach. According to the New York Attorney General, it is the largest settlement ever in a multi-state breach case. Uber was found to have breached notification laws by hiding the fact that hackers accessed the information of 57 million users. Uber then paid the hackers $100,000 to destroy the data, without publicly disclosing the loss.

This isn’t Uber’s first time mishandling customer and driver personal information, and misleading the public. This spring, Uber agreed to expand an earlier settlement with the FTC, agreeing to additional conditions. “After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach,” acting FTC Chairman Maureen Ohlhausen said in April 2018. Just to be clear, Uber failed to report a data breach while in the midst of an ongoing FTC data breach investigation – not easy to believe, but true. Some of the lessons here are crystal clear. Others are still unfolding. But they will come to bear on all companies, not just Uber. Uber’s conduct creates a more highly charged environment for all companies. Here’s why.

  1. The cover-up is worse than the crime. Uber guessed that it could cover up its mistakes, and it guessed wrong. Uber used its “bug bounty program” to try to hide the fact that it paid a ransom to have the data destroyed. It’s not even clear that a breach notice would be required under many state laws, because the data that was stolen didn’t include personal financial information, even if it included what we now consider, broadly, personal information: names, mobile phone numbers, and email addresses of customers and, in the case of drivers, their driving license information. But in trying to hide the issue, Uber heaped problems on itself. Uber could have reported the issue up the line and let those with real authority decide how to handle it. Instead, the matter was hidden from Uber’s CEO for months, denying the company the chance to go to regulators and seek their guidance.
  2. Welcome to a stricter data regime—for all of us. As part of the settlement, Uber is now mandated to put in place more secure systems, and acknowledge breaches of a broad variety of personal information. It will undergo 20 years of audits, at significant expense, both monetary and in terms of human resources. The company is also required to provide records of its bug bounty reports relating to any vulnerability of consumer data, as well as turn over all third-party audits in full to the FTC. One could argue that the FTC is now running security at Uber, not the company. This is a new line in the sand; any company with less than stellar security programs should be on notice that if they don’t install state-of-the-art systems and processes, the government will be happy to direct them specifically how to do so. The FTC does not like to be fooled, and, while no lap dog in the past, the commission will surely not tolerate being trifled with again.
  3. The expansion of the definition of protected data. Up to this point, data breach notification laws have focused on financial data, such as credit card numbers or social security numbers, or other sensitive protected information, such as health records. This action has the possibility of enlarging the scope of protected data that must be reported if accessed or breached to include any information that can identify a person, much as the European Union has done through the General Data Protection Regulation, or California proposes in its recently-enacted Consumer Privacy Act. This means that the conditions that would merit government disclosure of a loss of information have greatly increased, perhaps exponentially.
  4. Look for more coordinated state actions. The coordinated action by all of the state Attorneys General may foreshadow additional joint action in the future, which could have an effect on pending federal proposals and impact the FTC’s authority. The $148 million fine was paid directly to the states (California received $26 million), making large fines a powerful incentive for state regulators to jump on what they see as egregious conduct. And seeing this kind of money on the table will only embolden class action counsel representing consumers whose data is compromised.


We’ve previously written about how to handle ransomware attacks. What we didn’t mention in that post, because it seemed to go without saying, is that regardless of the amount of data stolen, or the seemingly innocuous sum requested to get it back, all breaches should be analyzed and acted upon as quickly as possible so that the responsible parties can evaluate and minimize the risks from a breach. The fact that there may be a chance to secure the data, or ensure it is destroyed, or confirm it has not yet been misused, should not enter the equation. The risk in not acting on a breach is 100%. And it gets more expensive by the day.


Robert E. Braun
is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.