September 27, 2018
Uber, a pioneer in ride-sharing technology, and attorneys general from all 50 states and the District of Columbia, announced today that Uber has reached a settlement agreement for fines in the amount of $148 million for the way it handled a data breach that occurred in 2016. For years, the conventional wisdom in legal circles has been that the risk of cybersecurity litigation is low, the theory being that in most cases the loss of data, while disconcerting, does not amount to any legally cognizable damages. However, modern developments have proved otherwise, with each state in the U.S. having developed a process for dealing with reporting requirements and remediation of data breaches, which includes steep fines for non-compliance. Thus, the danger of legal action after a data breach comes not just from a tort theory, where data owners might sue on a class action basis, but also from a government enforcement standpoint, where state prosecutors may pursue fines and civil penalties. This has the potential to skyrocket the real-world costs of a data breach, from dealing with the technical and business ramifications of a breach of public trust to managing the legal risks that arise from the fallout.
Here, it was alleged that Uber discovered a breach of Uber drivers’ private data in November 2016, but failed to report this breach until November 2017. Drivers’ names and license numbers were compromised in the breach, affecting about 600,000 individual drivers. Each state varies in its requirements for handling data breaches, but generally the party maintaining the data must notify a person or business of any breach once it occurs. In New York State, an entity or person conducting business in New York must, in most cases, disclose any breach of data to residents of New York who owned that data. They must also notify the New York Attorney General, State Police and the State’s Division of Consumer Protection. Failure to notify can lead to substantial fines, up to $10,000 per instance of breach. Uber was accused of, instead of reporting the breach, engaging with the hacker who had stolen the data and making a ransom payment to him of $100,000. The fines agreed to in this settlement dwarf what the breach would likely have cost the company if it had followed appropriate post-breach protocols.
The resulting lawsuit, settlement and fine should be seen as a shot across the bow: all companies, even small and mid-size businesses, are on notice that reporting requirements for data breaches are to be taken seriously and will be enforced by state governments across the country. To make matters more complicated, these notification requirements hinge not just on where the breach occurred, but on where the people or businesses affected by the breach are located. Thus, a single breach may trigger 50 different notification processes and requirements. Without a fundamental understanding of the process, it is dangerous for companies to attempt to manage the post-breach process on their own, in-house.
Insurance carriers are moving into this space, recognizing the opportunity to manage risk for their clients, with data breaches becoming not a matter of “if” but “when.” McGivney Kluger, Clark & Intoccia is well positioned across 12 offices to assist small and mid-size businesses who are either concerned about their risk from potential breaches, or who have a breach to report. For more information about this aspect of MKCI’s practice, please contact Jim Long (jlong@mcgivneyandkluger.com) or Eric Gernant (egernant@mcgivneyandkluger.com).