Did Uber Break the Law in Hacker Payoff?

Uber’s Data Drama Puts ‘Bug Bounties’ in the Spotlight
– Law360

Manatt’s Richard Lawson, a partner in the firm’s consumer protection practice, was quoted by Law360 for an article on Uber’s response to a recent cybersecurity threat.

According to the publication, Uber paid $100,000 to hackers who reportedly revealed a security flaw. Uber’s decision to pay off the hackers has spawned regulatory backlash that may force companies to examine how they can respond to cybersecurity threats like this one without breaking the law. Uber waited more than a year to disclose what happened, and as a result, at least five state attorneys general have launched inquiries to determine whether the company violated state data breach notification laws.

Lawson explained that once state regulators determine a hack was “unauthorized,” they are likely to look at whether the researcher merely “accessed” the data or went a step further and “acquired” it by downloading and storing it.