Data collectors have been struggling with the fact that they may be storing data that is subject to various local, state, and federal laws and regulations. Not to mention the fact that data collectors will soon need to also make sure they are complying with international regulations when necessary.  (European Union (EU) member states will begin enforcement of the General Data Protection Regulation (“GDPR”) on May 25, 2018.)

Data collectors are not the only ones who may be struggling with this patchwork of laws.  The agencies responsible for enforcing the various cyber security laws and regulations also have trouble determining exactly how the laws interact.  This is now the central question in a case pending before the Circuit Court of Cook County, Illinois, where Uber Technologies, Inc. (“Uber”) argues that the City of Chicago and the State Illinois lack authority to prosecute a data breach case against it.  Uber argues the authority to prosecute data breach cases (under Illinois state law) vests solely with the Illinois State Attorney General.

By way of background, in November of 2017, the City of Chicago and State of Illinois (“Plaintiffs”) filed a lawsuit entitled City of Chicago et al. v. Uber Technologies, Inc., Case No. 2017CH15594 (Nov. 28, 2017) based on allegations that “[f]or the past several years, Uber has repeatedly failed to protect the privacy of its customers’ and drivers’ personal information.”  More specifically, the plaintiffs assert Uber took steps to cover up its breach in an effort to avoid negative publicity.  In essence, this lawsuit brought to light allegations of two separate breaches at the transportation company and the potential cover-up of those breaches.

In the first breach, the plaintiffs assert that in 2014, Uber left personal information of more than 50,000 users vulnerable to hackers. In particular, the plaintiffs claim an Uber employee left Amazon Web Services login credentials exposed to the general public.  By September 17, 2014, Uber detected that its customers’ information had been accessed without authorization.  After the 2014 breach, Uber entered into a settlement agreement with the federal government where Uber agreed to fix vulnerabilities and create safeguards to protect against future breaches.

As for the second breach, the plaintiffs claim that despite making “basic corrections to its data security platform,” Uber suffered another data breach involving 57 million users in October 2016. The Complaint alleged this second breach was similar to the first breach in that customer data was exposed when hackers obtained their passwords from Uber.  While Uber put out a statement, the plaintiffs claimed Uber failed to inform the public that sensitive information may have been compromised, including drivers’ passwords, credit card and banking numbers and Social Security numbers.

Plaintiffs’ complaint seeks to enforce Chicago Municipal Code Section 2-25-090 which prohibits any “unlawful practice” under the Illinois Consumer Fraud and Deceptive Business Act (“ICFA”).  In particular, the Plaintiffs asserted that Uber violated the Illinois Personal Information Protection Act (“PIPA”) when it failed to notify Chicago residents of the breaches.

When this case was filed, the threshold issue appeared to be limited to questions related to the information Uber provided to the public (or withheld from the public) concerning the first and second breach.  Since that time, this case has taken a slightly different turn as Uber now argues in its motion to dismiss that it can only be prosecuted by the Illinois Attorney General and that the City of Chicago and the Cook County state’s attorney lacks standing to bring this action.  (A copy of Uber’s Reply filed in support of its Motion to Dismiss can be found here).

In particular, Uber frames the issue on its motion to dismiss as: “Are the City of Chicago and the Cook County State’s Attorney the proper parties to prosecute the claims asserted in the complaint, claims that the Attorney General of Illinois is investigating on behalf of the People of the State of Illinois?”  In answering its own question “no,” Uber further argues that if the City of Chicago and Cook County can prosecute these claims, then “nothing would stop a host of cities and all 102 county State’s Attorneys from pursuing the exact same claims against Uber on multiple fronts, simultaneously and on behalf of overlapping groups of constituents, even while the Attorney General…pursues the matter statewide.”

In short, Uber attempts to persuade the Court that the Plaintiffs’ claims must yield to the ongoing Attorney General investigation and that they cannot simply grant “the authority to enforce ICFA, notwithstanding that ICFA expressly reserves such public enforcement authority to the AG and, in limited circumstances, the State’s Attorneys.”

Uber is not arguing at this time that it properly handled these breaches or whether it violated Illinois law.  The parties have not reached the merits of the case yet.  Rather, Uber is merely arguing that the Illinois Attorney General has the sole authority to enforce ICFA and PIPA.  If Uber’s motion is successful, this action will be dismissed or stayed until the Attorney General’s investigation is complete.  The hearing on Uber’s motion to dismiss was held on April 27, 2018 and the court is currently considering Uber’s motion to dismiss. Of course, we will continue to follow all developments in this matter.

Outside the dispute between Uber and the State of Illinois in this matter, this decision may offer a glimpse into how courts address situations where multiple privacy laws could realistically apply to the same cyber incident.  In addition to seeing fewer municipalities attempt to create cyber security regulations, we may see a scenario where a court must decide a conflict of international, federal and state law just to get to the merits of a particular cyber case.  We can expect to see these issues before the courts until the various cyber security laws and governing bodies are harmonized.

The post Uber Claims Municipal Cyber Security Regulations Run Over State Attorney General’s Authority appeared first on Privacy Risk Report.

As the number of hacks and breaches increase in the news, people are not just becoming more accepting of data breaches, they are expecting to see data breaches. Now businesses are also expecting to see their competitors attempt to hack them.

For example, in early 2014, Uber discovered a breach involving the names and license numbers of nearly 50,000 drivers. By March 2014, Uber filed a lawsuit in the U.S. District Court for the Northern District of California against an unknown party related to the breach. In its Complaint, Uber claimed a “security key” was used without its authorization to gain access to its list of drivers. Count One of Uber’s Complaint, based on a violation of the Computer Fraud and Abuse Act, seeks damages for the unauthorized access to Uber’s driver database. Count Two of Uber’s Complaint, based on alleged violations of California’s penal code, seeks damages for the theft of information from Uber’s proprietary database. As this case proceeds through court, the unknown defendant, identified as “Subscriber,” filed various documents under seal. It appears the litigation will continue for a while as the court recently held that it was “reasonably likely” that Uber’s investigation would uncover the identity of the party referred to as “Subscriber.” The court has set a case management hearing for January 28, 2016.

While the Uber litigation does not mention Lyft in the allegations, recent information indicates Uber expects to find Lyft to be the source of the hack. In addition to Uber’s lawsuit, this breach has also spurred a investigation by the U.S. Department of Justice (DOJ). The DOJ has found that the source of the breach may be traced back to Uber’s main competitor, Lyft. Access to the compromised driver database was found on GitHub, a code-development website. After being contacted by Uber, GitHub determined only one IP address associated with the Uber hack that did not belong. Specifically, Reuters reports that Lyft’s technology chief, Chris Lambert, may have had his internet address come up in the investigation of the breach.

This is not the first time these two companies have been found competing outside the car-service apps. For example, Uber’s “playbook” for sabotaging Lyft was published online in August 2014. Uber has been accused of having its employees order and cancel rides and recruiting Lyft drivers in an effort to slow Lyft’s growth in new markets.

Secondly, consumers are expecting to see more hacks from the businesses they deal with. In addition to the privacy issues created by this litigation related to Uber drivers, there are also questions as to whether hacks at Uber and Lyft are compromising the safety of customers. For example, it has been recently reported that a “Rogue Lyft Driver” became angry when a woman in Chicago refused a ride. In a recent Facebook post, a Lyft customer described the following incident:

My driver was supposed to be an older black woman in an SUV. I got the notification saying my driver arrived. Went up the car window to check that the driver matched the picture and saw it was a man in his 40s. Car was different too. As I turned away to go back inside, he said, “Brittany? Get in the car!” I said, “You’re not my driver. I’m going inside.” But he kept shouting that “it doesn’t matter” and to get in the car. “I can drive you.”

About 10 seconds later, my actual Lyft driver, the woman, pulls up and asks what’s going on and who he is. At that point, the man speeds away. I leave eventually with the original woman and the man comes back and follows us for two or three blocks before we lose him at a light.

The Lyft customer believes the “rogue” driver may have hacked into the Lyft app and saw she was looking for a driver. Denying a hack of its system, Lyft has responded that the “Rogue Driver” showed up because the Lyft customer cancelled the low-rated driver before placing an order for the second Lyft driver. Even if this incident turns out to be unrelated to a hack, it demonstrates that Lyft customers are considering hacks as part of the marketplace when using technology.

Consequently, cybersecurity is now a consideration in how businesses interact with competitors, as well as how they deal with customers. The Uber incident demonstrates that businesses expect competitors to attempt to hack them. Likewise, the “Rogue Driver” situation, even if it was not caused by a hack or a breach, shows that consumers are prepared and actually expect to see businesses hacked.

The post Uber and Lyft Demonstrate How Cybersecurity Changes the Way Businesses Deal With Each Other and Customers appeared first on Privacy Risk Report.