Data collectors have been struggling with the fact that they may be storing data that is subject to various local, state, and federal laws and regulations. [1] Not to mention the fact that data collectors will soon need to also make sure they are complying with international regulations when necessary. (European Union (EU) member states will begin enforcement of the General Data Protection Regulation (“GDPR”) on May 25, 2018 [2].)
Data collectors are not the only ones who may be struggling with this patchwork of laws. The agencies responsible for enforcing the various cyber security laws and regulations also have trouble determining exactly how the laws interact. This is now the central question in a case pending before the Circuit Court of Cook County, Illinois, where Uber Technologies, Inc. (“Uber”) argues that the City of Chicago and the State Illinois lack authority to prosecute a data breach case against it. Uber argues the authority to prosecute data breach cases (under Illinois state law) vests solely with the Illinois State Attorney General.
By way of background, in November of 2017, the City of Chicago and State of Illinois (“Plaintiffs”) filed a lawsuit entitled City of Chicago et al. v. Uber Technologies, Inc., Case No. 2017CH15594 (Nov. 28, 2017) [3]based on allegations that “[f]or the past several years, Uber has repeatedly failed to protect the privacy of its customers’ and drivers’ personal information.” More specifically, the plaintiffs assert Uber took steps to cover up its breach in an effort to avoid negative publicity. In essence, this lawsuit brought to light allegations of two separate breaches at the transportation company and the potential cover-up of those breaches.
In the first breach, the plaintiffs assert that in 2014, Uber left personal information of more than 50,000 users vulnerable to hackers. In particular, the plaintiffs claim an Uber employee left Amazon Web Services login credentials exposed to the general public. By September 17, 2014, Uber detected that its customers’ information had been accessed without authorization. After the 2014 breach, Uber entered into a settlement agreement with the federal government where Uber agreed to fix vulnerabilities and create safeguards to protect against future breaches.
As for the second breach, the plaintiffs claim that despite making “basic corrections to its data security platform,” Uber suffered another data breach involving 57 million users in October 2016. The Complaint alleged this second breach was similar to the first breach in that customer data was exposed when hackers obtained their passwords from Uber. While Uber put out a statement, the plaintiffs claimed Uber failed to inform the public that sensitive information may have been compromised, including drivers’ passwords, credit card and banking numbers and Social Security numbers.
Plaintiffs’ complaint seeks to enforce Chicago Municipal Code Section 2-25-090 which prohibits any “unlawful practice” under the Illinois Consumer Fraud and Deceptive Business Act (“ICFA”). In particular, the Plaintiffs asserted that Uber violated the Illinois Personal Information Protection Act (“PIPA”) when it failed to notify Chicago residents of the breaches.
When this case was filed, the threshold issue appeared to be limited to questions related to the information Uber provided to the public (or withheld from the public) concerning the first and second breach. Since that time, this case has taken a slightly different turn as Uber now argues in its motion to dismiss that it can only be prosecuted by the Illinois Attorney General and that the City of Chicago and the Cook County state’s attorney lacks standing to bring this action. (A copy of Uber’s Reply filed in support of its Motion to Dismiss can be found here) [4].
In particular, Uber frames the issue on its motion to dismiss as: “Are the City of Chicago and the Cook County State’s Attorney the proper parties to prosecute the claims asserted in the complaint, claims that the Attorney General of Illinois is investigating on behalf of the People of the State of Illinois?” In answering its own question “no,” Uber further argues that if the City of Chicago and Cook County can prosecute these claims, then “nothing would stop a host of cities and all 102 county State’s Attorneys from pursuing the exact same claims against Uber on multiple fronts, simultaneously and on behalf of overlapping groups of constituents, even while the Attorney General…pursues the matter statewide.”
In short, Uber attempts to persuade the Court that the Plaintiffs’ claims must yield to the ongoing Attorney General investigation and that they cannot simply grant “the authority to enforce ICFA, notwithstanding that ICFA expressly reserves such public enforcement authority to the AG and, in limited circumstances, the State’s Attorneys.”
Uber is not arguing at this time that it properly handled these breaches or whether it violated Illinois law. The parties have not reached the merits of the case yet. Rather, Uber is merely arguing that the Illinois Attorney General has the sole authority to enforce ICFA and PIPA. If Uber’s motion is successful, this action will be dismissed or stayed until the Attorney General’s investigation is complete. The hearing on Uber’s motion to dismiss was held on April 27, 2018 and the court is currently considering Uber’s motion to dismiss. Of course, we will continue to follow all developments in this matter.
Outside the dispute between Uber and the State of Illinois in this matter, this decision may offer a glimpse into how courts address situations where multiple privacy laws could realistically apply to the same cyber incident. In addition to seeing fewer municipalities attempt to create cyber security regulations, we may see a scenario where a court must decide a conflict of international, federal and state law just to get to the merits of a particular cyber case. We can expect to see these issues before the courts until the various cyber security laws and governing bodies are harmonized.