Portland City Auditor - oregonlivemedia.oregonlive.com/roadreport_impact/other/Statement of... · 2018-03-13 · Portland City Auditor Hearings Office 1900 SW 4'0 Avenue, Room 3100,

Portland City Auditor Hearings Office 1900 SW 4'0 Avenue, Room 3100, Portland, OR 97201

www .portlandoregon.gov/ auditor /hearings

phone: (503) 823-7307

fax: (503) 823-4347

APPEAL HEARING REQUEST FORM (See reverse for instructions on submitting this form.)

*=Required Information. Failure to submit all required information will cause your request to be denied.

*1. Appellant: Raiser, LLC

2. Contact Name (if different than Appellant): Erick Haynie (Attorney for Appellant)

*3. Mailing Address: 700 SW 5th Ave. #4000, 3rd Floor, Portland, OR 97204

*4. Telephone: 866.576.1039

5. Attorney's (if any) Name: Erick Haynie

6. Attorney's Mailing Address: 1120 NW Couch St., Portland, OR 97209

7. Attorney's Phone Number: 503.727.2017

*8. Does your request involve being excluded from a City Park? Yes D No li'.'.'.f

*9. Does your request involve a suspension or revocation of a license? Yes D No 0 *10. Why do you believe the City Bureau's decision/determination is invalid, unauthorized, or otherwise

improper? (Attach additional sheets, if needed).

See attached.

11, If your request is late, please explain why. (Attach additional sheets, if needed):

By signing below, I certify that all information is true and complete to the best of my knowledge. If Appellant is other than an individual, I certify (by signing below) that I am a duly-authorized representative.

• 1,,-,;) &· ~,.; Date

In compliance with Civil Rights laws, it is the policy of the City of Portland that no person shall be excluded from participation in, denied the benefits of, or be subjected to discrimination in any City program, service, or activity on the grounds of race, color, national origin, or disability. To help ensure equal access to City programs, services, and activities, the City of Portland reasonably provides: translation and interpretation services, modifications, accommodations, auxiliary aides and services, and alternative format. For these services, complaints, and additional information, contact 503-823-7307, use City TTY 503-823-6868, or use Oregon Relay Service: 71 I.

PORTLAND BUREAU OF TRANSPORTATION

1120 SW Fifth Avenue. Suite 800 Portland, OR 97204 503.823.5185

Fax 503.823.7576 TTY 503.823.6868 www.portlandoregon.gov/transportation

Dan Saltzman Commissioner Leah Treat Director

Raiser, LLC Attn: Matt Neururer 700 SW 5th Ave. #4000, 3rd Floor Portland, OR 97204

BY ELECTRONIC MAIL, US FIRST CLASS MAIL AND CERTIFIED MAIL

January 29, 2018

Re: Penalty for violation of Portland City Code Chapter 16.40.240

Dear Mr. Neururer:

In late November of 2017, we learned that Uber Technologies, Inc. the parent of its wholly owned subsidiary Raiser, LLC (collectively "Uber") was the subject of a massive data breach. This breach impacted millions of drivers and riders across the United States and the world. In a November 22, 2017 letterwe received from Perkins Coie, we learned that 1391 Oregon drivers had their personal information disclosed. Uber also reported the data breach to the Oregon Department of Justice Department of Consumer and Business Services Consumer Protection section ("Oregon DOJ") as required by ORS 646A.604. The notice to both the City and the Oregon DOJ noted that the breach began on October 13, 2016 and ended on November 15, 2016. Uber discovered the breach on November 14, 2016.

A breach of a consumer's personal information occurs when a consumer's name is disclosed in combination with any one or more identifying elements [(ORS 646A.602(1)(a), (11)]. In the November 22, 2017 report submitted to the Oregon DOJ and the City, Uber did not dispute this and identified that the names and Driver's License or State Identification Card Numbers of approximately 60 million accounts were accessed, noting that 1, 1731 were Oregonians.

According to media reports and Uber's own reporting of the breach, Uber's leadership knew about the breach for at least a year. In addition, Uber paid $100,000 to recover the lost records. Finally, Uber failed to notify either the State of Oregon or the City of Portland as required by Oregon Law and Portland City Code (16.40.240, K. 4) until sending the November 22, 2017 letter, more than a year after the initial breach and its discovery.

1 In its initial report to the DOJ and City Uber reported 1,173 Oregonians affected by the breach. In a follow up letter from Perkins Coie to the City on December 15, 2017 this number was revised to 1,391.

llPage

Uber has had a difficult relationship with the City of Portland dating back to December 2014. In 2014, Uber used a tactic that has become widely known and reported as Greyballing to thwart regulators while Uber was attempting to illegally establish operations in Portland. The failure to report the data breach to those affected and the state and City as required by state law and City Code shows a continuing disregard for Portland laws and regulatory structure for private for-hire operators. It is a clear violation of the data reporting requirement in Portland City Code 16.40.240 K.4. which provides:

16.40.240 TNC Company Operating Responsibilities and Prohibitions

K. Digital Record Requirements. Secure, digital records with contact information from TNC Drivers and TNC passengers shall be maintained by the TNC. Such records shall provide a verifiable way to identify drivers and riders for investigatory purposes. Secure digital records must be maintained in accordance with the following requirements:

4. The TNC shall notify the City of a known data security breach in the same manner as provided in ORS 646A.600 to ORS 646A.628.

M. Failure to comply with any provision in Section 16.40.240 is a Class B violation subject to penalties provided in Sections 16.40.930 through 16.40.950.

In accordance with Portland City Code 16.40.930, we are imposing a fine of $3,475,000.00. Each violation is a separate offense which carries a penalty. As noted, the violations for failure to report a breach of personal information is a Class B violation. In total, Uber has noted 1,391 violations subject to penalty. The violations began on November 14, 2016. Under the penalty table provided in 16.40.930, a first offense of a Class B violation is punishable by a $1000 penalty. The· second offense of this Class B violation is punishable by a $1500 penalty. The third, and each subsequent offenses are Class B violations punishable by a $2500 penalty. The penalty for violations of PCC 16.40.24 K.4. breaks down as follows:

1st driver 2nd driver

1389 drivers

$1,000.00 $1,500.00 $ 2,500.00

$1,000.00 $1,500.00

$ 3,472,500.00 $ 3,475,000.00

The penalty for these violations could also include suspension or revocation of Uber's operating permit. Despite the volume of violations, we are not suspending or revoking the operating permit at this time.

Please Remit Payment to: City of Portland - Accounting Division Attn: General AR PO Box 5066 Portland, OR 97208-5066

(Check or money orders only)

21Page

If you believe that this determination is not consistent with City Code, you may request an appeal before a Code Hearings Officer under the provisions of Portland City Code Chapter 22.10. To arrange a hearing, the Code Hearings Office must receive your written request no later than 10 business days after the date of this determination. Your written request must include a description of what you believe makes this determination invalid along with copies of any evidence you wish to submit. Hand-deliver your written request to:

City of Portland Code Hearings Office 1900 SW 4th Avenue Room 3100 Portland, OR 97201 Monday - Friday from 8:30am to 12:00pm and 1 :OOpm to 4:30pm http://www.portlandoreqon.gov/hearings/ Phone 503-823-7307 Fax 503-823-4347

You will receive an acknowledgement from the Code Hearings Office if you submit an appeal request. Please note that if you request an appeal, the decision in this letter will be stayed until the Hearings Officer makes a final determination.

Sincerely,

Leah Treat

cc: Dave Benson, Parking Group Manager Mark Williams, Regulatory Division Manager Matthew Erickson - Program Manager Ken McGair, Sr. Deputy City Attorney Rebecca Engrav, Perkins Coie

3IPage

2

3

4

5

6

7 Rasier, LLC,

8

9 v.

BEFORE THE CITY OF PORTLAND CODE HEARINGS OFFICE

Appellant,

Case No.

STATEMENT OF GROUNDS FOR ADMINISTRATIVE APPEAL

By Rasier, LLC 10 Portland Bureau of Transportation,

11 Appellee.

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

I. INTRODUCTION

The Portland Bureau of Transportation ("PBOT" or the "City") has levied an

unprecedented civil penalty against Rasier, LLC, a wholly owned subsidiary of Uber

Techn~logies, Inc., 1 for allegedly violating a local code provision requiring transportation

network companies ("TN Cs") to report data breaches to the City. The penalty should be struck

down for three reasons. First, the code provision is invalid because PBOT lacks authority to

. regulate data security incidents. Second, even if the code provision were valid, Rasier complied

with the code: it is uncontested that Rasier provided notice in November 2017, and notice is all

that is required. Third, even ifthe code provision is a valid exercise of PBOT's authority, and

even if Rasier violated the code provision, the code unambiguously permits only a $1000

penalty, total. Engaging in breathtaking overreach to fill its coffers, however, the City instead

imposed a penalty in the amount of $3,475,000-over three thousand times the maximum

1 Uber Technologies, Inc. ("UTI") is the technology company that developed the Uber app. Rasier, LLC ("Rasier") is a subsidiary ofUTI and is a TNC that makes the Uber app available to drivers. UTI, Rasier, and their affiliates sometimes are referred to collectively herein as "Uber."

Perkins Coie LLP

PAGE 1- STATEMENT OF GROUNDS FOR ADMINISTRATIVE APPEAL

1120 N.W. Couch Street, 10th Floor Portland, OR 97209-4128

Phone: 503.727.2000 Fax: 503.727.2222

penalty allowed under the code and of unprecedented magnitude. Applying funny math, the City

2 ignores the plain language of the code, goes far outside its territorial jurisdiction to seek penalties

3 on behalf of drivers statewide with no relationship to Portland, denies Rasier due process, and

4 seeks to assess an unconstitutionally excessive fine. Rasier seeks invalidation of the civil penalty

5 and relief from the City's impermissible overreach.

6 II. BACKGROUND

7 The Portland City Code ("PCC") includes a chapter of regulations applicable to TN Cs,

8 including Rasier. One provision states: "The TNC shall notify the City of a known data security

9 breach in the same manner as provided in ORS 646A.600 to ORS 646A.628." Chapter

IO 16.40.240.K.4 (hereinafter, "TNC Breach Code"). The referenced Oregon statewide statutes

11 provide substantive and procedural requirements for when and how data breaches of all types

12 and from any type of company, TNC or not, should be reported to the Oregon Attorney General

13 and affected individuals in Oregon.

14 On November 21, 2017, Uber announced that it had been the victim of a data security

15 incident that occurred in the fall of 2016. The incident involved access by outsiders to backup

16 files of Uber data from the summer of 2015 that included, for some drivers, their names and

17 driver's license numbers ("affected drivers"). Outside forensics experts have not seen any

18 indication that the files include Social Security numbers, birth dates, or payment or credit card

19 numbers. In a different case that similarly involved exposure of names and driver's license

20 numbers, a federal court ruled that there was no risk of identify theft or other harm from

21 exposure of driver's license numbers. See Antman v. Uber Techs., In'c., 3: 15-cv-01175-LB, 2015

22 WL 6123054, at *11 (N.D. Cal. Oct. 19, 2015) ("Without a hack of information such as social

23 security numbers, account numbers, or credit card numbers, there is no obvious, credible risk of

24 identity theft that risks real, immediate injury.").

25 On November 22, 2017, Rasier notified PBOT of the incident, including providing PBOT

26 with copies of the information Uber had provided the day before to the Oregon Attorney


Perkins Coie LLP 1120 N.W. Couch Street, 10th Floor

Portland, OR 97209-4128 Phone: 503.727.2000

Fax: 503.727.2222

General. See Tab 1. The parties engaged in several exchanges of information, largely centering

2 on the City's questions about how many of the affected drivers were permitted by the City. See

3 Tabs 2-5. In response, Uber searched the records of all affected drivers nationwide for those that

4 had ever been licens~d by the City of Portland or had otherwise completed a trip in Portland

5 requested through the Uber app. It provided this list of 328 drivers electronically to PBOT on

6 January 26, 2018, and it also engaged in telephone discussions with PBOT staff to explain in

7 detail how the data was determined and assembled. See Tab 5.

8 PBOT sent a letter to Rasier on January 29, 2018 assessing a civil penalty of

9 $3,475,000.00. See Tab 6. To reach this astronomical number, PBOT engages in fanciful math.

10 First, PBOT purports to assess a penalty for each affected driver, as though there were a separate

11 offense under the TNC Breach Code as to each of them-which is belied by the fact that the

12 TNC Breach Code requires only one notice to the City. Second, PBOT further counts every

13 violation beyond the first as subsequent violations (to reach higher penalty enhancements) even

14 though the claimed failure to timely report was a single occurrence. Third, PBOT further

15 includes all affected drivers currently living in the entire state of Oregon (which is 1391

16 individuals), rather than those within the authority of PBOT (which is at most 328 individuals, or

17 possibly 300). This appeal follows.

18 III. DISCUSSION AND ARGUMENT

19 A. Jurisdiction of Hearings Officer

20 This appeal arises from an alleged violation of PCC 16.40.240.K.4. Pursuant to PCC

21 16.40.240.M, "Failure to comply with any provision of in Section 16.40.240 is a Class B

22 violation subject to penalties provided in Sections 16.40.930 through 16.40.950." PCC

23 16.40.950.E states: "Civil Penalties Appeals. Any person or entity assessed a civil penalty may

24 appeal that decision to the Code Hearings Officer under the provisions of Chapter 22.10."

25 Accordingly, Rasier has the right to file this appeal, and the Hearings Office has jurisdiction,

26 pursuant to PCC Chapter 22.10.




Fax: 503.727.2222

B. Legal Standard

2 The City bears the burden of proof in justifying the fine at issue in this case. See, e.g.,

3 ADM 9.05(9)(e) ("[t]he Hearings Officer shall render a decision as to whether the Determination

4 subject to Appellant's appeal is justified by a preponderance of the evidence in the record and

5 applicable legal standards"). It is the City's burden to present sufficient evidence to establish

6 both that the code was violated and that its method of calculating the fine is proper. Id ("The

7 burden of presenting evidence to support a fact or proposition rests on the proponent of that fact

s or proposition").

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

c. The TNC Breach Code Is Invalid Because It Exceeds the Scope of the City's Authority to Regulate TNCs

Oregon law grants the City authority to regulate vehicles for hire in six specifically stated

areas: licensing, entry into the business, rates, routes, safety and insurance, and a catchall for

"requirements necessary to assure safe and reliable service." ORS 221.495. Given the obvious

lack of relationship between data security and the other five bases, the City presumably relies on

the catchall provision as the jurisdictional basis for passing the TNC Breach Code. But notifying

the City of a data security incident involving the driver's information has no relationship to "safe

and reliable service,'' which is aimed at protecting consumers-the riders taking trips with these

drivers.

If it were not outside the City's allowed areas for regulating TNCs, the TNC Breach Code

would be invalid for another reason: preemption by statewide law. In Oregon, as in all states

with a data breach notification law, data breach notification is a creature of state law. The

Oregon Attorney General's office not only enforces the law, but also receives and reviews

reports of data security incidents from companies, maintains a public website providing a

searchable database of all such notices to assist consumers, see

https://justice.oregon.gov/consumer/databreach/, and has great deal of institutional knowledge

Perkins Coie LLP



Phone: 503.727.2000 Fax: 503.727.2222

about trends in data security incidents and how companies should respond. The City, and local

2 transportation regulators, have no such institutional knowledge or expertise.

3 In particular, the penalty imposed here is improper because the City cannot impose a

4 greater penalty on Rasier than would be imposed by the State of Oregon under ORS Chapter

5 646A. See, e.g., State v. Uroza-Zuniga, 287 Or. App. 214, 223, 402 P.3d 772, 777 (2017)

6 ("Generally, a city may not impose a greater punishment than a statute imposes for acts 'similar

7 in nature, although different in specifics' that both the statute and an ordinance prohibit."). ORS

8 646A.624, which sets out penalties under statewide law.for failing to notify of a data breach,

9 provides that "the maximum penalty for any occurrence shall not exceed $500,000."

10 Data breaches from all companies-TNCs as well as every other realm oftechnology-

11 are well covered by statewide law, and do not relate to the "safe and reliable service" of a ride-

12 hailing business. Therefore, the City lacked authority to pass the TNC Breach Code, which as a

13 result is invalid and not enforceable.

14

15

16

17

18

19

20

21

22

23

24

25

26

D. Even if the TNC Breach Code Is Valid, Rasier Did Not Violate It and No Penalty Should Be Assessed

As quoted above, the TNC Breach Code requires that TN Cs notify the City of data

breaches "in the same manner" as any notifications required by state law to be made to other

parties. PCC 16.40.240.K.4. The "manner" of providing notice in ORS 646A.604.4 includes

notice "in writing ... electronically ... by telephone ... [or] with substitute notice .... "

Rasier did exactly that. Rasier sent its notice letter ("in writing") to PBOT on November

22, 2017. And, it is uncontested that it did so "in the same manner" that it notified the Oregon

Attorney General's office the day before.

The City appears to believe that the TNC Breach Code includes a timeliness

requirement-i.e., that Rasier failed to comply by not giving notice immediately after the data

security incident occurred. But unlike the state data breach law, the TNC Breach Code does not

contain any particular requirements as to when notice must be given. It is uncontested that

Perkins Coie LLP



Phone: 503. 727.2000 Fax: 503.727.2222

Rasier has given notice. Thus, Rasier complied with the code provision and no penalty should be

2 assessed.

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

E. Even if Rasier Violated the TNC Breach Code, the Maximum Penalty Allowed by Law Is $1,000

Even if the TNC Breach Code is valid and even if Rasier violated it (both points are

disputed, as explained above),-the City's methodology for calculating the penalty is contrary to

unambiguous law. The maximum civil penalty applicable is $1,000.

The City alleges that Rasier violated the TNC Breach Code, PCC 16.40.240.K.4.

Pursuant to PCC 16.40.240.M, "Failure to comply with any provision of Section 16.40.240 is a

Class B violation subject to penalties provided in Sections 16.40.930 through 16.40.950." As a

preliminary matter, there is no specific penalty prescribed in the code for a violation of the TNC

·Breach Code. Thus, the Civil Penalty Table in PCC 16.40.930.C applies. See PCC 16.40.930.B

("Unless a specific civil penalty amount is prescribed by any section of this chapter, penalties for

specific code and administrative violations are found in the Civil Penalty Table in Section

16.40.930.") The Civil Penalty Table states as follows for "Class B" violations:

Class B $1,000 $1,500

PCC 16.40.930.C.

$2,500

.. ~ Subsequent Offenses . ' '

Suspension/Revocation of Certification

Trying to juice the numbers, the City makes three crucial errors when it calculates its

penalty amount of over three million dollars ($3,475,000), each discussed below.

1. Only One Alleged Offense Occurred

The City's first error in approach is that it assessed a separate penalty for each driver

affected, see Tab 6, rather than one penalty for the alleged delay in notice to the City.

The TNC Breach Code states that "The TNC shall notify the City of a known data

security breach .... " PCC 16.40.240.K.4 (emphasis added). The City is one entity, and all that

Perkins Coie LLP



Phone: 503.727.2000 Fax: 503.727.2222

is required is a notice to the City. Thus, Rasier at most did one thing wrong: it did not "notify

2 the City" at the time of the data security incident. PCC 16.40.240.K.4.2 Of course, the City's

3 authority is limited to what is stated in the code, and based on the plain language, the City can

4 seek a penalty only for a failure to provide notice to "the City"-a one-time act or a one-time

5 failure to act.

6 The singular nature of the notice requirement in the TNC Breach Code is further

7 supported by the text and context. The provision requires notice to the City of "a known data

8 security data breach" (emphases added). The notice that is required is that of a singular event-

9 a breach. The TNC Breach Code contains no requirement that TN Cs notify drivers, and it

10 contains no requirement that the TNC even tell the City how many or which particular drivers

11 are affected. That Rasier did so voluntarily and in good faith cooperation with the City does not·

12 give PBOT license to overstep its authority in assessing a penalty. (

13 In short, a failure to notify "the City" of "a" data security incident constitutes one offense

14 under the code. Indeed, the City provides no support for its penalty calculation approach, merely

15 asserting in its penalty notice that a separate offense occurr,ed for every affected driver. To

16 follow this logic, Uber would need to submit a separate notice to the City for each affected

17 driver. That is not what the TNC Breach Code states nor what it requires because, as a practical

18 matter, that approach makes no sense.

19 Because at most one offense occurred, the maximum penalty is $1,000 per the Civil

20 Penalty Table. See PCC 16.40.930.C.

21 2. A Single Occurrence Cannot Comprise "Subsequent" Offenses

22 The City's second improper step in calculating its purported penalty is in using sleight of

23 hand as to what constitutes a "subsequent" offense. The City claims that Rasier' s alleged lack of

24

25

26

2 As explained above, however, the code includes no timeliness requirement, and Rasier ultimately did notify the City of the data breach incident, so there is no violation at all. This section describing the penalty calculation assumes arguendo that the hearings officer determines a violation did occur.

Perkins Coie LLP



Phone: 503.727.2000 Fax: 503.727.2222

notice to the City is not only a separate offense as to each driver, but also is a first offense as to

2 the first driver in the data set, a second offense as to the second driver in the data set, and a third

3 offense as to each of the remaining drivers in the data set, which enables the City to reach its

4 astronomical penalty amount of $3,475,000.3 See Tab 6.

5 The alleged conduct of Rasier-failing to notify the City of the data security incident-

6 was a single act. This is a single data security incident and a corresponding single decision by

7 Rasier about when to report it. There is no first, second, third, and subsequent offense. Rasier

8 did not consider individually, seriatim, on behalf of each driver, whether to notify the City of the

9 incident. To the extent it was required to notify the City of the incident earlier than it did, which

1 o Rasier disputes under the plain language of the code as discussed above, that act or failure to act

11 compromised only a single occurrence.

12 This result is supported by the careful and graduated range of penalties in the Civil

13 Penalty Table. This scheme is consistent with the clear intent that an initial violation serves as a

14 warning-before the second offense is committed (with an escalating penalty)--or a third

15 offense (with further penalty escalation). Here, there was only one data security incident. If

16 data-related violations such as the one alleged here are measured by the number of potentially

17 affected individuals, TN Cs could immediately be subject to suspension and punitive fines on the

18 first offense, especially since data security issues by their nature often involve data for more than

19 , one individual at the same time. This result would swallow all notions of graduated fines or

20 penalties and ignore the "warning" policy rationale for a first offense.

21

22

23

24

25

26 3 This analysis is additionally flawed because, as discussed below and as will be shown at the hearing, there are at most only 328 Portland-licensed drivers affected by the security incident, not 1391.

Perkins Coie LLP



Phone: 503.727.2000 Fax: 503. 727.2222

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

3. Drivers Who Currently Live in Oregon, But Have Never Driven or Been Permitted in Portland, Are Outside the City's Jurisdiction

The City's third calculation error is that it is sweeping in all affected drivers who

currently live in Oregon, rather than just those within PBOT's jurisdiction in Portland, see Tab 6,

in order to gin up a higher penalty assessment.

Oregon law delegates to Portland and other cities the authority to "control and regulate

... vehicles for hire that operate within their respective jurisdictions." ORS 221.495 (emphasis

added). Accordingly, the code provisions for TNCs in PCC 16.40.200 et seq. are expressly

limited geographically to the City of Portland. Thus, the TNC Breach Code applies only to data

security incidents affecting City-permitted drivers operating in Portland. See PCC 16.40.240.K.

Stated differently, but to make sure this point is clear: if Rasier suffered a data security incident

affecting only a driver in Salem, or a driver in, say, Florida who later moves to Bend, in neither

case would the TNC Breach Code apply, and Rasier would have no obligation to notify the City

of anything. The City's methodology for calculating the assessed fine, however, would sweep in

those two drivers over whom PBOT has no jurisdiction in the first place.

Rasier has painstakingly explained the data set to PBOT in both written communications

and telephone conversations. See Tabs 3-5. The facts, which will also be the subject of

testimony by Uber witnesses at the hearing of this matter, are as follows:

(1) The accessed data is stale. The data accessed in the fall 2016 incident was in

backup files from the summer of 2015 (over a year old at the time and now nearly three years

old). Thus, all affected drivers were driving with Uber as of the summer of 2015. No one who

began driving with Uber at any point after the summer of 2015 is included.

(2) Rasier was permitted by the City in April 2015, just a few months prior to the

creation of the accessed data. Thus, it is not surprising that the number of Portland-licensed

drivers in the data set is low. (See also point number four below-even the other drivers Uber

Perkins Coie LLP



Phone: 503.727.2000 Fax: 503.727.2222

notified now within the state of Oregon based on current mailing address might have been

2 driving in other states at the time the data set was created, or at the time it was downloaded.)

3 (3) In order to provide notice to drivers in November 2017 under state law, which

4 addresses notice to residents of Oregon, Uber took all affected drivers and looked to other

5 sources to determine, as best as possible, a current mailing address for those individuals. Based

6 on November 2017 mailing addresses, 1391 individuals from the nationwide data set now live

7 somewhere in the state of Oregon.

8 (4) People move frequently. These 1391 individuals in Oregon thus could include

9 scenarios such as (a) someone who drove in Florida with Uber in 2015, subsequently ceased

1 o driving at all, and in the summer of 2017 moved to Salem for other reasons, or (b) someone who

11 drove in Vancouver, Washington with Uber in 2015 but subsequently moved to Bend and

12 continues to drive there. Conversely, the 1391 individuals who currently live in Oregon do not

13 include scenarios such as ( c) a driver who currently is permitted and drives with Uber in the City,

14 but lives in Vancouver, Washington, or (d) a driver who drove with Uber in the City as of the

15 summer of 2015, but subsequently moved to Arizona. In sum, current residence is simply not a

16 proxy for past or present licensure. See Tab 5.

17 (5) For these reasons, and as a courtesy and to facilitate an understanding of the data

18 by PBOT, Rasier determined the actual number of affected drivers with a relationship to PBOT.

19 To do this, Rasier took the overall set of all affected drivers nationwide. It then ran analyses,

20 using other data sources, to determine which of those drivers (a) had ever been permitted in the

21 City, or regardless of permit status, (b) had ever provided a trip in the City. This number is 300

22 individuals permitted, and 328 individuals permitted or who had provided a trip. Rasier provided

23 this data electronically to PBOT and explained it by telephone. See Tab 5.

24 If the City is allowed to assess a penalty based on the theory that there was a separate

25 offense as to each driver (which, as discussed above, would be contrary to the clear language of

26 the code which only requires a single notice to the City), the calculation could only be based on,



Portland, OR 97209-4128 Phone: 503.727.2000 Fax: 503.727.2222

at most, the 300 or 328 drivers with a connection to the City, not the 1391 current Oregon

2 residents.

3 F. Allowing PBOT's Penalty Assessment to Stand Would Violate the Constitution

4 As described above, for clear statutory and factual reasons, PBOT' s penalty assessment

5 of over three million dollars ($3,475,000) is incorrect and unsupported. But even if not

6 invalidated on those grounds, this staggering penalty also is a flagrant constitutional violation as

7 both an excessive punishment under the Eighth Amendment and a violation of substantive and

8 procedural due process based on the flimsy factual record before PBOT, its mathematical

9 miscalculations, and no cognizable risk of harm or injury to consumers or the affected drivers-

10 all in the context of a municipal code violation hearing before a hearings officer (without a jury),

11 with so few affected drivers within the City's jurisdiction.

12 The Eighth Amendment to the U.S. Constitution, made applicable to the states through

13 the Fourteenth Amendment, provides that"[ e ]xcessive bail shall not be required, nor excessive

14 fines imposed." U.S. Const. amend. XIII. Under the Eighth Amendment, a fine "violates the

15 Excessive Fines Clause if it is grossly disproportional to the gravity of a defendant's offense."

16 United States v. Bajakajian, 524 U.S. 321, 334 (1998). Separately, the Due Process Clause of

17 the Fourteenth Amendment also prohibits the imposition of "grossly excessive" punitive awards.

18 TXO Production Corp. v. Alliance Resources Corp., 509 U.S. 443, 454 (1993). The courts will

19 set aside statutory civil penalties that are so "plainly arbitrary and oppressive" as to violate the

20 Due Process Clause. Sw. Tel. & Tel. Co. v. Danaher, 238 U.S. 482, 491 (1915).

21 Oregon courts have also stressed that "[a] penalty may be so excessive as to amount to a

22 deprivation of property without due process oflaw." Gooch v. Rogers, 193 Or. 158, 168, 238

23 P.2d 274, 278 (1951). "The state and federal constitutions ... impose limits upon a legislature's

24 power to prescribe severe penalties." Staley Enters., Inc. v. Dep 't of Revenue, 15 Or. Tax 63, 66

25 (1999). Specifically, "[p]enalties may not be 'grossly oppressive or disproportionate to the

26 offense' which the legislature seeks to do away with." Id. at 184.



Portland, OR 97209-4128 Phone: 503.727.2000 Fax: 503.727.2222

The penalty assessed by PBOT in this matter-$3,475,000-is grossly disproportionate

2 to the claimed offense: the alleged failure to notify the City that an outside actor accessed the

3 names and driver's license numbers of, at most, 328 Portland drivers. The City's claimed civil

4 penalty is 3,475 times what is allowed by the Code's fine schedule. See Section D, supra. The

5 claimed penalty is also arbitrary, as there is no basis for calculating the claimed penalty on a "per

6 · driver" (rather than per occurrence) basis. The City's claimed penalty is for other than remedial

7 purposes and therefore violates Rasier's procedural due process rights.

8 Additionally, where a civil penalty is imposed for retributive or deterrent purposes, rather

9 than remedial purposes, it is considered criminal in nature. Kokesh v. S.E.C., 137 S. Ct. 1635,

10 1645, 198 L. Ed. 2d 86 (2017) ("[a] civil sanction that cannot fairly be said solely to serve a

11 remedial purpose, but rather can only be explained as also serving either retributive or deterrent

12 purposes, is punishment, as we have come to understand the term.") (emphasis in original)

13 (citation omitted); see also Brown v. Multnomah Cty. Dist. Court, 280 Or. 95, 102, 570 P.2d 52,

14 57 (1977) (discussing standards that have been used "to determine whether an ostensibly civil

15 penalty proceeding remains a 'criminal prosecution' for constitutional purposes"). Where a

16 penalty is criminal in nature, the defendant must be afforded a host of procedural constitutional

17 protections, including (for example) a right to a jury trial and a heightened burden of proof,

18 neither of which have been afforded to Rasier here.

19 The City is clearly seeking retribution through its assessment of a $3,475,000 fine.

20 PBOT' s penalty assessment letter on its face purports to punish Rasier for purported "continuing

21 disregard for Portland laws and regulatory structure." See Tab 5 at 2. While Rasier adamantly

22 disputes this statement, the statement itself demonstrates the City's retributive intent in issuing

23 the purported penalty. For this reason, and all the other reasons discussed above, the claimed

24 penalty should be stricken.

25

26




Fax: 503.727.2222

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

IV. DISCUSSION OF EVIDENCE

At the hearing in this matter, Uber may submit as evidence the following:

Tab# DATE Descri~tion

1. 11/22/17 Letter from Rebecca S. Engrav (Perkins Coie) to Portland Bureau of Transportation (Leah Treat and Mark Williams), with enclosures

2. 12/1/17 Letter from City of Portland to Dara Khosrowshahi, CEO of Uber Technologies, Inc.

3. 12/15/17 Letter from Rebecca S. Engrav (Perkins Coie) to Ken McGair (Portland City Attorney's office). Redactions made for confidential and trade secret information.

4. 1123/18 Letter to Rasier, LLC from Portland Bureau of Transportation (Mark Williams)

5. 1126/18 Email referencing transmission of information by Rachel Pojunas of Uber to Mark Williams of Portland Bureau of Transportation

6. 1129/18 Penalty notice to Rasier, LLC from Portland Bureau of Transportation (Leah Treat)

To come: Summary of count of drivers by location; to be submitted after entry of an appropriate protective order to address privacy, trade secret, and confidentiality concerns

At the hearing in this matter, Rasier may call one or more lay and/or expert witnesses

who will testify about relevant facts and circumstances. Rasier may also supplement and amend

its list of evidence and may submit as evidence other relevant materials not listed in the table

above that are located or obtained through discovery or in connection with this matter, especially

in light of the size of the penalty sought by the City and the complex nature of the data at issue.

See, e.g., PCC 23 .03 .080 (broadly allowing admission of all relevant material and not unduly

repetitious evidence). For the same reason, and if submission of further materials is viewed as

part of the notice of appeal, Rasier requests leave to supplement and amend this notice of appeal

Perkins Coie LLP



Phone: 503.727.2000 Fax: 503.727.2222

· as is just and appropriate. See, e.g., PCC 22.10.030.A (allowing the Hearings Officer to waive

2 the default 10-day period for preparation of a notice of appeal).

3 v. REQUEST FOR SCHEDULING CONFERENCE

4 In order to facilitate the orderly management of this matter, Rasier respectfully requests

5 that the Hearings Officer hold a scheduling conference with the parties as soon as practicable.

6 At the scheduling conference, the Hearings Office can receive input from the parties and set such

7 orders as are necessary to allow for an orderly preparation of relevant evidence, an appropriate

8 schedule for a hearing and related briefing, and the entry of a protective order. ·see, e.g., Jack

9 Doe I v. Corp. of Presiding Bishop of Church of Jesus Christ of Latter-Day Saints, 352 Or. 77,

10 86, 280 P.3d 377, 383 (2012) ("The issuance and vacation of protective orders are matters of a

11 trial court's discretion.").

12 VI. CONCLUSION

13 For the reasons stated, the Hearings Officer should invalidate the City's claimed penalty

14 and dismiss this matter. Alternatively, if the Hearings Officer does not agree that the code

15 provision at issue is invalid, the Hearings Officer should invalidate the City's claimed penalty

16 calculation methodology and impose a penalty of $1,000, the amount prescribed by law.

17 DATED: february 12, 2018

18

19

20

21

22

23

24

25

26


PERKINS COIE LLP

By: ~~~ ErickJ. Ha ie, B o. 982482 EHaynie@p rkinscoie.com Christopher W. Rich, OSB No. 990954 [email protected]

Telephone: 503.727.2000 Facsimile: 503.727.2222

Attorneys for Rasier, LLC



Fax: 503.727.2222

1

0

PeRKINSCOle I /Cf! Third i\wnur.

Seattle. \NI\ 9B I LJ J .. 3099

0 ··· 1.20tiJ59 .8000 G . 1.201d!i9.900U

PerkinsC01e.com

November 22, 2017 Rebecca S. Engrav

[email protected]

D. + 1.206.359.6168

F. +1.206.359.7168

VIA E-MAIL

Leah Treat, Director Mark Williams, Regulatory Division Manager Portland Bureau of Transportation 1120 SW 5th Ave., Suite 800 Portland, OR 97204

[email protected] Mark. [email protected]

Re: Notification of Security Breach

Dear Ms. Treat and Mr. Williams:

We write to inform you of a data security incident at Uber Technologies, Inc. ("Uber"), the parent company of Rasier, LLC. Rasier is a licensed Transportation Network Company in the City of Portland. The incident, which was announced and reported in the media yesterday, has affected the personal information of for-hire drivers in Portland who use Uber's application for trip requests.

Uber yesterday submitted notice of the incident to the Oregon Department of Justice through its online form. A record of the submission is enclosed, but because the notice was submitted electronically, some of the information submitted is not displayed in the enclosed record. Specifically, the Brief Description of the Breach stated:

Uber was contacted by an individual who claimed he had accessed Uber user information. Uber investigated and determined that the individual and another person working with him had obtained access to certain stored copies of Uber databases and files located on Uber's private cloud data storage environment on Amazon Web Services. Uber determined the means of access, shut down a compromised credential, and took other steps intended to confirm that the actors had destroy~d and would not use or further disseminate the information. Uber also implemented additional measures to improve its security posture.

As determined by Uber and outside forensic experts, the accessed files contained user information that Uber used to operate the Uber

November 22, 2017 Page 2

service, including the names and driver's license numbers of about 600,000 Uber drivers in the United States.

Uber is in the process of providing notice to the individuals whose driver's license information was downloaded in this incident. Uber will offer 12 months of credit monitoring and identity theft protection services to these individuals free of charge, and the notice will provide information on how to use such services. A copy of the notice that will be sent to Portland-based drivers is enclosed. 1

Please do not hesitate to contact me with any questions or for more information. My contact information is above.

Sincerely,

Rebecca S. Engrav

Attachments

cc: Office of Mayor Ted Wheeler 1221 SW 4th Ave., Room 340 Portland, OR 97204 Kyle. [email protected]

Office of Commissioner Dan Satzman 1221 SW 4th Ave., Room 230 Portland, OR 97204 Tia. [email protected]

1 Although rider information (including name, email address, and mobile phone number) was present in the downloaded files, none of that information trigger notification under Oregon law. In particular, outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth were downloaded.

• •

• ABOUT us ~ EngJish oRBGo~MENT oF JUSTICE Consumer Protection

Fi hting Fraud. Protecting Oregonians.

Search the Oregon DOJ

ATTORNEY GENERAL CHILD SUPPORT

Motor Vehicles

MENU

Homes& Mortgages

CONSUMER PROTECTION

Phone, Internet &TV

CONSUMER PROTECTION CHARITIES

Sales, Scams & Fraud

ID Theft & Data Breaches

DOJ Home / Consumer Protection / ID Theft & Data Breaches / Report Data Breaches

Report Data Breaches

This submission is required by Oregon Revised Statutes 646A.604.

Scam Alert Network Report Scams & fraud

SCAM ALERT NETWORK

REPORT SCAMS & FRAUD

CRIME VICTIMS MEDIA

Credit, Loans & For Debt Businesses

Note: This form is only for use by businesses and state agencies, which are required to submit a sample notice if they experience a breach of personal information involving more than 250 Oregon

consumers. If you are a consumer who wishes to file a complaint, please use our online complaint

form.

Section 1 - Security Breach

Sample of Consumer Notice

C:\fakepath\Sample Notice.PDF

Files must be less than 100 MB Allowed file types: pdf

*

Breached Organization Name* Uber Technologies, Inc.

Address 1455 Market Street

-!<=required

City San Francisco

State California

Zip Code 94103

Date( s) of Breach (if known)

Start Date

10/13/2016

End Date

11/15/2016

Date( s) of Discovery of Breach

11/14/2016 +

+

Date(s) Individual Notice Provided to Consumers

11/22/2017 +

Was notification delayed because of a law enforcement

investigation?

No

Type of Personal Information Involved in the Breach (select

all that apply) (CTRL +click) Biometric (measurements of physical characteristics used to auther Credit or Debit Card Number Driver's license or State Identification Card Number Financial Account Number Health Insurance Information Medical Information Passport or other number issued by the United States Social Security Number Information

Brief Description of the Breach (1000 Character max)

Uber was contacted by an individual who claimed he had accessed Uber user information. Uber investigated and determined that the individual and another person working with him had obtained access to certain stored copies of Uber

databases and files located on Uber's private cloud data storage environment on Amazon Web Services. Uber determined the means of access, shut down a compromised credential, and took ,.. other steps intended to confirm that the actors had destroyed and ,,;

Report Type Initial Breach Report

Number of Oregon Consumers Affected by the Breach

250 or More Individuals

Approximate Number of Oregonians Affected by the Breach

1173

Approximate Number of Individuals Affected by the Breach

600000

Type of Breach

Other

Was Substitute Notice Given (ORS 646.604(4)(d))? No

Was Media Notice Given?

No

Section 2 - Information For Law Enforcement Purposes The information provided in Section 2 is for Department of Justice use only.

Name of company contact or attorney whom the Attorney

General may contact for further information? Rebecca S. Engrav, Perkins Coie LLP

Address :Check if the address is the same as organization.

1201 Third Ave, Suite 4900

City

Seattle

State Washington

Zip Code 98101

Telephone Number

206-359-6168

Email Address [email protected]

Was a law enforcement agency notified regarding the

breach?

No

Was a police report filed?

No

Submit

- TWEET f SHARE

• In SHARE ri EMAIL

Motor Vehicles

Leasing a Vehicle

Service Contracts

Towing

Other Vehicle Resources

Buying a Vehicle

Q PRINT

Lemon Law

Homes & Mortgages

Mortgage & Foreclosure Fraud

Mortgage Help for Oregon Homeowners

Foreclosure Avoidance Program

Home Maintenance

Phone, Internet & TV

Internet Providers

Cable & Satellite TV

Online Safety

Report a Do Not CallViolation

Sales, Scams & Fraud

Report Scams & Fraud

Join the Scam Alert Network

Search Consumer Complaints

Request Free Fraud Prevention Training

Consumer Protection Materials Order Form

Medicaid Fraud

Free Trial Offers

Door-To-Door Sales

Gift Cards

Timeshares

Employment Scams

Fitness Clubs & Health Spas

Price Gouging

Telemarketing

More Scams & Fraud Resources

ID Theft & Data Breaches

Data Breaches

Identity Theft

Credit, Loans & Debt

Personal Finances

Education Debt

Debt Collection

For Businesses

How to Respond to a Contact From the Oregon DOJ

Resources for Businesses

Connect

W Twitter

• In Linkedln

Contact Consumer Protection

Contact the Oregon DOJ

Email the DOJ Webmaster

Oregon DOJ Privacy Policy

Legal Notice

Oregon Consumer Protection SITE MAP

1455 Market Street Return Mail Processing P.O. Box 589 Claysburg, PA 16625-0589

San Francisco, CA 94103 UBER.com

##D2700-L01-0123456 0001 00000001**************9-0ELZZ123 SAMPLE A SAMPLE APT ABC 123ANYST

~~ ~

ANYTOWN, US 12345-6789 1•I11111IIp111111.1h11 l1l II 1IIIIIIII111I1 111 l1 1l1I11l 1h111I1 h

November 22, 2017

NOTICE OF DATA BREACH

Dear Sample A Sample:

I am writing to let you know about a data security incident at Uber that affected your information. Uber deeply regrets that this happened and we recommend that you closely review the information in this letter.

What Happened In November 2016, Uber learned that unauthorized actors obtained access to a private cloud storage environment used by Uber. They accessed stored copies of Uber databases and files. To the best of our knowledge, the unauthorized access began on October 13, 2016 and ended no later than November 15, 2016.

What The accessed files contained user information that Uber used to operate the Uber Information service, including your name and driver's license number. The files included Was Involved this information for about 600,000 Uber drivers in the United States.

What We Are We have made changes to our data storage environment and security procedures Doing to decrease the chance of a similar occurrence in the future. To assist you, we

are also providing identity theft protection and mitigation services from Experian, including credit monitoring, for twelve (12) months at no cost to you. See details below.

What You Can We recommend enrolling in Experian IdentityWorkssM and reviewing the Do additional information below.

For More If you have any questions regarding this incident or if you desire further Information information or assistance, please contact (844) 439-7669.

Again, and on behalf of everyone at Uber, I am sorry that this happened. Drivers like you are at the heart of our service. Simply put, Uber wouldn't exist without you and we thank you for your partnership.

Sincerely,

Dara Khosrowshahi Chief Executive Officer

0123456

r-.'~'1·~ ~

D2700-L01

Activate Experian IdentityWorkssM

We encourage you to activate the fraud detection tools available through Experian IdentityWorks8M as a complimentary one-year membership. This product provides you with superior identity detection and resolution of identity theft. To start monitoring your personal information please follow the steps below:

• Ensure that you enroll by: February 28. 2018. (Your code will not work after this date.)

• Visit the Experian IdentityWorks website to enroll: www.experianidworks.com/3bcreditone

• Provide your activation code: ABCDEFGHI

Additionally, complimentary Identity Restoration assistance is immediately available to you. If you believe there was fraudulent use of your information and would like to discuss how you may be able to resolve those issues, please reach out to an Experian agent. If, after discussing your situation with an agent, it is determined that identity restoration support is needed then an Experian Identity Restoration agent is available to work with you to investigate and resolve each incident of fraud that occurred (including, as appropriate, helping you with contacting credit grantors to dispute charges and close accounts; assisting you in placing a freeze on your credit file with the three major credit bureaus; and assisting you with contacting government agencies to help restore your identity to its proper condition).

Please note that this offer is available to you for one year from the date of this letter and does not require any action on your part at this time.

The Terms and Conditions for this offer are located at www.ExperianlDWorks.com/restoration. You will also find self-help tips and information about identity protection at this site.

If you have questions about these products, need assistance with identity restoration or would like an alternative to enrolling in Experian IdentityWorks online, please contact Experian's customer care team at (844) 439-7669 by February 28. 2018. Be prepared to provide engagement number as proof of eligibility for the identity restoration services by Experian.

Additional Steps You Can Take

Learn More and Report Suspected Identity Theft

You are encouraged to contact the Federal Trade Commission (FTC), law enforcement, or your state attorney general's office to report incidents of suspected identity theft or to learn about steps you can take to protect yourself from identity theft. You can contact the FTC at:

Federal Trade Commission 600 Pennsylvania Avenue, NW Washington, DC 20580 (877) IDTHEFT (438-4338) www.identitytheft.gov

If you find that your information has been misused, the FTC encourages you to file a complaint with the FTC and to take these additional steps: (1) close the accounts that you have confirmed or believe have been tampered with or opened fraudulently; and (2) file and keep a copy of a local police report as evidence of the identity theft crime.

You can contact the nationwide consumer reporting agencies at:

Equifax P.O. Box 105788 Atlanta, GA 30348 (800) 525-6285 www.equifax.com

Experian P.O. Box 9554 Allen, TX 75013 (888) 397-3742 www.experian.com

2

Trans Union P.O. Box 2000 Chester, PA 19016 (800) 680-7289 www.transunion.com

D2700-L01

You should remain vigilant for incidents of fraud, identity theft, and errors by regularly reviewing your account statements and monitoring free credit reports. If you discover any suspicious or unusual activity on your accounts, be sure to report it immediately to your financial institutions, as major credit card companies have rules that restrict them from requiring you to pay for fraudulent charges that are timely reported.

Obtain Your Credit Reports

You should also monitor your credit reports. You may periodically obtain free credit reports from each nationwide consumer reporting agency. If you discover inaccurate information or a fraudulent transaction on your credit report, you have the right to request that the consumer reporting agency delete that information from your credit report file.

You have rights under the federal Fair Credit Reporting Act (FCRA). These include, among others, the right to know what is in your file; to dispute incomplete or inaccurate information; and to have consumer reporting agencies correct or delete inaccurate, incomplete, or unverifiable information. For more information about the FCRA, please visit www.consumer.ftc.gov/articles/pdf-0096-fair-credit-reporting-act. pdf or www.ftc.gov.

Place a Fraud Alert or Security Freeze on Your Credit Report File

A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you. You should know that it also may delay your ability to obtain credit. You may place a fraud alert in your file by calling just one of the three nationwide consumer reporting agencies listed above. As soon as that agency processes your fraud alert, it will notify the other two agencies, which then must also place fraud alerts in your file. An initial fraud alert will last 90 days. An extended alert stays on your file for seven years. To place either of these alerts, a consumer reporting agency will require you to provide appropriate proof of your identity, which may include your Social Security number. If you ask for an extended alert, you will have to provide an identity theft report.

A security freeze, sometimes called a credit freeze, is designed to prevent credit, loans, and services from being approved in your name without your consent. You should know that it also may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing or other services. Unlike a fraud alert, you must separately place a security freeze on your credit file by sending a request to each of the three major credit reporting agencies listed above. When you place a security freeze on your credit report, you will be provided with a personal identification number, password, or similar device to use if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report to a specific party or parties or for a specific period of time after the freeze is in place. In order to request a security freeze, you will need to provide the following information:

1. Your full name (including middle initial as well as Jr., Sr., II, ill, etc.); 2. Social Security number; 3. Date of birth; 4. If you have moved in the past five (5) years, the addresses where you have lived over the prior five

years; 5. Proof of current address such as a current utility bill or telephone bill; 6. A legible photocopy of a government issued identification card (state driver's license or ID card,

military identification, etc.); 7. If you are a victim of identity theft, a copy of either the police report, investigative report, or

complaint to a law enforcement agency concerning identity theft; 8. If you are not a victim of identity theft, payment by check, money order, or credit card (Visa,

MasterCard, American Express or Discover only). Do not send cash through the mail.

3

0123456

r.·~ ~

D2700-L01

With certain exceptions, a consumer reporting agency may charge you a fee to place a freeze on your credit report, to temporarily lift a freeze on your credit report, or to remove a freeze from your credit report.

IF YOU ARE A MARYLAND RESIDENT: You may obtain information about steps you can take to avoid identity theft from the Maryland Attorney General's Office. This office can be reached at:

Office of the Attorney General Consumer Protection Division 200 St. Paul Place Baltimore, MD 21202 (410) 576-6491 www.oag.state.md. us

IF YOU ARE A NORTH CAROLINA RESIDENT: You may obtain information about preventing identity theft from the North Carolina Attorney General's Office. This office can be reached at:

North Carolina Department of Justice Office of the Attorney General 9001 Mail Service Center Raleigh, NC 27699-9001 (877) 566-7226 http://www.ncdoj.gov

IF YOU ARE A RHODE ISLAND RESIDENT: You have the right to obtain a police report in regard to this incident, and if you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it. Additionally, you may obtain information about preventing identity theft from the Rhode Island Attorney General's Office. This office can be reached at:

Rhode Island Office of the Attorney General 150 South Main Street Providence, RI 02903 (401) 274-4400 http://www.riag.ri.gov/

IF YOU ARE A RESIDENT OF OTHER STATES: Your state attorney general's office and website may also provide relevant information.

4 D2700-L01

2

CllYOF

PORTLAND, OREGON

December 1, 2017

Mr. Dara Khosrowshahi Uber Technologies, Inc 1455 Market Street San Francisco, CA 94103

Dear Mr. Khosrowshahi,

Dan Saltzman, Commissioner · 1221 S.W. 4th Avenue, Room 230

Portland, Oregon 97204 Telephone: (503) 823-4151

Fax: (503) 823-3036 [email protected]

I was alarmed to learn that on Tuesday, November 21 Uber disclosed a year-old data breach that reportedly exposed the personal information of millions ofUber's customers and drivers. According to the November 21 New York Times article, "Uber hid 2016 Breach, paid Hackers to delete stolen data." Uber reportedly paid the hackers $100,000.00 to delete these stolen files, presumably to conceal this data breach from consumers, regulators and the public.

As a permitted Private for Hire company in Portland, Uber Technologies, Inc./Rasier, LLC ("Uber") must protect the type of personal account information that was compromised. Furthermore, Uber Technologies is obligated to notify the City of any data breach in accordance with the Oregon Consumer Identity Theft Protection Act (ORS 646A.600 to 646A.628). The statutory language is very clear on these points:

"No TNC Company or Driver may allow any unauthorized person to intentionally access any records produced by the digital records systems. "'PCC 16.40.240 K3.

The TNC shall notify the City of a known data security breach in the same manner as provided in ORS 646A.600 to ORS 646A.628." PCC 16.40.240 K4.)

As referenced, ORS 646A.604, states " ... The person shall notify the consumer in the most expeditious manner possible, without unreasonable delay, consistent with the legitimate needs of law enforcement described in subsection (3) of this section ·and consistent with any measures that are necessary to determine sufficient contact information for the affected consumer, determine the scope of the breach of security and restore the reasonable integrity, security and confidentiality of the personal information. "

On November 22,··2017 ;the City·ofPortland received a letter from Rebecca Engrav acknowledging the November 14, 2016 breach of 600,000 Uber driver's license information. A. copy of the Notice filed with the Consumer Protection Division of the Oregon Department of Justice was attached. This Notice detailed noting that 1173 of the accounts compromised were Oregon accounts - presumably driver accounts. We have been informed by the Oregon

Department of Justice that the breach notification has since been amended to reflect additional account information related to Oregon Uber drivers. Further, Ms. Engrav asserts in a footnote that while rider information was compromised it does not trigger a notification under Oregon

································-"----Law...Due-ro-the--nature-and-seepe-ofthis-data-breaclnurdi:tber'-riailure-ro-aiercany-reguiatofy _______________________________ _ body or member o_f the public, any information, including the number of customer rider accounts that were compromised in any way, should be disclosed to the City of Portland.

Uber's past actions in the City of Portland have been severely problematic. To now learn that Uber deliberately concealed a massive data breach involving both customer and driver information for a period of over. a year adds to the already strained relationship the City has with Uber. As such, in accordance with PCC 16.40240 L. the City is requesting the following · information:

1. Provide us with the number of drivers whose personal information was compromised in· the breach were permitted by the City of Portland, and how you determined the number

· of Oregon licensed driver accounts that were compromised by this data breach. 2. ·Provide us with the number of Uber riders listing a home address in Portland who had

their name, or e-mail address, or phone number, or other personal information compromised by this data breach.

3. Provide us with an affirmative statement that Uber has not violated any other Portland rules, regulations or Oregon State laws since Portland City Code was adopted in January 2016.

4. Provide us with a copy ofUber's company policy on reporting data and security breaches.

Please provide responses to the inquiries stated above by close of business December 15, 2017.

All subsequent communications regarding this matter shall be directed to City Attorney Tracy Reeve and Senior Deputy City Attorney Ken McGair.

Sincerely,

'011o Dan Saltzman

c: Rebecca Engrav, Perkins Coie Mayor Ted Wheeler Commissioner Chloe Eudaly Commissioner Nick Fish Commissioner Amanda Fritz Attorney General, Ellen Rosenblum

3

. PeRKINSCOle

December 15, 2017

VIA EMAIL: [email protected]

Ken McGair Senior Deputy City Attorney Portland Office of the City Attorney 1221 S.W. 4th Avenue, Room 430 Portland, OR 97204

Re: Uber Data Security Incident

Dear Mr. McGair:

0 )Ui JfiC) 800C G · I ?Ul.l!19 9001:

Rebecca S. Engrav

[email protected]

D. +l.206.359.6168

F. +l.206.359:7168

Thank you for the time your office spent speaking with us on the phone this week regarding Commissioner Saltzman's letter dated December 1, 2017 and, more generally, the Uber data security incident recently announced by the company. We thought it was ve1y productive to share infonnation with you about the facts and circumstances of this incident on our telephone call. We respond below to the specific questions in Commissioner Saltzman 's letter, but we are fmther happy to continue to share infonnation should you have additional questions or desire fmther clarifications.

1. Provide us with the number of drivers whose personal information was compromised in the breach were permitted by the City of Portland, and how you determined the number of Oregon licensed driver accounts that were compromised by this data breach.

Uber does not have a ready means of detennining w uc i of the drivers in the data set were penuitted by the City of Po1tland at the time the files were created (or at the time they were downloaded by outside actors).

Uber detemliued the number of individuals who: (a) had a driver's license number in the downloaded files and b a ear to reside in Ore on, throu h:

Dnvers prov1 e a ·ess 111 onnahon at s1g11up, and Uber oes not contact drivers by mail, so this infonnation may not be c01Tect or cunent in all cases. Uber provided this infonuation to its mailing vendor, who ran the list through National

138078348.l

KenMcGair December 15, 201 7 Page 2

Change of Address and updated addresses accordingly. ill addition, Uber reviewed non-standard address entries to assign a state where paitial address infonnation was available. Where no street address infonnation was available, Uber matched the records to the city in which the driver had signed up to drive to detennine the likely state ofresidence. In total, Uber notified 1391 cfrivers that a ear to live in Ore on, and a roximatel 400 of these have cunent addresses in Po1tland.

an thus Uber cannot say how many Oregon licensed drivers were affected specifically, w nc i may be slightly different from the number above if individuals' state of residence is not the same as state of licensure.

2. Provide us with the number of Uber riders listing a home address in Portland who had their name, or e-mail address, or phone number, or other personal information compromised by this data breach.

Please note that under Oregon law (as well as the laws of all other U.S. states), it is the driver's license number that here triggered breach rep01ting. Under the law of Oregon and other states, exposure of name, email address, and phone number does not constitute a repo1table breach or trigger notification requirements. Thus, Uber has not analyzed the data set to detennine state of residence for the users without a driver's license in the data set. If it were to tly to do so to satisfy general interest and curiosity, there would be challenges. The Uber app does not require riders to provide home address infonnation as palt of the sign-up process. Accordingly, even fmiher analysis using data in Uber's systems would be incomplete.

3. Provide us with an affirmative statement that Uber has not violated any other Portland rules, regulations or Oregon State laws since Po1·tland City Code was adopted in January 2016.

Executives and management at Uber deeply regret that this incident occuned and that Uber did not publicly disclose it at the time. The fact that Uber is now doing so, as well as its tennination of two of the individuals who led the handling of the incident in the fall of 2016, is a clear example of the path being chaited by the new CEO, the new General Counsel, and ctment executives and management. As the new CEO stated in his blog post announcing this incident, "None of this should have happened, and I will not make excuses for it. While I can't erase the past, I can co1ll111it on behalf of eve1y Uber employee that we will leam from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to eam the tl11st of our customers." See https:/Avvvw.uber.com/newsroom/2016-data-incident/. As Uber moves fotward, its executives and management intend to continue to share infom1ation honestly and forthrightly about this and other matters.

138078348-1

KenMcGair December 15, 2017 Page 3

4. Provide us with a copy of Uber's company policy on reporting data and security breaches.

As discussed in our phone conversation on December 13, 2017, we will produce these documents shortly after we finalize in writing an agreement that such materials are to be treated confidentially under the Data Insight Agreement. (Detailed information about data security matters is not normally shared in great detail with the general public as a whole because, if the information gets into the hands of malicious actors, it can give them insight into how to structure a future attack on the systems or data of Uber or another technology company. Thus, the information is appropriately exempt from public records act requests.)

* * * We hope that the above information is of assistance to you. Please let me know if you have further questions or desire additional information.

Very truly yours,

Rebecca S. Engrav

138078348.1

4

POllTll.Ai'llD l!JIJIUAU 01' TllANSPOll"l"ATION

1120 SW Fifth Avenue, Suite SOil Portland, OR 97204 503.823.5185

Fax 503.823.1576 TTY 503.823.6861'! www.portlan!!oregon.gov/transportaitlon

Dan Saltzman Commissioner LHh Treat Director

January 23, 2018

Sent via email as requested to: \f1i;;L1C:i1PQlUlli1;:>(Ci)~!!)ef,yom Raiser, LLC Attn: Rachel Pojunas 700 SW 5th Ave. #4000, 3rd Floor Portland, OR 97204

Dear Rachel:

RECEIVED

JAN 25 2017

PERKINS COIE LLP

On December 15, 2017, Rebecca Engrnv, from Perkins Coie, representing Uber, sent a letter to Portland Senior Deputy City Attorney Ken McGair regarding 'Uber Data Security Incident'. In that letter, Ms. Engrav stated that Uber notified the City and the State of Oregon that 1,391 drivers who live in Oregon were affected by a data breach that occurred in November of 2016. According to the letter, of those 1,391 drivers, approximately 400 nave current addresses in Portland.

We are requesting more information about these drivers. By end of business day on January 26, 2018, please provide the names and driver's license number of each of the possible 1,391 drivers compromised by the data breach who possess a City of Portland Business License. Obviously, these names will better help us determine which drivers have been certified to provide private for hire services in the City of Portland. Once this information has been uploaded to the established secure FTP site, please contact me via phone or email.

Please feel free to contact Senior Deputy City Attorney Ken McGair at 503.823.4047 or me with any questions you may have.

( i' i •.. \,'.I J ~.·

··~r~WHllams Heg'Ulatory Divisions Manager

c: Ken McGair Rebecca Engrav

t!H' Pnt!lund Oru(:r;u of Y.101l'l//(1iJ'nt'ion /ufly 1 Oil'lf)IU~\ i.Vf!h !rt/(' W o{ Ci1li/ N1f;IH~ ,An oj i9<)>.i, ihl' ,;~DA titlr 11, nn(/

1 dn111rJ i,:rut1 tf (''; rn 1d 1egulnr1011<.; uJ olt 111 o.t;t !unir 1'Uld odivilil"'\, ro1 utcnn11rrodrnion\, tornpf(nnr'; nnrf infn11notion, coll (1_)03) i?l.1-<il tVi, cny f'!Y (::;rrn 82.'.J ,(Jr'.N:JJ, 01 use Ou-'8on fiPhW 7 l r

5

2/9/2018 Uber Mail - RE: Uber Call Follow Up

UBER Rachel Pojunas <[email protected]>

RE: Uber Call Follow Up

Rachel Pojunas <[email protected]> Fri, Jan 26, 2018 at 5:58 PM To: "Williams, Mark" <[email protected]> Cc: Rachel Greenberg <[email protected]>, "McGair, Ken" <[email protected]>, "Benson, Dave" <[email protected]>, Candace Kelly <[email protected]>, Matt Neururer <[email protected]>

Hi Mark,

As a follow up to our conversation this afternoon, we have uploaded a file to the ftp site with the names, email addresses, and current driver's license numbers for all Uber driver-partners who (1) received notice of the data breach, and (2) have (or have had) a Portland business license, or have accepted a trip request in Portland. The file name is portland_breached_dl_plus_dl_num.xlsx.

Please let us know if you would like us to also provide for these driver-partners the driver's licenses numbers that were on file at the time of the data breach, or if you have any questions.

Have a wonderful weekend.

Best regards, Rachel

Rachel Pojunas

Senior Counsel (Licensed only in NY and DC)

[email protected] I uber.com

[Quoted text hidden]

https://mail.google.com/mail/u/O/?ui=2&ik=f535e42a37&jsver=5L3RpKOutOI.en.&view=pt&msg=l613556lcd4aa768&search=sent&siml=l6135561cd4aa768 1/1

6

1120 SW Fifth Avenue, Suite 800 Portland, OR 97204 503.823.5185

Fax 503.823.7576 TTY 503.823.6868 www.portlandorcgon.gov/transportation

Dan Saltzman Commissione~· Leah Treat Dii·ector

Raiser, LLC Attn: Matt Neururer 700 SW 5th Ave. #4000, 3rd Floor Portland, OR 97204

BY ELECTRONIC MAIL, US FIRST CLASS MAIL AND CERTIFIED MAIL

January 29, 2018

Re: Penalty for violation of Portland City Code Chapter 16.40.240

Dear Mr. Neururer:

In late November of 2017, we learned that Uber Technologies, Inc. the parent of its wholly owned subsidiary Raiser, LLC (collectively "Uber") was the subject of a massive data breach. This breach impacted millions of drivers and riders across the United States and the world. In a November 22, 2017 letter we received from Perkins Coie, we learned that 1391 Oregon drivers had their personal information disclosed. Uber also reported the data breach to the Oregon Department of Justice Department of Consumer and Business Services Consumer Protection section ("Oregon DOJ'') as required by ORS 646A.604. The notice to both the City and the Oregon DOJ noted that the breach began on October 13, 2016 and ended on November 15, 2016. Uber discovered the breach on November 14, 2016.

A breach of a consumer's personal information occurs when a consumer's name is disclosed in combination with any one or more identifying elements [(ORS 646A.602(1 )(a), (11 )]. In the November 22, 2017 report submitted to the Oregon DOJ and the City, Uber did not dispute this and identified that the names and Driver's License or State Identification Card Numbers of approximately 60 million accounts were accessed, noting that 1, 1731 were Oregonians.

According to media reports and Uber's own reporting of the breach, Uber's leadership knew about the breach for at least a year. In addition, Uber paid $100,000 to recover the lost records. Finally, Uber failed to notify either the State of Oregon or the City of Portland as required by Oregon Law and Portland City Code (16.40.240, K. 4) until sending the November 22, 2017 letter, more than a year after the initial breach and its discovery.

1 In its initial report to the DOJ and City Uber reported 1,173 Oregonians affected by the breach. In a follow up letter from Perkins Coie to the City on December 15, 2017 this number was revised to 1,391.

llPage

Uber has had a difficult relationship with the City of Portland dating back to December 2014. In 2014, Uber used a tactic that has become widely known and reported as Greyballing to thwart regulators while Uber was attempting to illegally establish operations in Portland. The failure to report the data breach to those affected and the state and City as required by state law and City Code shows a continuing disregard for Portland laws and regulatory structure for private for-hire operators. It is a clear violation of the data reporting requirement in Portland City Code 16.40.240 K.4. which provides:

16.40.240 TNC Company Operating Responsibilities and Prohibitions

K. Digital Record Requirements. Secure, digital records with contact information from TNC Drivers and TNC passengers shall be maintained by the TNC. Such records shall provide a verifiable way to identify drivers and riders for investigatory purposes. Secure digital records must be maintained in accordance with the following requirements:

4. The TNC shall notify the City of a known data security breach in the same manner as provided in ORS 646A.600 to ORS 646A.628.

M. Failure to comply with any provision in Section 16.40.240 is a Class B violation subject to penalties provided in Sections 16.40.930 through 16.40.950.

In accordance with Portland City Code 16.40.930, we are imposing a fine of $3,475,000.00. Each violation is a separate offense which carries a penalty. As noted, the violations for failure to report a breach of personal information is a Class B violation. In total, Uber has noted 1,391 violations subject to penalty. The violations began on November 14, 2016. Under the penalty table provided in 16.40.930, a first offense of a Class B violation is punishable by a $1000 penalty. The second offense of this Class B violation is punishable by a $1500 penalty. The third, and each subsequent offenses are Class B violations punishable by a $2500 penalty. The penalty for violations of PCC 16.40.24 K.4. breaks down as follows:

1st driver 2nd driver

1389 drivers

$1,000.00 $1,500.00 $ 2,500.00

$ 1,000.00 $ 1,500.00

$ 3,472,500.00 $ 3,475,000.00

The penalty for these violations could also include suspension or revocation of Uber's operating permit. Despite the volume of violations, we are not suspending or revoking the operating permit at this time.

Please Remit Payment to: City of Portland - Accounting Division Attn: General AR PO Box 5066 Portland, OR 97208-5066

(Check or money orders only)

21Page

If you believe that this determination is not consistent with City Code, you may request an appeal before a Code Hearings Officer under the provisions of Portland City Code Chapter 22.10. To arrange a hearing, the Code Hearings Office must receive your written request no later than 10 business days after the date of this determination. Your written request must include a description of what you believe makes this determination invalid along with copies of any evidence you wish to submit. Hand-deliver your written request to:

City of Portland Code Hearings Office 1900 SW 4th Avenue Room 3100 Portland, OR 97201 Monday - Friday from 8:30am to 12:00pm and 1 :OOpm to 4:30pm http://www.portlandoregon.gov/hearings/ Phone 503-823-7307 Fax 503-823-434 7

You will receive an acknowledgement from the Code Hearings Office if you submit an appeal request. Please note that if you request an appeal, the decision in this letter will be stayed until the Hearings Officer makes a final determination.

Sincerely,

Leah Treat

cc: Dave Benson, Parking Group Manager Mark Williams, Regulatory Division Manager Matthew Erickson - Program Manager Ken McGair, Sr. Deputy City Attorney Rebecca Engrav, Perkins Coie

3IPage

Documents

Portland City Auditor - oregonlivemedia.oregonlive.com/roadreport_impact/other/Statement of... · 2018-03-13 · Portland City Auditor Hearings Office 1900 SW 4'0 Avenue, Room 3100,