Uber’s Recent Legal Troubles Highlight the Importance of Being Transparent About a Data Breach
TechLawLogy™: eDiscovery and Privacy Blog
For any company that maintains the personal information of its customers, a data breach is one of the worst imaginable things that can happen. A data breach can have a devastating impact on consumer trust and can expose the company to many liabilities. However, the recent legal troubles of Uber, the ride-sharing company, have highlighted the importance of being transparent with the public about a data breach. Uber’s failure to disclose a data breach from October 2016 now threatens to engulf the company in a slew of lawsuits and government investigations.
Uber failed to disclose an October 2016 data breach that compromised the personal information of its users and drivers.
In October 2016, hackers infiltrated a third-party cloud service that contained the names, email addresses, and phone numbers of millions of Uber users. The hackers also gained access to the license numbers of approximately 600,000 Uber drivers. It was not until last month that Uber finally disclosed the hack to the public. While a data breach already presents a public relations crisis for any company, this particular breach has proven to be more painful for Uber because of the company’s own actions. On top of the breach, it was revealed that Uber paid the hackers $100,000 to delete any stolen data and keep quiet about the incident.
Even more troublesome for Uber is that it may have breached the terms of an August 2017 consent order settling prior charges brought by the Federal Trade Commission (“FTC”). The consent order was in relation to an almost identical breach that occurred in 2014, compromising the data of Uber users and drivers. As part of the consent order, Uber agreed to implement a comprehensive privacy program and consent to regular audits. More problematic for Uber’s current situation is that the company also agreed to refrain from making misrepresentations regarding the privacy of the personal data of its users and drivers. By failing to disclose the October 2016 data breach, Uber may have already violated this provision of the consent order.
Uber is now facing the stark reality that it will have to fend off countless legal battles because of its failure to report the breach. Several class-action lawsuits have already been filed against the company for violating various state statutes requiring companies to notify customers of a data breach. Attorneys general from at least five states around the country have also signaled that they are investigating the breach and may take action against Uber. Further, the company faces renewed inquiries by the FTC and possible findings that it violated the consent order. Some Uber executives involved in covering up the breach, many of whom have since departed the company, could face criminal charges for lying to the FTC in negotiating the consent order. The company may even face legal troubles abroad, as several countries have expressed disdain over Uber’s failure to disclose the data breach.
Transparency is key when dealing with the fallout of a data breach.
The lesson to be learned from Uber’s situation is clear: failing to disclose a data breach that compromised customers’ personal information can have grave consequences. The disclosure of this information will never be an easy conversation to have with your customer base. Yet the legal quagmire in which Uber now finds itself stands to illustrate the importance of being transparent. Transparency can help a company to avoid the same legal pitfalls that now plague Uber and may mitigate the damage to consumer confidence. Should your company ever experience a data breach, you should immediately consult with a lawyer to determine whether and to what extent the breach should be disclosed.