Legal Implications of the Uber Data Breach

Following the US and Australia, the Canadian privacy commissioner is launching an investigation into last year’s data breach at Uber that impacted over three quarters of a million Canadians.

Uber data breach and cover-up

In late 2016, hackers stole personal information from 57 million Uber drivers and users around the world, including contact information and driver’s license numbers. The company failed to notify users, or the general public, claiming that no payment details, social insurance numbers, or location data were compromised. In the wake of the cover-up being exposed, the company’s Chief Security Officer left the company.

More recently, it has been revealed that the company paid the hacker to destroy the stolen information through a “bug bounty” program, in an attempt to conceal the nature of the breach and subsequent ransom payment. The program is intended to reward security researchers who identify flaws in the company’s systems.

Legal and liability implications of the Uber data breach

A data breach can lead to liability under privacy legislation, which requires that companies maintain proper privacy and data protection measures and give notification of any security breach of this type. The Canadian federal privacy commissioner can initiate an investigation into a company for failing to comply with privacy laws. Depending on the findings, the commissioner can sue a company in Federal Court, seeking an order that the company rectify any non-compliance or compensate for any damages caused.

This type of breach may also result in civil liability. An Alberta woman has launched a lawsuit against Uber and is seeking class action certification. The suit seeks damages for credit counseling, monitoring, and theft protection services, claiming that the company failed to uphold its duty to inform users and the Alberta privacy commission.

Toronto product liability lawyers following the latest legal trends

Historically, companies have been required to provide the public with products and services that do not cause harm or injury when used as intended. If those products are badly designed, or if services are provided below a reasonable standard of care, companies are expected to take steps to recall, redesign or otherwise rectify the issue, and then compensate any losses that resulted from their negligence.

Where the product or service provided includes storing personal data, the courts are now being asked to determine whether companies must compensate users who suffer a loss due to the company’s failure to uphold a reasonable standard of privacy and data protection. At Derfel Injury Law, our product liability lawyers are following these cases closely, so we can stay on top of emerging trends and offer better advice to our clients. Contact us online to make an appointment with one of our lawyers or call 416-847-3580.