The legal fallout from ridesharing service Uber's 2016 data breach, which affected approximately 57 million riders and drivers, has been significant.
In November, the Washington State Attorney General filed a lawsuit seeking $2,000 per violation for each Washington resident who did not receive adequate notice from Uber. In the same month, Chicago filed a similar lawsuit seeking at least $3.65 million in fines. Now Uber faces a lawsuit in Pennsylvania seeking $13.5 million for inadequate breach notification.
The Pennsylvania Attorney General's lawsuit alleges that Uber failed to notify affected Pennsylvania residents and the state attorney general's office in a timely manner, as Pennsylvania's data breach notification law requires. The suit further argues that Uber concealed the incident for more than a year while it paid the criminals responsible for the breach to delete the data and stay quiet.
The Uber breach underscores every company's need to prepare a risk-based response to cybersecurity incidents, including those that rise to the level of a data breach. Companies must act quickly, and they should weigh the legal consequences of not notifying affected individuals, or of delaying notification. Timely notification is often in tension with the need to fully understand a breach and its scope, and many states' breach notification laws recognize this by allowing notification to be delayed while the breach is investigated. That allowance covers the time needed to determine the scope of the breach and restore the affected systems; it is not an open-ended license to stay silent.
In fact, many state breach notification statutes build in a risk-based approach. Under Michigan's statute, for example, a company must notify any individual whose personal information was subject to unauthorized access unless the breach is not likely to cause substantial loss or injury to, or result in identity theft for, the affected individuals. A company relying on such an exception should actually perform that assessment and be able to show how it reached its conclusion. A breach response plan should address other risks as well, including the risk to the company's reputation among customers, vendors, partners, and employees.