Nearly a year after Uber agreed to pay $148 million to settle claims with Illinois and all other U.S. states over a 2016 data breach, the ride hailing service is still in Cook County court, seeking to persuade a judge to pull to the curb the city of Chicago’s persistent attempts to make the company pony up millions more in fines under a city data breach ordinance.
A Cook County judge could soon weigh in on a motion, filed earlier this summer by Uber, asking the court to dismiss a revised version of the city’s long-running legal action.
The amended lawsuit represents a “new strategy” and “naked gamesmanship” by the city, Uber said, in an attempt by the city to “resuscitate their case – presumably to extract more money from Uber.”
Christopher B. Wilson | Perkins Coie
“That ploy should fail,” Uber wrote.
In late 2017, Jay Edelson and other lawyers from the firm of Edelson P.C., of Chicago, filed suit against Uber, representing the city of Chicago and the Cook County State’s Attorney’s Office. The lawsuit was filed in Cook County Circuit Court on behalf of all residents of Chicago and of Illinois whose personal information may have been compromised when Uber’s data systems were hacked in October 2016. In all, published reports estimated hackers obtained names, email addresses and phone numbers of 50 million Uber passengers and 7 million Uber drivers.
The lawsuit specifically faulted Uber for allowing hackers to access that data using almost exactly the same tactic that had unlocked Uber customer and driver data in a previous 2014 data breach. Further, the complaint asserted Uber had attempted to hide the 2016 data breach, allegedly paying $100,000 to the hackers to delete the user data and not discuss the data breach further.
The lawsuit asserted Uber’s actions violated Illinois state consumer fraud laws and a Chicago ordinance requiring companies to notify the city and Chicago users of such data breaches.
The lawsuit asks the court to order Uber to pay fines under the city’s ordinance of $10,000 per violation per day. It had also sought fines of $50,000 per violation under Illinois state law.
However, at the same time the city and Cook County State’s Attorney brought their action, Uber also was facing legal actions brought by attorneys general from all 50 states, including Illinois, and the District of Columbia. In September 2018, Uber agreed to pay $148 million to settle those national claims.
In the wake of that settlement, Uber again asked a Cook County judge to dismiss the lawsuit brought by the city and Cook County, asserting the lawsuit was now barred by the deal with the Illinois Attorney General, who represented all of Illinois in the controversy over the breach.
However, the city and Cook County responded by first dropping the State’s Attorney from the action, and then amending the lawsuit to include additional claims against Uber for the 2014 breach, as well.
Uber has now asked the judge to reject that amended lawsuit, as well.
“The motives behind Plaintiffs’ (Chicago’s) new strategy are not hard to discern,” Uber wrote in a memorandum in support of its motion to dismiss, filed July 31. “Having gambled and lost on the notion that they could obtain a judgment regarding the 2016 incident before the Illinois Attorney General, Plaintiffs (who have delegated their enforcement authority to a private class-action firm working on a contingency basis) are trying to use stale 2014 claims to resuscitate their case…”
In its brief, Uber asserted the city’s new lawsuit is an “overreach” of the city’s home-rule authority under the Illinois state constitution. Uber argued prior court decisions limit the ability of local governments, like the city, to bring enforcement actions over incidents which are of “statewide or national concern.”
The 2016 and 2014 data breaches meet that criteria, Uber argued.
“Here, all … factors indicate that data security regulation is quintessentially not a matter of local concern, but instead a matter of statewide or national concern,” Uber wrote.
“The City does not (and cannot) allege that the 2014 and 2016 incidents occurred in Chicago. Plaintiffs have not alleged the location of the affected cloud-based data storage service, let alone the locations of the outside actors who caused the incident. Uber’s headquarters are in San Francisco, California. Plaintiffs have alleged no facts to suggest that the incidents affected Chicago residents any differently than any affected Uber users in other cities or states.”
Further, Uber asserted the city violated its own ordinance by not following the notification procedures spelled out in the ordinance. Specifically, Uber said Chicago did not provide any violation notice to Uber before it filed suit.
Finally, Uber argued, as before, the city’s claims are blocked by the Illinois Attorney General’s settlement on behalf of the people of Illinois against Uber. To allow the city to continue in its lawsuit would open the door to allowing Chicago and “every other municipal entity in Illinois” to “easily frustrate the statewide enforcement efforts of the Illinois AG by bringing duplicative and inconsistent local claims against defendants, like Uber, who have already settled with the Illinois AG.”
“By withdrawing its claims based on the 2016 incident, the State’s Attorney admitted that the Illinois AG has authority to settle and release claims brought by state’s attorneys,” Uber wrote. “The City, however, maintains that the Final Judgment does not release and discharge its claims based on the 2016 incident simply because the City is not the State’s Attorney.
“The City’s view of the operative legal doctrine, however, is crabbed, overly narrow and flies in the face of common sense.”
Uber is represented in the action by attorneys Christopher B. Wilson, Eric D. Brandfonbrener and Rebecca S. Engrav, of the firm of Perkins Coie LLP, of Chicago and Seattle.