Presented by the Privacy and Data Security Practice Group

Legal Updates for Privacy and Data Security - March 2018

Uber Sued by Pennsylvania State Attorney General Over Unreasonably Late Data Breach Notification

By David J. Shannon, Esquire

This week the Pennsylvania State Attorney General's Office filed a lawsuit against car sharing business Uber for violating the state's mandatory data breach notification law. In November 2017, Uber belatedly disclosed that hackers had accessed up to 57 million accounts for its drivers and riders throughout the world. The hackers accessed a back-up file with this information. Despite knowledge of the breach, Uber did not notify the public for over a year. Uber later acknowledged that it paid a $100,000 bug bounty or extortion payment to two individuals to delete the data, and not publicly disclose the incident. 

At least 13,500 Uber drivers in Pennsylvania were affected. Pursuant to Pennsylvania's data breach statute, the Commonwealth can seek $1,000.00 per person for the unauthorized access to their information leading to a maximum civil penalty of up to $13.5 million.

Pennsylvania Attorney General Josh Shapiro had strong words for Uber when he stated that the incident demonstrated outrageous corporate conduct and he was suing to hold them accountable for all Pennsylvanians.

Uber has acknowledged the breach and that they handled the matter poorly. However, the company has always pointed out that no sensitive consumer information such as social security numbers or credit card numbers were compromised. The Pennsylvania Attorney General pointed out the fact that driver's license information was accessed which could be used for identity theft. 

This lawsuit demonstrates that state data breach statutes must be properly complied with and that failure to publicly acknowledge a breach can have serious consequences for a business entity. Proper privacy and data breach insurance, along with appropriate privacy counsel, can ensure that companies do not violate state statutes in their response and can help minimize the potential fines, penalties and lawsuits that may arise as a result of an incident.


The material in this law alert has been prepared for our readers by Marshall Dennehey Warner Coleman & Goggin. It is solely intended to provide information on recent legal developments, and is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. We welcome the opportunity to provide such legal assistance as you require on this and other subjects. To be removed from our list of subscribers who receive these complimentary Privacy and Data Security updates, please contact If however you continue to receive the alerts in error, please send a note to 

ATTORNEY ADVERTISING pursuant to New York RPC 7.1
© 2018 Marshall Dennehey Warner Coleman & Goggin. All Rights Reserved.