Big news out of the state of Pennsylvania. According to the Attorney General’s Office, thousands of Uber drivers were unaware of an alleged data breach. Did Uber owe a duty to private citizens to inform drivers of this?
On March 5, 2018, Pennsylvania Attorney General Josh Shapiro filed a lawsuit against Uber Technologies, Inc. for violating Pennsylvania’s data breach notification law. Uber knew for more than a year that a data breach potentially impacting 57 million passengers and drivers around the world had happened – but the company failed to disclose the breach until last November.
At least 13,500 Pennsylvania Uber drivers were impacted by the breach. Their first and last names and their drivers’ license numbers were stolen by hackers. Under Pennsylvania’s data breach notification law, Uber was required to notify impacted persons of the breach within a reasonable time frame, but the company failed its duty to do so.
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Attorney General Shapiro said. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and stay quiet. That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians.”
To learn more about the data breach, you may read the specifics here.