Washington State Attorney General Bob Ferguson has filed a multi-million dollar consumer protection lawsuit against Uber, alleging thousands of violations of the state’s data breach notification law.
Uber discovered a 2016 data breach potentially affecting 57 million passengers and drivers around the world, including the names and driver’s license numbers of at least 10,888 Uber drivers in Washington. The ride-share company, however, didn’t notify the Attorney General’s Office of the breach until Nov. 21, 2017, roughly 372 days after it discovered the breach.
Under a 2015 amendment to the state’s data breach law, consumers must be notified within 45 days of a breach, and the Attorney General’s Office also must be notified within 45 days if the breach affects 500 or more Washingtonians. This is the first lawsuit filed under the revised statute.
“Washington law is clear: When a data breach puts people at risk, businesses must inform them,” Ferguson said. “Uber’s conduct has been truly stunning. There is no excuse for keeping this information from consumers.”
The complaint, filed today in King County Superior Court, alleges thousands of violations of Washington’s data breach law by failing to notify affected drivers and the Attorney General’s Office within 45 days of the breach.
The office argues each day Uber failed to report for each individual qualifies as a separate violation under the law. Ferguson’s lawsuit asks for civil penalties of up to $2,000 per violation, which should result in a penalty in the millions of dollars. The state also asks for recovery of its costs and fees.