
Fifty State Attorneys General Reach Settlement over Cyber-Incident Disclosure

Time to Read: 2 minutes
Practices: Data, Privacy & Cybersecurity


Uber Technologies, Inc. has reached a settlement with the attorneys general for all fifty states and the District of Columbia regarding allegations that Uber had violated state data breach notification statutes and consumer protection laws in connection with a 2016 data breach.

The monetary settlement is the largest state attorneys general settlement reached in the aftermath of a data breach and the first to include every state in the nation. It is also the most recent step in a trend of state law enforcement becoming increasingly aggressive in pursuing companies that have suffered data breaches, especially with regard to disclosure requirements.

The state attorneys general asserted consumer protection claims relating to Uber’s data security practices and also asserted that the allegedly delayed announcement violated state statutes requiring notification of data breaches within specific periods of time, within a “reasonable” time, or as promptly as is practicable.

For instance, many states, including California and New York, require that “disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.” Maryland adds the requirement that the reasonably expedient disclosure occur within 45 days of the completion of an investigation into an incident. New Mexico and several other states cap the reporting period at 45 days from the discovery or confirmation of a breach.

Uber publicly disclosed the unauthorized access to data about users and drivers, including as many as 57 million individuals worldwide (with 25.6 million in the United States), in November 2017, approximately a year after the incident occurred.

The Uber settlement is significantly larger than others reached with state attorneys general in recent years. For example, in 2017, multistate groups of attorneys general announced two settlements following data security incidents that had occurred previously. Nationwide paid $5.5 million to a group of 32 states and the District of Columbia in connection with a 2012 incident that allegedly may have involved the data of 1.27 million people. Target agreed to pay $18.5 million to settle claims arising out of its 2013 incident that allegedly involved approximately 40 million payment cards and the personal information of as many as 70 million individuals. At the time, the Target settlement was the largest of its kind.

In addition to paying $148 million to be divided among the states, Uber has committed to certain business practices, including specific data protection steps, password standards, encryption, development of an information security plan and an incident response and breach notification plan, and ongoing self-assessment of data security.

For more information regarding the Uber settlement, or to discuss cybersecurity practices generally, please feel free to contact Mark Szpak or another member of Ropes & Gray’s leading privacy & cybersecurity team.
