Like a rider hailing an overcrowded uberPOOL heading to O’Hare on a busy weekday, the City of Chicago has joined the feeding frenzy surrounding the recently disclosed and controversially handled Uber breach.
Specifically, Chicago Corporation Counsel and the Illinois State’s Attorney for Cook County filed suit on November 28, 2017 in the Circuit Court of Cook County on behalf of the City of Chicago and the People of the State of Illinois against Uber, alleging, among other things:
- failure to safeguard personal information in violation of the Chicago Municipal Code;
- failure to give prompt notice of a data breach in violation of the Chicago Municipal Code;
- concealment of a data breach in violation of the Chicago Municipal Code;
- unfair and deceptive business practices under Illinois state law;
- failure to give prompt notice of a data breach in violation of Illinois state law; and
- concealment of a data breach in violation of Illinois state law.
Such actions have become commonplace, with jurisdictions becoming plaintiffs, suing on behalf of their constituents for damages and injunctive relief arising from a data breach. Two alarming developments are reflected in the City of Chicago v. Uber suit, however.
First, the City of Chicago, at least according to the complaint, does not have a specific ordinance requiring companies to safeguard personal information of the city’s residents. Nor does the City of Chicago have (in contrast to local jurisdictions like New York City, for example) its own applicable data breach notification requirements. Rather, the City’s claims in the Uber suit arise from its general municipal prohibition against unfair and deceptive business practices, Chicago Municipal Code Section 2-25-090, which states that: “[n]o person shall engage in any act of consumer fraud, unfair method of competition, or deceptive practice while conducting any trade or business in the city.” Based on this generalized prohibition, the city asserted its first five causes of action against Uber, alleging failure to safeguard personal information (Causes of Action Nos. 1 and 4); failure to give prompt notice of the breach (Cause of Action No. 2); concealment of the breach (Cause of Action No. 3); and seeking declaratory judgment that Uber breached Section 2-25-090 (Cause of Action No. 5).
Given that most, if not all, major cities in the United States have ordinances similar to Section 2-25-090, the City of Chicago v. Uber suit has the potential to exponentially multiply the number of regulators to which a nationwide, or even statewide, entity must answer in relation to data security. Now, not only are the federal authorities (FTC, HHS, CFPB, etc.) watching, and not only do 52 states and territories (including Washington, D.C.) have data breach notification laws on the books (some of which require specific data security safeguards before the breach), but post-Uber, almost every city or other municipality that prohibits unfair or deceptive business practices can become a post hoc regulator, bringing suit for violations after the breach. Indeed, all cyber regulators exerting authority under “little FTC Acts” that prohibit unfair and deceptive business practices generally could well become regulators before the breach, that is, if a whistleblower complains to the regulator that the organization is being unfair or deceptive in its cybersecurity practices.
The FTC has taken this very position since at least 2011, stating (subject to a disclaimer) in a presentation at John Jay College in New York City that: “[A] company’s practices may be unreasonable and subject to FTC enforcement even without a known security breach.” See FTC: Anatomy of a Data Security/Privacy Investigation and the Future of Privacy, November 10, 2011 (slide 8). It is one thing for a monolithic federal regulator like the FTC, which regularly gives administrative guidance and has an established system of administrative precedent, to assert a position like this. It is another thing entirely for numerous and disparate cities to potentially join the fray, whether pre- or post-breach.
The other watershed development of the City of Chicago v. Uber suit is that the City and the Illinois State’s Attorney for Cook County did not go it alone. They have significant and high-powered help from the Edelson firm, a high-profile plaintiffs’ firm specializing in privacy-related suits. This kind of plaintiffs’ firm firepower does not bode well for companies assessing their litigation risk in relation to a data breach. If representing municipalities in data breach suits turns out to be a viable income stream for the plaintiffs’ bar, these types of suits will certainly proliferate, increasing litigation risk exponentially. The facts of the Uber suit were unequivocally bad, giving rise to much of the reaction we are seeing currently. But these bad facts have repercussions beyond Uber’s board room, bottom line, or brand. They may well echo around the country, as local jurisdictions (aided by the plaintiffs’ bar) join the data breach litigation fray.