Challenged on Monday by US senators to explain its failure to report that it had allowed hackers to grab records on 57 million customers and drivers and then paid hush money in an attempted year-long coverup, Uber has been presented with its second state-backed lawsuit for not alerting authorities to the pilfering.
The first such suit arrived on Monday, from the State of Illinois and the City of Chicago, featuring a chiding from Chicago Mayor Rahm Emanuel: "The City of Chicago will not tolerate these kinds of irresponsible practices, which is why we are taking legal action to hold Uber accountable for their reckless actions."
The second landed Tuesday, from the State of Washington, where the state's IT security breach law requires notification of consumers within 45 days and, if more than 500 state residents are implicated, notification of the state Attorney General. Uber, apparently, did neither: it sat on its hands for a year until the lid was blown on the coverup.
Washington's complaint, filed in King County Superior Court, claimed the hacking exposed data for an undisclosed number of customers and at least 10,888 drivers in Washington, and that Uber failed to say anything in a timely manner.
In a statement, Washington Attorney General Bob Ferguson said the law is clear that businesses must inform people put at risk by a computer security breach. "Uber's conduct has been truly stunning," he said. "There is no excuse for keeping this information from consumers."
The complaint asks the court to assess damages of up to $2,000 per affected individual, which could amount to $20m for drivers alone.
As a point of reference, Uber lost about $2.8bn last year, according to Bloomberg. Even so, despite the San Francisco upstart's bottomless well of scandals, reports this year suggest losses have been narrowing and ride bookings have been rising.
Uber's reputation for flouting laws has turned the taxi-app biz into a legal punching bag. Also on Tuesday, the judge hearing Google's trade secret lawsuit against Uber delayed the pending trial after evidence emerged the company had operated a secret unit explicitly for stealing trade secrets.
As a measure of its alleged malfeasance, Uber has been sued almost 80 times in US civil court so far this year. And there may be more lawsuits coming from other states, given that almost all have some form of data breach notification requirement.
Uber did not respond to a request for comment.
In its breach disclosure and apology last week, CEO Dara Khosrowshahi said Uber will learn from its mistakes. The ride hailing biz may also contribute to the career advancement of a significant number of lawyers. ®
Sponsored: Webcast: Ransomware has gone nuclear