Opinion articles provide independent perspectives on key community issues, separate from our newsroom reporting.

Editorials

Walla Walla Union Bulletin: State AG right to hold Uber accountable

By the Walla Walla Union-Bulletin
Washington state Attorney General Bob Ferguson has announced that his office is suing Uber for waiting a year to come clean about a data breach. It’s estimated that about 11,000 Washington state Uber drivers had data compromised.
Washington state Attorney General Bob Ferguson has announced that his office is suing Uber for waiting a year to come clean about a data breach. It’s estimated that about 11,000 Washington state Uber drivers had data compromised. Dreamstime TNS

Uber — the ride-sharing service that’s put a dent into the nation’s taxi business — recently announced that more than a year ago it was hacked, resulting in the personal data for about 57 million customers and Uber drivers being stolen. But, according to several media reports, Uber paid the hackers $100,000 to delete the data and pushed them to keep the theft secret.

So, is this a case of — to borrow a phrase from a pickup basketball game — no harm, no foul?

Not in the mind of Washington state Attorney General Bob Ferguson, who announced last week that his office is suing Uber for waiting a year to come clean about the data breach. It’s estimated that about 11,000 Washington state Uber drivers had data compromised.

“Washington law is clear: When a data breach puts people at risk, businesses must inform them,” Ferguson said. “Uber’s conduct has been truly stunning. There is no excuse for keeping this information from consumers.”

Ferguson is correct. If Uber’s lapse in judgment and ignoring the law is allowed to stand, other companies could see it as an invitation to do the same. But ceding to the blackmail demands of hackers will serve only to spur more hacking.

And all of this leaves consumers vulnerable to having their data — driver’s license numbers, for example — used for theft or other crimes.

Washington law requires both affected consumers and the Attorney General’s Office to be notified within 45 days of the breach. Uber waited more than a year, Ferguson said.

The Seattle Times reported Ferguson’s lawsuit is the first from a state, although attorneys general in New York, Missouri, Massachusetts, Connecticut and Illinois have begun investigations.

“Defendant’s conduct is made more egregious by the fact that Uber paid the hackers to delete the personal information and keep quiet about the breach,” Ferguson wrote in the lawsuit.

An Uber attorney wrote to Ferguson’s office saying the company “now thinks it was wrong not to provide notice to affected users at the time.”

That’s fine, but it isn’t enough to ensure Uber actually takes action and that other businesses will follow the law in Washington state in the future.

Taking legal action will. Ferguson’s lawsuit seeks penalties of up to $2,000 per violation of the state’s data-breach-notification law. If that penalty were applied to each of the affected drivers in the state, it would put Uber’s penalty at $22 million.

Ferguson’s decision to hold Uber accountable is welcome.

This story was originally published December 9, 2017 at 1:04 PM with the headline "Walla Walla Union Bulletin: State AG right to hold Uber accountable."

Get one year of unlimited digital access for $159.99
#ReadLocal

Only 44¢ per day

SUBSCRIBE NOW