On November 21, 2017, Uber disclosed a data breach potentially affecting 57 million passengers and drivers around the world, including over 10,000 Washingtonians. One week later, on November 28, 2017, Washington State Attorney General Bob Ferguson filed a consumer protection lawsuit.
According to Ferguson, this is the first time a lawsuit has been filed under the state’s revised data breach notification law, which was amended in 2015 to include the requirement that affected individuals must be notified within 45 days following discovery of a breach. The amendment also required that the attorney general must be notified within 45 days if the breach affected 500 or more Washington residents.
The Uber notification of security breach, published on the website of the Washington State Office of the Attorney General, indicates that the breach occurred between October 13, 2016 and November 15, 2016, but wasn’t reported until over a year had passed. The lawsuit asks for civil penalties up to $2,000 per violation of the law, counting as a separate violation each day Uber failed to report for each individual, potentially resulting in millions of dollars in penalties.
Will Other State Attorneys General Follow Suit?
Generally, all state breach notification statutes have a provision that individuals must be notified of a breach in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement. But a number of states go beyond the ambiguity of “expedient.”
As of the publication date of this article, nine states including Washington have general breach notification statutes that specify a notification timeline for individuals, the state’s attorney general, or major credit reporting agencies:
Connecticut
Individuals: Notice must be given to Connecticut residents no later than 90 days after discovery of a breach.
Florida
Individuals: Notice must be given no later than 30 days after the determination of a breach or reason to believe a breach occurred. A covered entity may receive an additional 15 days to provide notice to individuals if good cause for the delay is provided to the Florida Department of Legal Affairs in writing within 30 days of determination of a breach or reason to believe a breach occurred.
Department of Legal Affairs: If more than 500 individuals are affected, the Department must be notified no later than 30 days after determination of a breach or reason to believe a breach occurred.
New Mexico
Individuals: Notice must be given to New Mexico residents no later than 45 calendar days following discovery.
Attorney general: If more than 1,000 New Mexico resident require notification, the attorney general must be notified no later than 45 calendar days following discovery.
Major credit reporting agencies: If more than 1,000 New Mexico residents require notification, major credit reporting agencies must be notified no later than 45 calendar days following discovery.
Ohio
Individuals: Notice must be given to Ohio residents no later than 45 days following discovery or notification of a breach.
Rhode Island
Individuals: Notice must be given to Rhode Island residents no later than 45 calendar days after confirmation of a breach.
Tennessee
Individuals: Notice must be given to Tennessee residents no later than 45 days from discovery or notification of a breach.
Vermont
Individuals: Notice must be given to Vermont residents no later than 45 days after discovery or notification of a breach.
Washington
Individuals: Notice must be given to Washington residents no later than 45 calendar days after discovery.
Attorney general: If more than 500 Washington residents require notification, the attorney general must be notified no later than 45 calendar days after discovery.
Wisconsin
Individuals: Notice must be given no later than 45 days after a covered entity learns of the acquisition of personal information.
Note that if you are a member of the International Association of Privacy Professionals, you have access to the IAPP-RADAR Incident Response Center, an innovative tool that provides access to up-to-date overviews of U.S. state and federal breach notification laws, as well as and international law overviews–including GDPR. Access this free tool.
The privacy community will be watching closely to see if or when other states follow Attorney General Ferguson’s lead in filing lawsuits against Uber for non-compliance with their breach notification laws.
Expect Increased Stringency and Associated Fines when it Comes to Missed Data Breach Notification Deadlines
We’ve written before about the trend of states increasingly requiring notification to the state attorney general, and the increasing specificity in notification timelines. Coming up in 2018, at least one additional state will continue the trend of specifying a breach notification timeline. Effective April 14, 2018, an amendment to Delaware’s general breach notification statute requires that Delaware residents be notified no later than 60 days after discovery.
Though this is the first time such a lawsuit has been filed under Washington’s 45-day breach notification law, penalties for late notification are on the rise. Earlier this year, the Office for Civil Rights announced the first ever enforcement settlement for lack of a timely breach notification after a healthcare network failed to notify within 60 days of discovery of a breach affecting 500 or more individuals. Timely notification is also top of mind for companies working to comply with the GDPR come May 25, 2018, when noncompliance with a 72-hour breach notification timeline could result in a fine of 2% to 4% of total worldwide annual turnover of the preceding financial year.
For RADAR customers, staying current with the global patchwork of breach notification laws is seamless. The RADAR regulatory team continuously tracks and updates RADAR’s Breach Guidance Engine™ and Law Overviews with changes in data breach notification laws, leaving no gaps in compliance.