NO. 14 The Plaintiff, State of Washington, by and through its attorneys Robert W. Ferguson,

Transcription:

STATE OF WASHINGTON
KING COUNTY SUPERIOR COURT

STATE OF WASHINGTON, Plaintiff,
v.
UBER TECHNOLOGIES, INC., Defendant.

NO.

COMPLAINT FOR INJUNCTIVE AND OTHER RELIEF UNDER THE CONSUMER PROTECTION ACT

The Plaintiff, State of Washington, by and through its attorneys Robert W. Ferguson, Attorney General, and Shannon Smith, Tiffany Lee, and Andrea Alegrett, Assistant Attorneys General, brings this action against the Defendant named herein. The State alleges the following on information and belief:

I. PLAINTIFF

1.1 The Plaintiff is the State of Washington ("State").

1.2 The Plaintiff brings this action pursuant to RCW 19.86, the Consumer Protection Act, and RCW 19.255 governing notice of security breaches. Plaintiff seeks a permanent injunction, and other equitable relief, including civil penalties and attorneys' costs and fees based on violations of the Consumer Protection Act and RCW 19.255.

1.3 The Attorney General is authorized to commence this action pursuant to RCW 19.86.080, 19.86.140, and 19.255.010(17).

COMPLAINT - 1 (206) 464-7745

II. DEFENDANT

2.1 Defendant, Uber Technologies, Inc. ("Uber") is a Delaware corporation with its principal place of business at 1455 Market Street, No. 400, San Francisco, California. Uber is registered with the Washington Secretary of State.

2.2 Uber is in the business of connecting drivers with passengers who are looking for vehicles for hire. Uber transacts or has transacted business in the state of Washington.

2.3 When used in this Complaint, "Uber Technologies, Inc.," "Uber," and "Defendant" refer to Uber Technologies, Inc. and its agents, servants, employees, or representatives.

III. JURISDICTION AND VENUE

3.1 The State files this Complaint and institutes these proceedings under RCW 19.86 and RCW 19.255.

3.2 The Defendant engaged in the conduct set forth in this Complaint in King County and elsewhere in the state of Washington.

3.3 Venue is proper in King County pursuant to RCW 4.12.020.

IV. NATURE OF TRADE OR COMMERCE

4.1 Defendant is now, and has been at all times relevant to this lawsuit, engaged in trade or commerce within the meaning of RCW 19.86.020.

4.2 Uber is a ride hailing service that connects drivers with passengers who are looking for a vehicle for hire. Uber markets its ride hailing service to passengers and drivers, including through a website it operates, www.uber.com. Drivers and passengers are consumers of Uber's ride hailing service.

4.3 Uber operates its ride hailing service by means of a mobile software application ("App") that connects drivers and passengers. Uber markets different versions of the App to drivers and passengers. As part of the services it provides, Uber collects information about drivers and passengers, including personally identifiable information such as names, addresses, email addresses, payment card information, driver's license numbers of vehicle drivers, and other information.

4.4 Defendant has been at all times relevant to this action in competition with others engaged in similar business in the state of Washington.

V. FACTS

5.1 On or about November 14, 2016, Uber was contacted by an individual who claimed he had accessed Uber user information. Following the contact, Uber investigated the claim and determined that the individual who had made the contact and another person had obtained access to information stored electronically in Uber's databases and files. The individuals were not authorized to have access to the information. The unauthorized access began on or about October 13, 2016 and the unauthorized access was terminated on or about November 15, 2016.

5.2 The unauthorized access, or hack, of Uber's electronic data included information on 57 million passengers and drivers around the world. The hackers accessed the names, email addresses, and telephone numbers of about 50 million passengers. The hackers also accessed the names and driver's license number of about seven million drivers, 600,000 of whom reside in the United States and at least 10,888 of whom are in Washington state.

5.3 When it learned about the breach, Uber did not notify law enforcement authorities or consumers about it. Rather, at the hackers' demand, Uber paid the hackers to delete the consumer data and keep quiet about the breach.

5.4 Uber notified the Washington Attorney General's Office of the breach on Tuesday, November 21, 2017. On November 22, 2017, Uber began the process of notifying affected consumers that an unauthorized person or persons accessed their personal information, including driver's license numbers. A copy of Uber's notice to the Attorney General is attached as Exhibit A.

5.5 Uber executives were aware of the breach as early as November 2016.

5.6 Uber is aware of its responsibilities to provide notice of data security breaches. In 2016, the New York Attorney General fined Uber for failing to notify drivers and that office about a data breach that occurred in 2014.

VI. FIRST CAUSE OF ACTION
Failure To Provide Notice of Security Breach to Affected Consumers

6.1 Plaintiff realleges paragraphs 1.1 through 5.6 and incorporates them herein by this reference.

6.2 Defendant became aware of a data security breach on or about November 14, 2016. The data security breach resulted in the unauthorized access of personal information of Washington consumers, consisting of the names and driver's license numbers of at least 10,888 Uber drivers.

6.3 RCW 19.255.010(16) requires Defendant to provide notice of the security breach to affected consumers "in the most expedient time possible and without unreasonable delay, no more than forty-five calendar days after the breach was discovered." Defendant failed to notify the affected drivers until November 22, 2017.

6.4 Defendant's conduct is made more egregious by the fact that Uber paid the hackers to delete the personal information and keep quiet about the breach.

6.5 The conduct described in paragraphs 6.1 through 6.4 violates RCW 19.255.010. Pursuant to RCW 19.255.010(17), violations of RCW 19.255 constitute violations of the Consumer Protection Act, RCW 19.86.

6.6 Notwithstanding RCW 19.222.010(17), failing to notify affected consumers that their driver's license numbers had been accessed by unauthorized individuals is an unfair or deceptive act or practice in violation of RCW 19.86.020. Failing to notify affected consumers that their driver's license numbers were accessed by unauthorized individuals is not reasonable in relation to the development and preservation of business and is inconsistent with the public interest.

VII. SECOND CAUSE OF ACTION
Failure To Notify the Attorney General of Data Security Breach

7.1 Plaintiff realleges paragraphs 1.1 through 6.6 and incorporates them herein by this reference.

7.2 RCW 19.255.010(15) requires Defendant to provide notice of the November 14, 2016 security breach to the Attorney General because the personal information of more than 500 Washington residents was affected by the data security breach. As set forth in RCW 19.255.010(16), Defendant was required to notify the Attorney General "in the most expedient time possible and without unreasonable delay, no more than forty-five calendar days after the breach was discovered." Defendant failed to notify the Attorney General until November 21, 2017.

7.3 The conduct described in paragraphs 7.1 through 7.2 violates RCW 19.255.010. Pursuant to RCW 19.255.010(17), violations of RCW 19.255 constitute violations of the Consumer Protection Act, RCW 19.86.

VIII. PRAYER FOR RELIEF

WHEREFORE, Plaintiff, State of Washington, prays for relief as follows:

8.1 That the Court adjudge and decree that the Defendant has engaged in the conduct complained of herein.

8.2 That the Court adjudge and decree that the conduct complained of constitutes unfair or deceptive acts and practices and an unfair method of competition and is unlawful in violation of the Consumer Protection Act, RCW 19.86.020, and RCW 19.255.010.

8.3 That the Court issue a permanent injunction enjoining and restraining the Defendant, and its representatives, successors, assigns, officers, agents, servants, employees, and all other persons acting or claiming to act for, on behalf of, or in active concert or participation with the Defendant, from continuing or engaging in the unlawful conduct complained of herein.

8.4 That the Court assess civil penalties, pursuant to RCW 19.86.140, of up to two thousand dollars ($2,000) per violation against the Defendant for each and every violation of RCW 19.86.020 and RCW 19.255.010 caused by the conduct complained of herein.

8.5 That the Court make such orders pursuant to RCW 19.86.080 as it deems appropriate to provide for restitution to consumers of money or property acquired by the Defendants as a result of the conduct complained of herein.

8.6 That the Court make such orders pursuant to RCW 19.86.080 to provide that the Plaintiff, State of Washington, recover from the Defendant the costs of this action, including reasonable attorneys' fees.

8.7 For such other relief as the Court may deem just and proper.

DATED November 28, 2017.

ROBERT W. FERGUSON
Attorney General

SHANNON SMITH, WSBA No. 19077
TIFFANY LEE, WSBA No. 51979
ANDREA ALEGRETT, WSBA No. 50236
Assistant Attorneys General
Attorneys for Plaintiff State of Washington

EXHIBIT A

November 21, 2017

Office of the Washington Attorney General
Consumer Protection
800 5th Ave, Suite 2000-3188

Rebecca S. Engrav
REngrav@perkinscoie.com
D. +1.206.359.6168
F. +1.206.359.7168

Email Address: SecurityBreach@atg.wa.gov

Re: Notification of Security Breach

To Whom It May Concern:

On behalf of our client Uber Technologies, Inc. ("Uber"), we are writing to notify you of a data security incident.

In November 2016, Uber was contacted by an individual who claimed he had accessed Uber user information. Uber investigated and determined that the individual and another person working with him had obtained access to certain stored copies of Uber databases and files located on Uber's private cloud data storage environment on Amazon Web Services. Uber determined the means of access, shut down a compromised credential, and took other steps intended to confirm that the actors had destroyed and would not use or further disseminate the information. Uber also implemented additional measures to improve its security posture. To the best of Uber's knowledge, the unauthorized actor's access to this data began on October 13, 2016, and there was no further access by the actor to Uber's data after November 15, 2016.

As determined by Uber and outside forensic experts, the accessed files contained user information that Uber used to operate the Uber service. Most of this information does not trigger data breach notifications under state law. However, the files did include, for a subset of users in the files, the names and driver's license numbers of about 600,000 Uber drivers in the United States, including at least 10,888 drivers in Washington (we will update this number in the next few days after the mailing count is finalized).[1]

Beginning on November 22, 2017, Uber is providing notice to the individuals whose driver's license information was downloaded in this incident. Uber will offer 12 months of credit monitoring and identity theft protection services to these individuals free of charge, and the notice will provide information on how to use such services. A copy of the notice is enclosed.

[1] The files also included other types of data and salted and hashed user passwords, but they do not trigger notification.

As it has publicly announced today, Uber now thinks it was wrong not to provide notice to affected users at the time. Accordingly, Uber is now providing notice. In order to treat its driver partners consistently throughout the United States, Uber is providing notice to affected drivers in all states without regard to whether the facts and circumstances of this incident (or the number of affected individuals) trigger notification in each particular state.

Uber is taking personnel actions with respect to some of those involved in the handling of the incident. In addition, Uber has implemented and will implement further technical security measures, including improvements related to both access controls and encryption.

Uber sincerely regrets that this incident occurred. It is committed to working with your office to address this matter. Please do not hesitate to contact me with any questions or for more information. My contact information is above.

Very truly yours,

Rebecca S. Engrav

Attachment