On Tuesday, Uber’s new CEO, Dara Khosrowshahi, disclosed that in late 2016, hackers got hold of personal data belonging to 57 million Uber drivers and riders. Uber did not report the incident to riders or drivers when it occurred, Khosrowshahi said. As Reuters reported Wednesday, the company paid the hackers $100,000 in exchange for their assurances the stolen data would be destroyed.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in his blog post about the breach.
Those are the sort of words that set class action plaintiffs’ lawyers’ hearts racing. Predictably, within hours of Uber’s announcement, Uber was hit with a class action claiming its drivers and passengers are at risk of fraud and identity theft as a result of the company’s negligence. The suit was filed in federal court in Los Angeles by the Wilshire Law Firm, which bills itself as a specialist in personal injury litigation.
Uber will undoubtedly reap ill consequences from its admitted mishandling of the 2016 hack. Regulators around the world are already investigating whether the company violated consumer protection laws that, in many instances, require disclosure of data breaches. Drivers and riders may decide to bail on the embattled company if they don’t trust Uber to keep their personal information secure.
But however bad the optics of the breach and Uber’s initial response to it, the company probably does not face crippling exposure in a data breach class action, according to two prominent data breach plaintiffs' lawyers I interviewed on Wednesday.
In part, that’s because Uber may be able to squelch cases at the outset because of a clause in its contracts with drivers and riders. But it’s also because of the way data breach victims have obtained damages in litigation against companies that have been hacked.
“The way data breach class actions are framed right now, conduct doesn’t matter terribly much,” said plaintiffs' lawyer Jay Edelson.
The first obstacle for Uber drivers and riders, according to Edelson and another data breach class action lawyer, Douglas McNamara, will be the company’s arbitration clause in its contracts with drivers and passengers. As the 2nd U.S. Circuit Court of Appeals discussed last summer in a ruling in an antitrust class action against Uber, the company requires riders to agree to waive their right to go to court in order to sign up for the ride-sharing app. The company also asks drivers to agree to arbitrate any claims against the company, although it allows drivers to opt not to accept the class action waiver.
The credit services company Equifax faced a barrage of criticism over a mandatory arbitration clause in its offer of credit monitoring to consumers affected by the breach of its data security system. Like Uber, Equifax failed to immediately disclose that personal information had been exposed to hackers. After it announced the breach, the company offered free credit monitoring to U.S. consumers worried about identity theft – but the offer’s terms of service appeared to require consumers to forfeit the right to go to court. Equifax later said it would not invoke the arbitration clause to kill off data breach class actions against it.
Uber does face some risk if it attempts to evade litigation by citing its arbitration clauses, said Edelson: State and federal regulators in the U.S. may be more likely to take action if consumers cannot sue on their own. Edelson said he believes Equifax’s arbitration provision helped prompt government entities including Chicago and Massachusetts to sue the company, even though Equifax said the clause would not foreclose consumer suits.
The Equifax breach provides a useful comparison to explain Uber’s exposure. Edelson told me that based on early accounts, Uber did a worse job than Equifax in protecting personal information and responding once hackers accessed it. But those factors, he said, don’t determine a defendant’s potential liability to victims of the breach.
Damages in data breach class actions are instead driven by the kind of personal information that was stolen and the ensuing risk to victims of identity theft, said McNamara.
When the health insurer Anthem was hacked, for instance, the breach exposed names, addresses, social security numbers, health records and even financial information – everything an identity thief might need. In that case, Anthem agreed to a settlement plaintiffs’ lawyers valued at $119 million.
By contrast, hackers who breached security at Home Depot and Target accessed only names, addresses and credit card data. Tens of millions of consumers were exposed in the breaches, but their damages were minimal. The consumer data breach class action against Home Depot settled for $13 million. The private consumer case against Target settled for $10 million.
According to Uber, hackers obtained limited information about its customers – just their names, email addresses and cellphone numbers. The company also said that its forensic experts “have not seen any indication” that more sensitive data like credit card numbers, bank account information, Social Security numbers or even riders’ birthdays were exposed. Uber also said it has not seen evidence that its customers’ data has been misused.
So it will be difficult for class action lawyers to argue Uber riders are at such increased risk of identity theft that they’re due compensation. Uber, meanwhile, can argue that passengers don’t meet threshold requirements to sue in federal court because they can’t show they were or are even likely to be harmed by the breach.
Uber’s class action defense, weirdly enough, could end up benefiting from the delay in reporting the hack. Data breach defendants often argue that plaintiffs can’t trace misuse of their personal information back to any particular breach in data security. This year’s Equifax hack exposed data on more than 150 million people. Inevitably, a lot of those people are also Uber riders. Uber’s lawyers can try to shift blame to Equifax (or other companies that experienced 2017 data breaches) for misuse of information.
State laws mandating disclosure of data breaches aren’t a viable alternative for class action plaintiffs, according to McNamara. Unlike many federal consumer protection statutes, which allow private plaintiffs to bring class actions aggregating per-violation penalties, most of the state laws do not include monetary penalties. Without such statutory damages, McNamara said, state disclosure laws are toothless.
In the long run, as I’ve written, class actions – at least under prevailing damages theories – may simply not be the optimal way to redress data breaches. “Class actions have failed in the data breach context,” Edelson said. “Uber may end up with more exposure on the government end.”
(This post has been corrected to remove attribution to a second lawyer in paragraph 11.)