Uber faces mounting scrutiny over massive data breach

Uber faces mounting scrutiny over massive data breach
© Greg Nash

Uber is facing mounting scrutiny from lawmakers, states and several countries after revealing a massive data breach affecting information on 57 million customers and drivers.

The company notified regulators on Tuesday of the breach, which took place in October 2016, after more than a year of keeping the incident quiet.

By Wednesday, the attorneys general of New York, Illinois, Massachusetts and Connecticut confirmed they were probing the breach. Other investigations are being launched in the United Kingdom, Australia and the Philippines.

Here are four areas the firm faces potential scrutiny:

Breach notification laws


The data breach affected accounts around the world and likely ran afoul of an assortment of international laws requiring firms to notify consumers or government agencies after breaches.

In the United States, those laws are handled by the states, with every state except Alabama and South Dakota enacting laws protecting their citizens.

"This would have triggered the notification laws in all 48 states," said Ed McAndrew, a former federal cyber crime prosecutor who co-heads the Privacy and Data Security Group at the Ballard Spahr law firm. 

It would also violate rules in Washington, D.C., and Puerto Rico. 

Breach notification laws apply to whichever state an account holder lives in, regardless of the location of the company or servers. Though Uber's corporate offices are in California, a driver in Virginia is protected by the laws of the commonwealth, not those in California.

Different states require different notifications in different time frames. Depending on the state, notification should have taken place within 90 days, or as quickly as practical.

While all states would require notifications be sent to drivers after their license numbers were stolen, nearly two-thirds of states require a notification to be sent to a state official, typically an attorney general.

Under several state statutes, the fine for violating these laws can range into the hundreds of thousands of dollars.

Federal regulators

Rep. Frank Pallone Jr.Frank Joseph PalloneDems ask FTC if it needs more money to protect privacy Trump officials take bold steps on Medicaid Divisions emerge over House drug price bills MORE (N.J.), the top Democrat on the House Energy and Commerce Committee, called on the Federal Trade Commission (FTC) on Wednesday to investigate the Uber breach.

While Uber kept quiet about the 2016 breach, the FTC was investigating the firm for a similar breach in 2014.

The silence continued even after the FTC and Uber settled the investigation with terms requiring the company not to "misrepresent in any manner, expressly or by implication," how the firm "monitors" or "protects" personal information. 

"The biggest potential problem Uber faces is the FTC," said McAndrew, adding that he expected potential fines from the FTC in the hundreds of millions of dollars for misrepresenting its security by omission.

In 2015, in a case McAndrew said was comparable in content but smaller in scope, LifeLock was ordered to pay $100 million for violating an FTC order concerning user privacy. 

The FTC settlement requires Uber to have independent audits of its privacy and data protection systems every two years, with the first audit due by February.

McAndrew speculated this might mean Uber was getting ahead of the issue by disclosing a breach that an audit might turn up three months later.

An Uber spokesperson said in a statement Wednesday that the company has "been in touch with several Attorney General Offices and the FTC to discuss" the 2016 breach "and we stand ready to cooperate with them going forward."

An FTC spokesperson said Wednesday that it was "closely evaluating the serious issues raised."

Class-action lawsuits

A stateside class-action lawsuit may be a tough to pursue, said Scott Vernick, an attorney at Fox Rothschild, as it is difficult to prove any person has standing to sue over a data breach. 

"Standing always turns on proving harm and it isn't easy to prove harm," he said. 

Though McAndrew said that judges have been more willing in recent months to allow a data breach class-action suit to go to trial, he was unaware of any receiving a favorable verdict. Rather, he said, those cases settled.

Vernick also noted that Uber is not a publicly traded company and not subject to U.S. Security and Exchange Commission (SEC) notification procedures requiring that investors be informed of potential liabilities. 

International considerations

Uber's growth strategy has frequently been to enter a market with existing regulations for taxi services, claim those regulations do not apply to its service and force localities to adapt.

Despite wide support among consumers for the ride-hailing company, Uber has seen pushback from multiple governments, including an outright ban on its low-cost service in Germany.

Data privacy missteps do not technically have any bearing on how localities around the world view the legality of Uber's services. But the new breach might risk upsetting the delicate balance between the company and some governments.

Europe has gone to war with other technology behemoths, like Facebook and Google, over privacy concerns in the past.

"Every time you suffer a blemish — in particular a security blemish — it hurts you with Europe," said Vernick.


– Ali Breland contributed