Uber's Data Breach Followed By Proposed Class Action: Lessons to be Learned
On February 27, 2015, Uber Technologies, Inc. disclosed that it was the victim of a cyber attack and suffered a data breach. In its statement, Uber said that on September 17, 2014, it discovered one of its databases could potentially have been accessed by a third party. After subsequent investigation, it learned that a one-time unauthorized access to an Uber database by a third party occurred on May 13, 2014, and that the information of nearly 50,000 individuals (primarily taxi drivers employed by Uber) was compromised. The company disclosed that the files which were accessed only contained the names and driver’s license numbers of certain drivers. Uber did not say how it discovered the breach, but did admit it did not learn of the unauthorized access until several months after it had occurred.
As is typical with any major data breach announcement, a proposed class action was filed several weeks later. In Uber’s case, the lawsuit was filed in the United States District Court for the Northern District of California (San Francisco Division). The named plaintiff is Sasha Antman, who commenced the lawsuit individually and on behalf of all others similarly situated. Antman, a former Uber driver in San Francisco who received his last payment around September 2013, commenced the lawsuit against Uber for its failure to secure and safeguard its drivers’ names, driver’s license numbers, and other personally identifiable information. The lawsuit alleges that on June 2, 2014, an unknown and unauthorized person used Antman’s private information to apply for a credit card which now appears on his credit report.
In the Complaint, Antman alleges two causes of action based upon California statutes: Count I - Violation of the Civil Code Section 1798.81.5 and 1798.82, and Count II - Violation of California Unfair Competition Law, Business and Professions Code § 17200, et seq. Specifically, Antman alleges Uber could have prevented the data breach, claiming that the company maintained the private information in an unencrypted form and that the hacker was able to access the information with a basic password. Antman asserts that Uber, among other things, intentionally, willfully, recklessly or negligently failed to take adequate and reasonable steps to ensure its data systems were protected. Further, Antman claims that Uber failed to provide timely and adequate notice to him and other class members that their private information had been stolen and to indicate precisely what information was obtained. Notably, Uber identified the data breach in September 2014 but did not disclose the breach until February 2015, approximately 5 months later.
The lawsuit seeks (a) an order certifying the action as a class action; (b) equitable relief enjoining Uber from engaging in the wrongful conduct (misuse and/or disclosure of the class members’ private information and refusing to issue prompt, complete and accurate disclosures to Plaintiff and Class members); (c) equitable relief compelling Uber to utilize appropriate methods and policies with respect to its data collection, storage and safety practices; (d) equitable relief requiring restitution and disgorgement of the revenues wrongfully retained as a result of Uber’s wrongful conduct; (e) an award of actual, compensatory or statutory damages; and (f) an award of costs of suit and attorneys’ fees.
Because the action against Uber was recently filed, we cannot yet determine how the litigation will proceed or whether a class action will be certified. However, there are a few takeaways from this latest data breach. First, every company should review its information system protocols to ensure that minimum levels of data protection are implemented and followed by the entire organization. Second, every company should have a data breach response plan which, at the very least, requires prompt notification to any affected party of the compromise of personally identifiable information.
For additional information on these matters and steps your company can take to protect itself from a cyber event, please contact Sedgwick Jeanite (212.631.4413 | firstname.lastname@example.org), Jay Shapiro (212.714.3063 | email@example.com), or Josh Mooney (215.864.6345 | firstname.lastname@example.org).