Uber Sued over Massive Data Breach

After admitting that it paid $100,000 to hackers in exchange for their silence regarding a data breach, Uber is now being sued over the breach, which resulted in the theft of approximately 57 million people’s personal information and the disclosure of 600,000 Uber drivers’ license numbers. Uber has already had its fair share of legal woes this year. The company is under siege from plaintiffs with complaints that include sexual harassment, bribery, theft of trade secrets, and discriminatory pricing. In response, the beleaguered company removed founder Travis Kalanick in June, and after this latest debacle, Uber also dismissed chief security officer and deputy general counsel, Joe Sullivan, over the management of the data breach. Experts following the case have been especially critical of Sullivan’s decision to pay off the hackers, as Sullivan had previously served as the top security executive at Facebook, Inc., and was also, at one time, a federal prosecutor.

Now Uber is facing three possible class-action lawsuits and is under investigation by at least five different state attorneys general. The plaintiffs claim that Uber failed to implement and maintain reasonable security measures to ensure the protection of customer and driver personal information. Because of Uber’s lax security measures, the plaintiffs claim, hackers were able to gain access to Uber’s proprietary information by exploiting access to information stored on GitHub, an open service that allows engineers to share and collaborate on software code.

The company's handling of the data breach has been further criticized because it waited over a year before disclosing to the public that such a breach had occurred. The stolen personal information included, but was not limited to, names, addresses, phone numbers, drivers’ license numbers, and email addresses. While at least five states are conducting investigations into Uber’s conduct regarding the data breach, they have declined to state the exact nature of the cases they intend to build against Uber.

While U.S. federal agencies are currently not involved in litigation against Uber, the Federal Trade Commission has acknowledged that it is closely following the lawsuits and Uber’s handling of the situation. If the federal government were to act, the Federal Trade Commission would have both jurisdiction and precedent to take action against Uber’s failure to disclose the data breach, because it has pursued other businesses that failed to safeguard consumers’ personal data in the past. Moreover, experts note that government officials are especially concerned with Uber’s decision to pay off the hackers instead of disclosing the breach; experts fear that if other companies were to follow suit, companies would always choose their own financial security over the protection of consumers’ personal data.

As many know, data breaches have become increasingly common in today’s age of technology and the Internet. Large companies such as Home Depot, Target, and Google have all been under fire for their mishandling of consumer data. While the courts are quickly trying to determine how best to punish companies that fail to provide adequate security measures, it would behoove companies to consult experienced intellectual property counsel in order to help avoid such costly data breaches. Attorneys well-versed in cybersecurity can educate clients on what safeguards should be in place and what kind of contracts may help lessen liability, and can act as defense counsel if any lawsuits proceed to trial.

Klemchuk LLP is an Intellectual Property (IP), Technology, Internet, and Business law firm located in Dallas, TX.  The firm offers comprehensive legal services including litigation and enforcement of all forms of IP as well as registration and licensing of patents, trademarks, trade dress, and copyrights.  The firm also provides a wide range of technology, Internet, e-commerce, and business services including business planning, formation, and financing, mergers and acquisitions, business litigation, data privacy, and domain name dispute resolution.  Additional information about the technology & data law firm and its technology & data attorneys may be found at www.klemchuk.com.
