In Recent Record Settlement with Uber, State Attorneys General Issue Clear Message: Sweep a Breach Under the Rug and It Will Cost You

You don’t have to be a user of its ride-sharing services to know that in 2016, Uber was the victim of a massive data breach involving the theft of personal information belonging to about 57 million of its riders and drivers, including names, phone numbers, and driver’s license information.

While disturbing and perhaps disappointing too, the fact that Uber suffered a breach is not, in and of itself, all that surprising.  At least, not in today’s climate where large breaches are reported on an almost daily basis.  What was surprising, however, is how Uber reacted.

Rather than implement its breach response plan and notify affected individuals as required under state law, and perhaps even offer credit monitoring as a showing of good faith, Uber did the unthinkable: it turned itself from the victim into the villain by actively concealing the breach and paying the cyber criminals $100,000 to keep them from disclosing any details.  What’s worse, Uber’s security officials apparently even kept the breach a secret from Uber’s own board members.  When it eventually discovered the breach, the board provided the required notice.  By that time, however, it was already too late.  More than a year had passed between the breach and the time notice was finally given.

Of course, this didn’t sit well with governmental authorities.  A breach that Uber initially thought it could keep under wraps for the hush sum of $100,000 ultimately turned out to be a $148 million liability.  That’s the amount of the settlement, announced on September 26, 2018, that will be paid by Uber in a deal stuck with all 50 states’ attorneys’ generals for failure to provide timely breach notification, including in violation of New York’s General Business Law Section 899-aa, which requires notice of a breach to be given “in the most expedient time possible and without unreasonable delay.”  And that settlement payment is just the start of it.  Uber also must, in accordance with the deal it struck, implement new data security policies, engage an outside professional to audit its security efforts on a regular basis, and implement any improvement recommendations that may be made by way of the auditing procedure.

What are the lessons from the Uber debacle? In today’s threat landscape, breaches, even huge ones, are a given. Certainly, an organization must prepare for them.  An organization must also commit itself to doing the right thing:  disclosing as required by law.  All too often, the response to a breach can be to protect one’s own job first or ignore what appears at first to be a small problem.  Addressing these tendencies head-on can help avoid the kind of self-preservation maneuvers seen at Uber.  Your employees must be empowered to speak up in relation to a breach, as well as understand the consequences to the organization if they don’t.  If an organization fails to address these challenges, the price tag may be much higher than any hush money or potential ransom paid to a threat actor.  As the Uber settlement has shown, the states mean business when it comes to proper notification, and they will band together to seek steep relief if you attempt to sweep a breach under the rug.

Attorney Advertising. Prior results do not guarantee a similar outcome. This publication is provided as a service to clients and friends of Harter Secrest & Emery LLP. It is intended for general information purposes only and should not be considered as legal advice. The contents are neither an exhaustive discussion nor do they purport to cover all developments in the area. The reader should consult with legal counsel to determine how applicable laws relate to specific situations. ©2018 Harter Secrest & Emery LLP