State Of Washington Sues Uber For Alleged Data Breach Law Violations
Wednesday, November 29, 2017
The Office of the Attorney General (AG) for Washington State has filed a lawsuit against Uber, the popular ride-sharing company, for alleged violations of the state's data breach laws. The AG's office explained in a press release:
"Under a 2015 amendment to the state’s data breach law requested by AG Bob Ferguson, consumers must be notified within 45 days of a breach, and the Attorney General’s Office also must be notified within 45 days if the breach affects 500 or more Washingtonians. This is the first lawsuit filed under the revised statute... Uber notified the Attorney General’s Office of the breach Nov. 21, 2017, roughly 372 days after it discovered the breach. Rather than reporting the breach as required by law, the company has admitted to paying the hackers to destroy the stolen data."
The massive data breach affected 57 million users, including both riders and drivers. This is critical because:
"... the hackers also obtained the names and driver’s license numbers of about 7 million drivers for the company. About 600,000 of those drivers live in the United States, and at least 10,888 live in Washington... The [AG's] office argues each day Uber failed to report for each individual qualifies as a separate violation under the law. Ferguson’s lawsuit asks for civil penalties of up to $2,000 per violation, which should result in a penalty in the millions of dollars. The state also asks for recovery of its costs and fees."
Important information for residents of Washington State:
"Washington has two data breach laws: One applying to individuals and businesses, the other for local and state government agencies. The laws are essentially the same and require notification to Washingtonians at risk of harm because of a security breach that includes personal information, meaning someone’s name and any of the following: a) Social Security number; b) Driver’s license number or Washington identification card number; or c) Bank account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s account."
Since 48 states have data breach notification laws, I expect many more lawsuits. (Consumers in Alabama and South Dakota might ask their elected officials why their states don't have laws requiring notice.) When a company intentionally decides not to comply with states' laws, there must be consequences. Corporate executives must be held accountable for their actions and decisions, especially when they negatively affect consumers.
What are your opinions?
More bad news. The Guardian reported:
"Uber has admitted that 2.7 million people in the UK were affected by a 2016 security breach that compromised customers’ information, including names, email addresses and mobile phone numbers. The ride-hailing company had previously disclosed that 57 million people worldwide were affected by a breach that it covered up for more than a year. It published an estimate of the number of UK drivers and passengers for the first time, prompting concern from the mayor of London, where Uber is already battling a decision to revoke its license to operate."
https://www.theguardian.com/technology/2017/nov/29/uber-security-breach-london-sadiq-khan-users
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Thursday, November 30, 2017 at 12:36 PM