Uber’s technology and business plan has consistently presented a number of interesting privacy issues. Another interesting privacy issue involving Uber came to light on November 28, 2017 when the City of Chicago and Illinois (“plaintiffs”) filed their Complaint in a case entitled City of Chicago et al. v. Uber Technologies, Inc., Case No. 2017CH15594 (Nov. 28, 2017). The Complaint is based on allegations that “[f]or the past several years, Uber has repeatedly failed to protect the privacy of its customers’ and drivers’ personal information.” More specifically, the plaintiffs assert Uber took steps to cover up its breach in an effort to avoid negative publicity. This case, regardless of whether the allegations are proven, should cause “data collectors” to consider what information they are putting (or not putting) out concerning any incidents prior to notification of the incident.
The First Breach
The plaintiffs assert that in 2014, Uber left personal information of more than 50,000 users vulnerable to hackers. In particular, the plaintiffs claim an Uber employee left Amazon Web Services login credentials exposed to the general public. By September 17, 2014, Uber detected that its customers’ information had been accessed without authorization. After the 2014 breach, Uber entered into a settlement agreement with the federal government where Uber agreed to fix vulnerabilities and create safeguards to protect against future breaches.
The Second Breach
Despite making “basic corrections to its data security platform,” Uber suffered another data breach involving 57 million users in October 2016. The Complaint alleges this Second Breach was similar to the First Breach in that customer data was exposed when hackers found exposed passwords. While Uber put out a statement, the plaintiffs claim Uber failed to inform the public that sensitive information may have been compromised, including drivers’ passwords, credit card and banking numbers and Social Security numbers.
The Alleged Cover-Up
The Complaint further asserts that after the second breach, “Uber opted to cover up the breach, both inside and outside the company.” The plaintiffs contend that, in order to avoid “negative public attention, Uber paid hackers $100,000 to delete the data based on the hackers’ agreement to never speak publicly of the incident.” The plaintiffs claim the alleged cover-up came to light because “criminal hackers couldn’t possibly be trusted to protect user data” and they ultimately disclosed the breach. The Complaint states that “Uber went so far as to even track down the criminal hackers and enter into nondisclosure agreements with them as if they were common business partners…” Further, the plaintiffs claim Uber made this payment so that it appeared to be related to its “bug bounty program” rather than a ransom payment. The Complaint asserts “[t]his concealment kept riders, drivers, and government agencies in the dark for over a year about Uber’s substandard security practices…”
The alleged cover-up continued until November 21, 2017, when Uber’s Board of Directors investigated the practices of Uber’s security team. Uber has still not disclosed this incident to its customers or drivers.
The Plaintiffs’ Causes Of Action And Violations Of Illinois’ Personal Information Protection Act (“PIPA”)
Plaintiffs first seek a recovery under Chicago Municipal Code Section 2-25-090 which prohibits any “unlawful practice” under the Illinois Consumer Fraud and Deceptive Business Act (“ICFA”). In this regard, the plaintiffs claim “Uber intended that the public, including Chicago residents, rely on its deceptive representations and communications regarding the security of their personal information.” The plaintiffs also claim Uber violated the Illinois Personal Information Protection Act (“PIPA”) when it failed to notify Chicago residents of the breaches. Based on ten causes of action, the plaintiffs request the court fine Uber $10,000 for each day the Chicago Municipal Code was violated, $50,000 for violating the ICFA and $10,000 for each violation “involving an Illinois resident 65 years of age or older for each day such violation has existed and continues to exist.”
“Data Collectors” Must Put Thought Into Response If It Is Unclear If Formal Notification Is Necessary
This case, while only in the pleading stages, signals a shift in considerations for “data collectors” when responding to an incident. First, if the allegations are true, they make clear that paying off hackers and disguising the payment as a legitimate expense should be avoided. Beyond this alleged payment, these allegations demonstrate the difficult balance between providing information to the public and not unnecessarily causing negative publicity. For example, it is alleged that Uber put out a blog post in response to the 2016 incident that failed to address all the information that may have been compromised in the breaches. The Complaint refers to this blog post as being “notably vague.” Therefore, even if it is shown that Uber did not intentionally cover up these incidents, these allegations against Uber provide a reminder that a “data collector’s” response can create additional liability beyond the incident itself.