How can decisions that a business makes before and after a data breach expose the business to a lawsuit by a government regulator?

A recent high-profile settlement between North Carolina Attorney General Josh Stein and the ride-sharing company Uber prompts this important question.

Dear Uber, we have your data

In November 2016, hackers emailed Uber and claimed to have found a major vulnerability in the company’s information security program. The hackers then stole a trove of sensitive personal information, including the names and driver’s license numbers of some 600,000 Uber drivers working throughout the country.

Uber identified and fixed the vulnerability, and then negotiated a deal with the hackers under which the hackers would delete the stolen data in exchange for $100,000.

At that point, Uber might have reported the breach to the affected drivers and state attorneys general under state breach notification laws like North Carolina’s Identity Theft Protection Act. But it didn’t.

Uber likely based that decision on the hacker’s promise to delete the data. After all, North Carolina’s breach notification statute, like some other states’, includes a so-called “risk of harm” trigger. Under N.C. Gen. Stat. § 75-61(14), a business need only report breaches “where illegal use of the personal information has occurred or is reasonably likely to occur” or there is otherwise “a material risk of harm to a consumer.”

About that data breach…

A year later, however, Uber decided to report the breach.  Its CEO explained that the original failure to do so had been a mistake, and that the individuals “who led the response” to the incident were no longer with the company.

Public outcry ensued. That outcry included class-action lawsuits and a coordinated investigation by the attorneys general of all 50 states.

Section 75-1.1 as settlement leverage?

On September 26, North Carolina Attorney General Josh Stein announced that Uber had agreed to a nationwide settlement with those attorneys general. Uber agreed to pay $148 million to the states, and to various other forms of injunctive relief designed to prevent similar breaches in the future.

As part of that settlement, Attorney General Stein’s office filed a complaint in Wake County Superior Court that detailed its allegations of wrongdoing against Uber.  Those allegations relied heavily on N.C. Gen. Stat § 75-1.1, and gave rise to both deception and per se claims.

The complaint first alleged that Uber deceived consumers by making forceful promises about its security program in the company’s privacy policy:

We take the security of your data seriously.  Uber uses technical safeguards like encryption, authentication, fraud detection, and secure software development to protect your information.  We also have an extensive team of data security and privacy experts working around the clock to prevent theft, fraud, or abuse of your information.

But the complaint alleged that Uber failed to implement and maintain reasonable security practices, as evidenced by the breach. Thus, its promises were likely to mislead consumers and constituted a deceptive practice under section 75-1.1.

Second, the complaint alleged that Uber’s failure to notify drivers in North Carolina of the breach when it was first discovered violated section 75-65 of the Identity Theft Protection Act. That statute requires a business to notify individuals “without unreasonable delay” after a company discovers a security breach.  And failing to do so constitutes a per se violation of section 75-1.1.

The parties also filed a consent judgment that resolved the Attorney General’s claims as part of the nationwide settlement.

Lessons for businesses

That settlement leaves unanswered some interesting questions. Could Uber have defended against the “failure to notify” claim based on the hackers’ assurances that they deleted the stolen data? Could it have beat the deception claim by showing that the vulnerability that led to the breach was an anomaly in an otherwise solid data security program?

We’ll never know the answers to those questions.  But under the circumstances, Uber’s defenses would have faced a steep uphill battle.

The Uber settlement still teaches at least two important lessons about how a business’s data security decisions can implicate section 75-1.1.

First, security promises in a privacy policy can provide a readily-available source for 75-1.1 claims premised on a deception theory after a data breach. A business should thus ensure that any privacy and security promises that appear in its policy are accurate and defensible—and that there’s a reason to make them in the first place.

Second, a decision not to report a North Carolina data breach—which can sometimes be appropriate given the “risk of harm” trigger in our statute—can (and almost certainly will) be second-guessed if the breach becomes public through other means. A business that decides not to notify should thus think carefully about whether it’s prepared to defend against a 75-1.1 claim if the breach ever comes to light.

The price for not asking that question—as Uber found out—can be painfully high.

Author: Alex Pearce