Last week, Pennsylvania’s Attorney General sued Uber for allegedly failing to provide timely notice to its drivers that their personal identifying information (“PII”) had been compromised in a data breach in 2016.  The lawsuit seeks $13.5 million in penalties against Uber—$1,000 for each of the 13,500 Pennsylvanian Uber drivers whose driver’s license information was accessed by hackers.  The complaint alleges that, in violation of Pennsylvania’s data breach notification law,[1] Uber failed to provide notice “without unreasonable delay” to the affected drivers, instead paying the hackers to allegedly “delete the data and stay quiet.”  A second claim in the lawsuit against Uber alleges the company’s conduct violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law.

The lawsuit is the latest in a series of such suits brought against Uber by state and city governments following its announcement that it had suffered a data breach in 2016, which involved hackers accessing the names, email addresses and phone numbers of 50 million riders and 7 million drivers and the driver’s license numbers of approximately 600,000 U.S. drivers.  One of the lessons of Uber’s experience is that, if a company decides to make a “ransom payment” to a hacker who has accessed PII or other sensitive data, it does not necessarily relieve the company of making any required notifications under state and federal breach notification statutes and regulations.

Click here to view the new complaint against Uber.

[1] 73 P.S. § 2301, et seq.