Legal Updates for Privacy and Data Security

March 16, 2018
Presented by the Privacy and Data Security Practice Group

Uber Sued by Pennsylvania State Attorney General Over Unreasonably Late Data Breach Notification

By David J. Shannon, Esquire

This week the Pennsylvania State Attorney General's Office filed a lawsuit against car sharing business Uber for violating the state's mandatory data breach notification law. In November 2017, Uber belatedly disclosed that hackers had accessed up to 57 million accounts for its drivers and riders throughout the world. The hackers accessed a back-up file with this information. Despite knowledge of the breach, Uber did not notify the public for over a year. Uber later acknowledged that it paid a $100,000 bug bounty or extortion payment to two individuals to delete the data and not publicly disclose the incident.

At least 13,500 Uber drivers in Pennsylvania were affected. Pursuant to Pennsylvania's data breach statute, the Commonwealth can seek $1,000.00 per person for the unauthorized access to their information, leading to a maximum civil penalty of up to $13.5 million.

Pennsylvania Attorney General Josh Shapiro had strong words for Uber, stating that the incident demonstrated outrageous corporate conduct and that he was suing to hold the company accountable for all Pennsylvanians.

Uber has acknowledged the breach and that it handled the matter poorly. However, the company has always pointed out that no sensitive consumer information such as social security numbers or credit card numbers was compromised. The Pennsylvania Attorney General pointed out that driver's license information was accessed, which could be used for identity theft.

This lawsuit demonstrates that businesses must properly comply with state data breach statutes and that failure to publicly acknowledge a breach can have serious consequences for a business entity. Proper privacy and data breach insurance, along with appropriate privacy counsel, can ensure that companies do not violate state statutes in their response and can help minimize the potential fines, penalties and lawsuits that may arise as a result of an incident.


The material in this law alert has been prepared for our readers by Marshall Dennehey Warner Coleman & Goggin. It is solely intended to provide information on recent legal developments, and is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. We welcome the opportunity to provide such legal assistance as you require on this and other subjects.

ATTORNEY ADVERTISING pursuant to New York RPC 7.1
© 2018 Marshall Dennehey Warner Coleman & Goggin. All Rights Reserved.

Affiliated Attorney

David J. Shannon
Chair, Privacy and Data Security
(215) 575-2615
