Payment or Pillory: More Fallout from Uber’s Data Breach
With new developments regarding Uber Technologies Inc.’s 2016 data breach coming out almost daily, lawsuits against the company continue to pile-up. We previously reported that within days of Uber disclosing the data theft and its subsequent payment of $100,000 to the hackers ostensibly to delete the data, regulators from around the globe, including the U.S., EU, Mexico, Canada, Australia, and the Philippines, began investigations. As of this morning, Uber has already been hit with at least four class action lawsuits alleging that Uber failed to protect consumer data and notify consumers in a timely manner as required by various state laws, as well as lawsuits by the City of Chicago and the State of Washington.
One of the class action lawsuits takes Uber to task for its payment to the two hackers. The suit, filed last Tuesday in Illinois federal court, alleges violations of Illinois’ Consumer Fraud Act, negligence, breach of contract, invasion of privacy, and unjust enrichment. While including claims based on Uber’s alleged failure to properly safeguard its customers’ information, the complaint focuses in large part on Uber’s payment to the hackers to keep the breach quiet. One of the core allegations makes this plain:
“Rather than comply with its obligations to disclose such breaches and inform the public and regulators of what occurred, Uber allegedly paid the hackers behind the breach $100,000 in exchange for the criminals’ silence and assurance that they would delete the data. Uber covered up the payment by calling it a bug bounty, a legitimate payment to third parties to stress test the security of their systems. Uber continued to fail to inform affected consumers of the Security Breach for more than one year.”
This most recent suit leverages Uber’s payment of ransom to add another layer of conduct to each of its claims, and lays the groundwork for increased relief sought by the plaintiffs based on reckless or willful conduct.
While it remains to be seen whether Uber could or should have taken additional steps to safeguard its customers’ data, the larger question raised by this particular case—and Uber’s circumstances more generally—is what a business is to do when placed faced with a demand for ransom. One could argue that paying the criminals to delete or otherwise destroy the stolen data may benefit consumers by ensuring that the ill-gotten fruits of a data theft are not placed on the black market. But doing so will, no doubt, invite negative headlines, countless lawsuits, and intense regulatory scrutiny. Indeed, recent reports suggest that payoffs like Uber’s may be on the rise amongst businesses trying to mitigate public shaming, reputational damage, and regulatory action, especially in the case of a company such as Uber, which is currently trying to re-brand itself after several scandals and, at the same time, pushing to close a major financing deal with SoftBank.