It's been quite a week for Uber as the lawsuits from its recent high-profile breach keep on coming. The popular ride-hailing company has been under fire ever since it was disclosed that the company took more than a year to notify consumers of a breach, after which it allegedly paid hackers $100,000 to keep the attack quiet.
The hack reportedly affected 57 million people worldwide and exposed names and driver's license numbers of some 600,000 drivers in the United States.
First, on Monday, the city of Chicago and Cook County filed a lawsuit asking the court to fine Uber $10,000 a day for each violation of a consumer's privacy. The suit contends Uber took much too long to report the breach.
Next, on Tuesday, Washington State Attorney General Bob Ferguson filed a consumer protection lawsuit against Uber, asking for penalties of up to $2,000 per violation. The lawsuit alleges that at least 10,888 Uber drivers in Washington were breached, so the lawsuit could result in millions of dollars of penalties.
On top of the two lawsuits from state and local governments, Uber has also been hit with two class-action lawsuits. Both cases were filed last week. The first, Alejandro Flores v. Raiser, was filed in federal court in Los Angeles. The second lawsuit, Danyelle Townsend and Ken Tew v. Uber, was filed in federal court in San Francisco.
Multiple state governments also say that they are conducting investigations into the Uber breach. Dark Reading has confirmed ongoing investigations by the states of Connecticut, Massachusetts, Missouri, and New York.
The lawsuit by the state of Washington was seen as significant because it was the first lawsuit against Uber filed by a state government. Under a 2015 amendment to the state's data breach law, consumers must be notified within 45 days of a breach, and the Attorney General's office also must be notified within 45 days if the breach affects 500 or more Washington residents. Tuesday's lawsuit was the first one filed under the revised statute.
"Washington law is clear: When a data breach puts people at risk, businesses must inform them," Ferguson said in a press release. "Uber's conduct has been truly stunning. There is no excuse for keeping this information from consumers."
Craig Spiezle, chairman emeritus of the Online Trust Alliance, says the Uber case may spark renewed calls for national data breach legislation. In the past, there's been a general consensus for such a measure because companies must grapple with the cost of handling the compliance requirements of 48 separate state data breach laws.
"The European Union has a data breach notification requirement of 72 hours," says Spiezle, who worked closely with Attorney General Ferguson on the data breach law in Washington. "While three days is really not enough time, I think Washington's 45-day law is very generous. I've actually been on the record calling for a notification period of 10 days."
The last time the federal government talked seriously about national data breach legislation was in early 2015. At the time, the Obama administration called for a notification period of 30 days. Legislation sponsored that year by Sen. Tom Carper (D-Del.) and Sen. Roy Blunt (R-Mo.) would have required companies to notify federal agencies and consumers of a breach that affects more than 5,000 consumers. Few other details were released, such as which agencies companies should report to first, the Department of Homeland Security or the FBI, and the issue slowly died as the 2016 election year morphed into 2017, the nation's first under the Trump administration.
In response to this most recent Uber case, Sen. Richard Blumenthal (D-Conn.) last week called for the Federal Trade Commission to investigate the Uber breach and impose strict penalties. And Sen. Mark Warner (D-Va.) has expressed support for national data breach legislation. A spokesman for Sen. Warner would offer no new details and would only say national data breach legislation "continues to be a top priority" for the senator.
Efforts to reach Sen. John Thune (R-S.D.) were unsuccessful. Sen. Thune chairs the Senate's Commerce, Science and Transportation committee, which could potentially play an important role in any national data breach legislation.