In one of the largest privacy settlements to date, the attorneys general from 50 states and the District of Columbia secured a $148 million settlement from their investigation into a November 2016 hack of driver data from Uber. As stated in a complaint filed by Iowa Attorney General Tom Miller, the investigation is a result of a 2016 hack of names and driver’s license information, where hackers accessed Uber information and then demanded payment to delete it. California Attorney General Xavier Becerra stated that the hackers demanded $100,000 to remain silent about the breach. According to Pennsylvania Attorney General Josh Shapiro, Uber did not report the breach until November 2017.

Attorneys general enforce data breach laws under two separate and distinct theories—data breach notification laws and laws prohibiting unfair and deceptive business practices—and both were present in this investigation.

Since the passage of the first data breach notification law by California in 2002, all states have now enacted data breach notification laws. Designed with an eye toward empowering consumers to take affirmative steps to protect themselves when their data has been compromised, application of these statutes does not require any intent or deceptive or unfair act on the part of a business. Rather, these statutes generally require companies to give notice to affected consumers within a set period of time. While conditions for what qualifies as a breach and the time periods for providing notice vary by state, the one-year delay between the ransom attack and the notice was clearly unacceptable to the attorneys general in this investigation.

In the lawsuit he filed as part of this investigation, Texas Attorney General Ken Paxton alleged that Uber violated the Texas Deceptive Trade Practices Act when it failed to implement reasonable security practices and failed to provide notice of the breach despite having made representations that consumers can “trust us with your information,” and that Uber “take[s] the security of your data seriously . . . [by using] technical safeguards like encryption, authentication, fraud detection, and secure software development to protect your information.” Deception cases under state laws usually do not require that the government show intent, but they do involve the government proving that the statements were material and likely to mislead a consumer.

As part of the settlement, Uber will have to:

  • Comply with state data breach and consumer protection laws;
  • Take precautions regarding data on third-party platforms;
  • Implement strict password policies for employees;
  • Develop and deploy an overall data security policy for all data that Uber collects;
  • Hire an outside third-party to assess and report on Uber’s data security efforts; and
  • Implement a corporate integrity program for employees to report issues that give them concern.

There are a few key takeaways for companies from this investigation. First, if you make any statements regarding your privacy policies and data security practices, you must follow through on them. The attorneys general were undoubtedly concerned by Uber’s statements that it could be trusted to handle private information. As to the notices, it is very important for companies to understand the full impact of their responsibilities in the event of a breach. The United States’ privacy laws are heavily dominated by the state-by-state patchwork of data breach notification laws. In the absence of an overarching privacy regime in the United States, state attorneys general take their roles in this space seriously. As mentioned above, the key goal under these laws is to get notice to consumers, and enforcers typically work well with companies that they see taking responsibility and taking action quickly.