Upload
others
View
5
Download
0
Embed Size (px)
Citation preview
Portland City Auditor Hearings Office 1900 SW 4'0 Avenue, Room 3100, Portland, OR 97201
www .portlandoregon.gov/ auditor /hearings
phone: (503) 823-7307
fax: (503) 823-4347
APPEAL HEARING REQUEST FORM (See reverse for instructions on submitting this form.)
*=Required Information. Failure to submit all required information will cause your request to be denied.
*1. Appellant: Raiser, LLC
2. Contact Name (if different than Appellant): Erick Haynie (Attorney for Appellant)
*3. Mailing Address: 700 SW 5th Ave. #4000, 3rd Floor, Portland, OR 97204
*4. Telephone: 866.576.1039
5. Attorney's (if any) Name: Erick Haynie
6. Attorney's Mailing Address: 1120 NW Couch St., Portland, OR 97209
7. Attorney's Phone Number: 503.727.2017
*8. Does your request involve being excluded from a City Park? Yes D No li'.'.'.f
*9. Does your request involve a suspension or revocation of a license? Yes D No 0 *10. Why do you believe the City Bureau's decision/determination is invalid, unauthorized, or otherwise
improper? (Attach additional sheets, if needed).
See attached.
11, If your request is late, please explain why. (Attach additional sheets, if needed):
By signing below, I certify that all information is true and complete to the best of my knowledge. If Appellant is other than an individual, I certify (by signing below) that I am a duly-authorized representative.
• 1,,-,;) &· ~,.; Date
In compliance with Civil Rights laws, it is the policy of the City of Portland that no person shall be excluded from participation in, denied the benefits of, or be subjected to discrimination in any City program, service, or activity on the grounds of race, color, national origin, or disability. To help ensure equal access to City programs, services, and activities, the City of Portland reasonably provides: translation and interpretation services, modifications, accommodations, auxiliary aides and services, and alternative format. For these services, complaints, and additional information, contact 503-823-7307, use City TTY 503-823-6868, or use Oregon Relay Service: 71 I.
PORTLAND BUREAU OF TRANSPORTATION
1120 SW Fifth Avenue. Suite 800 Portland, OR 97204 503.823.5185
Fax 503.823.7576 TTY 503.823.6868 www.portlandoregon.gov/transportation
Dan Saltzman Commissioner Leah Treat Director
Raiser, LLC Attn: Matt Neururer 700 SW 5th Ave. #4000, 3rd Floor Portland, OR 97204
BY ELECTRONIC MAIL, US FIRST CLASS MAIL AND CERTIFIED MAIL
January 29, 2018
Re: Penalty for violation of Portland City Code Chapter 16.40.240
Dear Mr. Neururer:
In late November of 2017, we learned that Uber Technologies, Inc. the parent of its wholly owned subsidiary Raiser, LLC (collectively "Uber") was the subject of a massive data breach. This breach impacted millions of drivers and riders across the United States and the world. In a November 22, 2017 letterwe received from Perkins Coie, we learned that 1391 Oregon drivers had their personal information disclosed. Uber also reported the data breach to the Oregon Department of Justice Department of Consumer and Business Services Consumer Protection section ("Oregon DOJ") as required by ORS 646A.604. The notice to both the City and the Oregon DOJ noted that the breach began on October 13, 2016 and ended on November 15, 2016. Uber discovered the breach on November 14, 2016.
A breach of a consumer's personal information occurs when a consumer's name is disclosed in combination with any one or more identifying elements [(ORS 646A.602(1)(a), (11)]. In the November 22, 2017 report submitted to the Oregon DOJ and the City, Uber did not dispute this and identified that the names and Driver's License or State Identification Card Numbers of approximately 60 million accounts were accessed, noting that 1, 1731 were Oregonians.
According to media reports and Uber's own reporting of the breach, Uber's leadership knew about the breach for at least a year. In addition, Uber paid $100,000 to recover the lost records. Finally, Uber failed to notify either the State of Oregon or the City of Portland as required by Oregon Law and Portland City Code (16.40.240, K. 4) until sending the November 22, 2017 letter, more than a year after the initial breach and its discovery.
1 In its initial report to the DOJ and City Uber reported 1,173 Oregonians affected by the breach. In a follow up letter from Perkins Coie to the City on December 15, 2017 this number was revised to 1,391.
llPage
Uber has had a difficult relationship with the City of Portland dating back to December 2014. In 2014, Uber used a tactic that has become widely known and reported as Greyballing to thwart regulators while Uber was attempting to illegally establish operations in Portland. The failure to report the data breach to those affected and the state and City as required by state law and City Code shows a continuing disregard for Portland laws and regulatory structure for private for-hire operators. It is a clear violation of the data reporting requirement in Portland City Code 16.40.240 K.4. which provides:
16.40.240 TNC Company Operating Responsibilities and Prohibitions
K. Digital Record Requirements. Secure, digital records with contact information from TNC Drivers and TNC passengers shall be maintained by the TNC. Such records shall provide a verifiable way to identify drivers and riders for investigatory purposes. Secure digital records must be maintained in accordance with the following requirements:
4. The TNC shall notify the City of a known data security breach in the same manner as provided in ORS 646A.600 to ORS 646A.628.
M. Failure to comply with any provision in Section 16.40.240 is a Class B violation subject to penalties provided in Sections 16.40.930 through 16.40.950.
In accordance with Portland City Code 16.40.930, we are imposing a fine of $3,475,000.00. Each violation is a separate offense which carries a penalty. As noted, the violations for failure to report a breach of personal information is a Class B violation. In total, Uber has noted 1,391 violations subject to penalty. The violations began on November 14, 2016. Under the penalty table provided in 16.40.930, a first offense of a Class B violation is punishable by a $1000 penalty. The· second offense of this Class B violation is punishable by a $1500 penalty. The third, and each subsequent offenses are Class B violations punishable by a $2500 penalty. The penalty for violations of PCC 16.40.24 K.4. breaks down as follows:
1st driver 2nd driver
1389 drivers
$1,000.00 $1,500.00 $ 2,500.00
$1,000.00 $1,500.00
$ 3,472,500.00 $ 3,475,000.00
The penalty for these violations could also include suspension or revocation of Uber's operating permit. Despite the volume of violations, we are not suspending or revoking the operating permit at this time.
Please Remit Payment to: City of Portland - Accounting Division Attn: General AR PO Box 5066 Portland, OR 97208-5066
(Check or money orders only)
21Page
If you believe that this determination is not consistent with City Code, you may request an appeal before a Code Hearings Officer under the provisions of Portland City Code Chapter 22.10. To arrange a hearing, the Code Hearings Office must receive your written request no later than 10 business days after the date of this determination. Your written request must include a description of what you believe makes this determination invalid along with copies of any evidence you wish to submit. Hand-deliver your written request to:
City of Portland Code Hearings Office 1900 SW 4th Avenue Room 3100 Portland, OR 97201 Monday - Friday from 8:30am to 12:00pm and 1 :OOpm to 4:30pm http://www.portlandoreqon.gov/hearings/ Phone 503-823-7307 Fax 503-823-4347
You will receive an acknowledgement from the Code Hearings Office if you submit an appeal request. Please note that if you request an appeal, the decision in this letter will be stayed until the Hearings Officer makes a final determination.
Sincerely,
Leah Treat
cc: Dave Benson, Parking Group Manager Mark Williams, Regulatory Division Manager Matthew Erickson - Program Manager Ken McGair, Sr. Deputy City Attorney Rebecca Engrav, Perkins Coie
3IPage
2
3
4
5
6
7 Rasier, LLC,
8
9 v.
BEFORE THE CITY OF PORTLAND CODE HEARINGS OFFICE
Appellant,
Case No.
STATEMENT OF GROUNDS FOR ADMINISTRATIVE APPEAL
By Rasier, LLC 10 Portland Bureau of Transportation,
11 Appellee.
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
I. INTRODUCTION
The Portland Bureau of Transportation ("PBOT" or the "City") has levied an
unprecedented civil penalty against Rasier, LLC, a wholly owned subsidiary of Uber
Techn~logies, Inc., 1 for allegedly violating a local code provision requiring transportation
network companies ("TN Cs") to report data breaches to the City. The penalty should be struck
down for three reasons. First, the code provision is invalid because PBOT lacks authority to
. regulate data security incidents. Second, even if the code provision were valid, Rasier complied
with the code: it is uncontested that Rasier provided notice in November 2017, and notice is all
that is required. Third, even ifthe code provision is a valid exercise of PBOT's authority, and
even if Rasier violated the code provision, the code unambiguously permits only a $1000
penalty, total. Engaging in breathtaking overreach to fill its coffers, however, the City instead
imposed a penalty in the amount of $3,475,000-over three thousand times the maximum
1 Uber Technologies, Inc. ("UTI") is the technology company that developed the Uber app. Rasier, LLC ("Rasier") is a subsidiary ofUTI and is a TNC that makes the Uber app available to drivers. UTI, Rasier, and their affiliates sometimes are referred to collectively herein as "Uber."
Perkins Coie LLP
PAGE 1- STATEMENT OF GROUNDS FOR ADMINISTRATIVE APPEAL
1120 N.W. Couch Street, 10th Floor Portland, OR 97209-4128
Phone: 503.727.2000 Fax: 503.727.2222
penalty allowed under the code and of unprecedented magnitude. Applying funny math, the City
2 ignores the plain language of the code, goes far outside its territorial jurisdiction to seek penalties
3 on behalf of drivers statewide with no relationship to Portland, denies Rasier due process, and
4 seeks to assess an unconstitutionally excessive fine. Rasier seeks invalidation of the civil penalty
5 and relief from the City's impermissible overreach.
6 II. BACKGROUND
7 The Portland City Code ("PCC") includes a chapter of regulations applicable to TN Cs,
8 including Rasier. One provision states: "The TNC shall notify the City of a known data security
9 breach in the same manner as provided in ORS 646A.600 to ORS 646A.628." Chapter
IO 16.40.240.K.4 (hereinafter, "TNC Breach Code"). The referenced Oregon statewide statutes
11 provide substantive and procedural requirements for when and how data breaches of all types
12 and from any type of company, TNC or not, should be reported to the Oregon Attorney General
13 and affected individuals in Oregon.
14 On November 21, 2017, Uber announced that it had been the victim of a data security
15 incident that occurred in the fall of 2016. The incident involved access by outsiders to backup
16 files of Uber data from the summer of 2015 that included, for some drivers, their names and
17 driver's license numbers ("affected drivers"). Outside forensics experts have not seen any
18 indication that the files include Social Security numbers, birth dates, or payment or credit card
19 numbers. In a different case that similarly involved exposure of names and driver's license
20 numbers, a federal court ruled that there was no risk of identify theft or other harm from
21 exposure of driver's license numbers. See Antman v. Uber Techs., In'c., 3: 15-cv-01175-LB, 2015
22 WL 6123054, at *11 (N.D. Cal. Oct. 19, 2015) ("Without a hack of information such as social
23 security numbers, account numbers, or credit card numbers, there is no obvious, credible risk of
24 identity theft that risks real, immediate injury.").
25 On November 22, 2017, Rasier notified PBOT of the incident, including providing PBOT
26 with copies of the information Uber had provided the day before to the Oregon Attorney
PAGE 2- STATEMENT OF GROUNDS FOR ADMINISTRATIVE APPEAL
Perkins Coie LLP 1120 N.W. Couch Street, 10th Floor
Portland, OR 97209-4128 Phone: 503.727.2000
Fax: 503.727.2222
General. See Tab 1. The parties engaged in several exchanges of information, largely centering
2 on the City's questions about how many of the affected drivers were permitted by the City. See
3 Tabs 2-5. In response, Uber searched the records of all affected drivers nationwide for those that
4 had ever been licens~d by the City of Portland or had otherwise completed a trip in Portland
5 requested through the Uber app. It provided this list of 328 drivers electronically to PBOT on
6 January 26, 2018, and it also engaged in telephone discussions with PBOT staff to explain in
7 detail how the data was determined and assembled. See Tab 5.
8 PBOT sent a letter to Rasier on January 29, 2018 assessing a civil penalty of
9 $3,475,000.00. See Tab 6. To reach this astronomical number, PBOT engages in fanciful math.
10 First, PBOT purports to assess a penalty for each affected driver, as though there were a separate
11 offense under the TNC Breach Code as to each of them-which is belied by the fact that the
12 TNC Breach Code requires only one notice to the City. Second, PBOT further counts every
13 violation beyond the first as subsequent violations (to reach higher penalty enhancements) even
14 though the claimed failure to timely report was a single occurrence. Third, PBOT further
15 includes all affected drivers currently living in the entire state of Oregon (which is 1391
16 individuals), rather than those within the authority of PBOT (which is at most 328 individuals, or
17 possibly 300). This appeal follows.
18 III. DISCUSSION AND ARGUMENT
19 A. Jurisdiction of Hearings Officer
20 This appeal arises from an alleged violation of PCC 16.40.240.K.4. Pursuant to PCC
21 16.40.240.M, "Failure to comply with any provision of in Section 16.40.240 is a Class B
22 violation subject to penalties provided in Sections 16.40.930 through 16.40.950." PCC
23 16.40.950.E states: "Civil Penalties Appeals. Any person or entity assessed a civil penalty may
24 appeal that decision to the Code Hearings Officer under the provisions of Chapter 22.10."
25 Accordingly, Rasier has the right to file this appeal, and the Hearings Office has jurisdiction,
26 pursuant to PCC Chapter 22.10.
PAGE 3- STATEMENT OF GROUNDS FOR ADMINISTRATIVE APPEAL
Perkins Coie LLP 1120 N.W. Couch Street, 10th Floor
Portland, OR 97209-4128 Phone: 503.727.2000
Fax: 503.727.2222
B. Legal Standard
2 The City bears the burden of proof in justifying the fine at issue in this case. See, e.g.,
3 ADM 9.05(9)(e) ("[t]he Hearings Officer shall render a decision as to whether the Determination
4 subject to Appellant's appeal is justified by a preponderance of the evidence in the record and
5 applicable legal standards"). It is the City's burden to present sufficient evidence to establish
6 both that the code was violated and that its method of calculating the fine is proper. Id ("The
7 burden of presenting evidence to support a fact or proposition rests on the proponent of that fact
s or proposition").
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
c. The TNC Breach Code Is Invalid Because It Exceeds the Scope of the City's Authority to Regulate TNCs
Oregon law grants the City authority to regulate vehicles for hire in six specifically stated
areas: licensing, entry into the business, rates, routes, safety and insurance, and a catchall for
"requirements necessary to assure safe and reliable service." ORS 221.495. Given the obvious
lack of relationship between data security and the other five bases, the City presumably relies on
the catchall provision as the jurisdictional basis for passing the TNC Breach Code. But notifying
the City of a data security incident involving the driver's information has no relationship to "safe
and reliable service,'' which is aimed at protecting consumers-the riders taking trips with these
drivers.
If it were not outside the City's allowed areas for regulating TNCs, the TNC Breach Code
would be invalid for another reason: preemption by statewide law. In Oregon, as in all states
with a data breach notification law, data breach notification is a creature of state law. The
Oregon Attorney General's office not only enforces the law, but also receives and reviews
reports of data security incidents from companies, maintains a public website providing a
searchable database of all such notices to assist consumers, see
https://justice.oregon.gov/consumer/databreach/, and has great deal of institutional knowledge
Perkins Coie LLP
PAGE 4- STATEMENT OF GROUNDS FOR ADMINISTRATIVE APPEAL
1120 N.W. Couch Street, 10th Floor Portland, OR 97209-4128
Phone: 503.727.2000 Fax: 503.727.2222
about trends in data security incidents and how companies should respond. The City, and local
2 transportation regulators, have no such institutional knowledge or expertise.
3 In particular, the penalty imposed here is improper because the City cannot impose a
4 greater penalty on Rasier than would be imposed by the State of Oregon under ORS Chapter
5 646A. See, e.g., State v. Uroza-Zuniga, 287 Or. App. 214, 223, 402 P.3d 772, 777 (2017)
6 ("Generally, a city may not impose a greater punishment than a statute imposes for acts 'similar
7 in nature, although different in specifics' that both the statute and an ordinance prohibit."). ORS
8 646A.624, which sets out penalties under statewide law.for failing to notify of a data breach,
9 provides that "the maximum penalty for any occurrence shall not exceed $500,000."
10 Data breaches from all companies-TNCs as well as every other realm oftechnology-
11 are well covered by statewide law, and do not relate to the "safe and reliable service" of a ride-
12 hailing business. Therefore, the City lacked authority to pass the TNC Breach Code, which as a
13 result is invalid and not enforceable.
14
15
16
17
18
19
20
21
22
23
24
25
26
D. Even if the TNC Breach Code Is Valid, Rasier Did Not Violate It and No Penalty Should Be Assessed
As quoted above, the TNC Breach Code requires that TN Cs notify the City of data
breaches "in the same manner" as any notifications required by state law to be made to other
parties. PCC 16.40.240.K.4. The "manner" of providing notice in ORS 646A.604.4 includes
notice "in writing ... electronically ... by telephone ... [or] with substitute notice .... "
Rasier did exactly that. Rasier sent its notice letter ("in writing") to PBOT on November
22, 2017. And, it is uncontested that it did so "in the same manner" that it notified the Oregon
Attorney General's office the day before.
The City appears to believe that the TNC Breach Code includes a timeliness
requirement-i.e., that Rasier failed to comply by not giving notice immediately after the data
security incident occurred. But unlike the state data breach law, the TNC Breach Code does not
contain any particular requirements as to when notice must be given. It is uncontested that
Perkins Coie LLP
PAGE 5- STATEMENT OF GROUNDS FOR ADMINISTRATIVE APPEAL
1120 N.W. Couch Street, 10th Floor Portland, OR 97209-4128
Phone: 503. 727.2000 Fax: 503.727.2222
Rasier has given notice. Thus, Rasier complied with the code provision and no penalty should be
2 assessed.
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
E. Even if Rasier Violated the TNC Breach Code, the Maximum Penalty Allowed by Law Is $1,000
Even if the TNC Breach Code is valid and even if Rasier violated it (both points are
disputed, as explained above),-the City's methodology for calculating the penalty is contrary to
unambiguous law. The maximum civil penalty applicable is $1,000.
The City alleges that Rasier violated the TNC Breach Code, PCC 16.40.240.K.4.
Pursuant to PCC 16.40.240.M, "Failure to comply with any provision of Section 16.40.240 is a
Class B violation subject to penalties provided in Sections 16.40.930 through 16.40.950." As a
preliminary matter, there is no specific penalty prescribed in the code for a violation of the TNC
·Breach Code. Thus, the Civil Penalty Table in PCC 16.40.930.C applies. See PCC 16.40.930.B
("Unless a specific civil penalty amount is prescribed by any section of this chapter, penalties for
specific code and administrative violations are found in the Civil Penalty Table in Section
16.40.930.") The Civil Penalty Table states as follows for "Class B" violations:
Class B $1,000 $1,500
PCC 16.40.930.C.
$2,500
.. ~ Subsequent Offenses . ' '
Suspension/Revocation of Certification
Trying to juice the numbers, the City makes three crucial errors when it calculates its
penalty amount of over three million dollars ($3,475,000), each discussed below.
1. Only One Alleged Offense Occurred
The City's first error in approach is that it assessed a separate penalty for each driver
affected, see Tab 6, rather than one penalty for the alleged delay in notice to the City.
The TNC Breach Code states that "The TNC shall notify the City of a known data
security breach .... " PCC 16.40.240.K.4 (emphasis added). The City is one entity, and all that
Perkins Coie LLP
PAGE 6- STATEMENT OF GROUNDS FOR ADMINISTRATIVE APPEAL
1120 N.W. Couch Street, 10th Floor Portland, OR 97209-4128
Phone: 503.727.2000 Fax: 503.727.2222
is required is a notice to the City. Thus, Rasier at most did one thing wrong: it did not "notify
2 the City" at the time of the data security incident. PCC 16.40.240.K.4.2 Of course, the City's
3 authority is limited to what is stated in the code, and based on the plain language, the City can
4 seek a penalty only for a failure to provide notice to "the City"-a one-time act or a one-time
5 failure to act.
6 The singular nature of the notice requirement in the TNC Breach Code is further
7 supported by the text and context. The provision requires notice to the City of "a known data
8 security data breach" (emphases added). The notice that is required is that of a singular event-
9 a breach. The TNC Breach Code contains no requirement that TN Cs notify drivers, and it
10 contains no requirement that the TNC even tell the City how many or which particular drivers
11 are affected. That Rasier did so voluntarily and in good faith cooperation with the City does not·
12 give PBOT license to overstep its authority in assessing a penalty. (
13 In short, a failure to notify "the City" of "a" data security incident constitutes one offense
14 under the code. Indeed, the City provides no support for its penalty calculation approach, merely
15 asserting in its penalty notice that a separate offense occurr,ed for every affected driver. To
16 follow this logic, Uber would need to submit a separate notice to the City for each affected
17 driver. That is not what the TNC Breach Code states nor what it requires because, as a practical
18 matter, that approach makes no sense.
19 Because at most one offense occurred, the maximum penalty is $1,000 per the Civil
20 Penalty Table. See PCC 16.40.930.C.
21 2. A Single Occurrence Cannot Comprise "Subsequent" Offenses
22 The City's second improper step in calculating its purported penalty is in using sleight of
23 hand as to what constitutes a "subsequent" offense. The City claims that Rasier' s alleged lack of
24
25
26
2 As explained above, however, the code includes no timeliness requirement, and Rasier ultimately did notify the City of the data breach incident, so there is no violation at all. This section describing the penalty calculation assumes arguendo that the hearings officer determines a violation did occur.
Perkins Coie LLP
PAGE 7- STATEMENT OF GROUNDS FOR ADMINISTRATIVE APPEAL
1120 N.W. Couch Street, 10th Floor Portland, OR 97209-4128
Phone: 503.727.2000 Fax: 503.727.2222
notice to the City is not only a separate offense as to each driver, but also is a first offense as to
2 the first driver in the data set, a second offense as to the second driver in the data set, and a third
3 offense as to each of the remaining drivers in the data set, which enables the City to reach its
4 astronomical penalty amount of $3,475,000.3 See Tab 6.
5 The alleged conduct of Rasier-failing to notify the City of the data security incident-
6 was a single act. This is a single data security incident and a corresponding single decision by
7 Rasier about when to report it. There is no first, second, third, and subsequent offense. Rasier
8 did not consider individually, seriatim, on behalf of each driver, whether to notify the City of the
9 incident. To the extent it was required to notify the City of the incident earlier than it did, which
1 o Rasier disputes under the plain language of the code as discussed above, that act or failure to act
11 compromised only a single occurrence.
12 This result is supported by the careful and graduated range of penalties in the Civil
13 Penalty Table. This scheme is consistent with the clear intent that an initial violation serves as a
14 warning-before the second offense is committed (with an escalating penalty)--or a third
15 offense (with further penalty escalation). Here, there was only one data security incident. If
16 data-related violations such as the one alleged here are measured by the number of potentially
17 affected individuals, TN Cs could immediately be subject to suspension and punitive fines on the
18 first offense, especially since data security issues by their nature often involve data for more than
19 , one individual at the same time. This result would swallow all notions of graduated fines or
20 penalties and ignore the "warning" policy rationale for a first offense.
21
22
23
24
25
26 3 This analysis is additionally flawed because, as discussed below and as will be shown at the hearing, there are at most only 328 Portland-licensed drivers affected by the security incident, not 1391.
Perkins Coie LLP
PAGE 8- STATEMENT OF GROUNDS FOR ADMINISTRATIVE APPEAL
1120 N.W. Couch Street, 10th Floor Portland, OR 97209-4128
Phone: 503.727.2000 Fax: 503. 727.2222
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
3. Drivers Who Currently Live in Oregon, But Have Never Driven or Been Permitted in Portland, Are Outside the City's Jurisdiction
The City's third calculation error is that it is sweeping in all affected drivers who
currently live in Oregon, rather than just those within PBOT's jurisdiction in Portland, see Tab 6,
in order to gin up a higher penalty assessment.
Oregon law delegates to Portland and other cities the authority to "control and regulate
... vehicles for hire that operate within their respective jurisdictions." ORS 221.495 (emphasis
added). Accordingly, the code provisions for TNCs in PCC 16.40.200 et seq. are expressly
limited geographically to the City of Portland. Thus, the TNC Breach Code applies only to data
security incidents affecting City-permitted drivers operating in Portland. See PCC 16.40.240.K.
Stated differently, but to make sure this point is clear: if Rasier suffered a data security incident
affecting only a driver in Salem, or a driver in, say, Florida who later moves to Bend, in neither
case would the TNC Breach Code apply, and Rasier would have no obligation to notify the City
of anything. The City's methodology for calculating the assessed fine, however, would sweep in
those two drivers over whom PBOT has no jurisdiction in the first place.
Rasier has painstakingly explained the data set to PBOT in both written communications
and telephone conversations. See Tabs 3-5. The facts, which will also be the subject of
testimony by Uber witnesses at the hearing of this matter, are as follows:
(1) The accessed data is stale. The data accessed in the fall 2016 incident was in
backup files from the summer of 2015 (over a year old at the time and now nearly three years
old). Thus, all affected drivers were driving with Uber as of the summer of 2015. No one who
began driving with Uber at any point after the summer of 2015 is included.
(2) Rasier was permitted by the City in April 2015, just a few months prior to the
creation of the accessed data. Thus, it is not surprising that the number of Portland-licensed
drivers in the data set is low. (See also point number four below-even the other drivers Uber
Perkins Coie LLP
PAGE 9- STATEMENT OF GROUNDS FOR ADMINISTRATIVE APPEAL
1120 N.W. Couch Street, 10th Floor Portland, OR 97209-4128
Phone: 503.727.2000 Fax: 503.727.2222
notified now within the state of Oregon based on current mailing address might have been
2 driving in other states at the time the data set was created, or at the time it was downloaded.)
3 (3) In order to provide notice to drivers in November 2017 under state law, which
4 addresses notice to residents of Oregon, Uber took all affected drivers and looked to other
5 sources to determine, as best as possible, a current mailing address for those individuals. Based
6 on November 2017 mailing addresses, 1391 individuals from the nationwide data set now live
7 somewhere in the state of Oregon.
8 (4) People move frequently. These 1391 individuals in Oregon thus could include
9 scenarios such as (a) someone who drove in Florida with Uber in 2015, subsequently ceased
1 o driving at all, and in the summer of 2017 moved to Salem for other reasons, or (b) someone who
11 drove in Vancouver, Washington with Uber in 2015 but subsequently moved to Bend and
12 continues to drive there. Conversely, the 1391 individuals who currently live in Oregon do not
13 include scenarios such as ( c) a driver who currently is permitted and drives with Uber in the City,
14 but lives in Vancouver, Washington, or (d) a driver who drove with Uber in the City as of the
15 summer of 2015, but subsequently moved to Arizona. In sum, current residence is simply not a
16 proxy for past or present licensure. See Tab 5.
17 (5) For these reasons, and as a courtesy and to facilitate an understanding of the data
18 by PBOT, Rasier determined the actual number of affected drivers with a relationship to PBOT.
19 To do this, Rasier took the overall set of all affected drivers nationwide. It then ran analyses,
20 using other data sources, to determine which of those drivers (a) had ever been permitted in the
21 City, or regardless of permit status, (b) had ever provided a trip in the City. This number is 300
22 individuals permitted, and 328 individuals permitted or who had provided a trip. Rasier provided
23 this data electronically to PBOT and explained it by telephone. See Tab 5.
24 If the City is allowed to assess a penalty based on the theory that there was a separate
25 offense as to each driver (which, as discussed above, would be contrary to the clear language of
26 the code which only requires a single notice to the City), the calculation could only be based on,
PAGE 10- STATEMENT OF GROUNDS FOR ADMINISTRATIVE APPEAL
Perkins Coie LLP 1120 N.W. Couch Street, 10th Floor
Portland, OR 97209-4128 Phone: 503.727.2000 Fax: 503.727.2222
at most, the 300 or 328 drivers with a connection to the City, not the 1391 current Oregon
2 residents.
3 F. Allowing PBOT's Penalty Assessment to Stand Would Violate the Constitution
4 As described above, for clear statutory and factual reasons, PBOT' s penalty assessment
5 of over three million dollars ($3,475,000) is incorrect and unsupported. But even if not
6 invalidated on those grounds, this staggering penalty also is a flagrant constitutional violation as
7 both an excessive punishment under the Eighth Amendment and a violation of substantive and
8 procedural due process based on the flimsy factual record before PBOT, its mathematical
9 miscalculations, and no cognizable risk of harm or injury to consumers or the affected drivers-
10 all in the context of a municipal code violation hearing before a hearings officer (without a jury),
11 with so few affected drivers within the City's jurisdiction.
12 The Eighth Amendment to the U.S. Constitution, made applicable to the states through
13 the Fourteenth Amendment, provides that"[ e ]xcessive bail shall not be required, nor excessive
14 fines imposed." U.S. Const. amend. XIII. Under the Eighth Amendment, a fine "violates the
15 Excessive Fines Clause if it is grossly disproportional to the gravity of a defendant's offense."
16 United States v. Bajakajian, 524 U.S. 321, 334 (1998). Separately, the Due Process Clause of
17 the Fourteenth Amendment also prohibits the imposition of "grossly excessive" punitive awards.
18 TXO Production Corp. v. Alliance Resources Corp., 509 U.S. 443, 454 (1993). The courts will
19 set aside statutory civil penalties that are so "plainly arbitrary and oppressive" as to violate the
20 Due Process Clause. Sw. Tel. & Tel. Co. v. Danaher, 238 U.S. 482, 491 (1915).
21 Oregon courts have also stressed that "[a] penalty may be so excessive as to amount to a
22 deprivation of property without due process oflaw." Gooch v. Rogers, 193 Or. 158, 168, 238
23 P.2d 274, 278 (1951). "The state and federal constitutions ... impose limits upon a legislature's
24 power to prescribe severe penalties." Staley Enters., Inc. v. Dep 't of Revenue, 15 Or. Tax 63, 66
25 (1999). Specifically, "[p]enalties may not be 'grossly oppressive or disproportionate to the
26 offense' which the legislature seeks to do away with." Id. at 184.
PAGE 11- STATEMENT OF GROUNDS FOR ADMINISTRATIVE APPEAL
Perkins Coie LLP 1120 N.W. Couch Street, 10th Floor
Portland, OR 97209-4128 Phone: 503.727.2000 Fax: 503.727.2222
The penalty assessed by PBOT in this matter-$3,475,000-is grossly disproportionate
2 to the claimed offense: the alleged failure to notify the City that an outside actor accessed the
3 names and driver's license numbers of, at most, 328 Portland drivers. The City's claimed civil
4 penalty is 3,475 times what is allowed by the Code's fine schedule. See Section D, supra. The
5 claimed penalty is also arbitrary, as there is no basis for calculating the claimed penalty on a "per
6 · driver" (rather than per occurrence) basis. The City's claimed penalty is for other than remedial
7 purposes and therefore violates Rasier's procedural due process rights.
8 Additionally, where a civil penalty is imposed for retributive or deterrent purposes, rather
9 than remedial purposes, it is considered criminal in nature. Kokesh v. S.E.C., 137 S. Ct. 1635,
10 1645, 198 L. Ed. 2d 86 (2017) ("[a] civil sanction that cannot fairly be said solely to serve a
11 remedial purpose, but rather can only be explained as also serving either retributive or deterrent
12 purposes, is punishment, as we have come to understand the term.") (emphasis in original)
13 (citation omitted); see also Brown v. Multnomah Cty. Dist. Court, 280 Or. 95, 102, 570 P.2d 52,
14 57 (1977) (discussing standards that have been used "to determine whether an ostensibly civil
15 penalty proceeding remains a 'criminal prosecution' for constitutional purposes"). Where a
16 penalty is criminal in nature, the defendant must be afforded a host of procedural constitutional
17 protections, including (for example) a right to a jury trial and a heightened burden of proof,
18 neither of which have been afforded to Rasier here.
19 The City is clearly seeking retribution through its assessment of a $3,475,000 fine.
20 PBOT' s penalty assessment letter on its face purports to punish Rasier for purported "continuing
21 disregard for Portland laws and regulatory structure." See Tab 5 at 2. While Rasier adamantly
22 disputes this statement, the statement itself demonstrates the City's retributive intent in issuing
23 the purported penalty. For this reason, and all the other reasons discussed above, the claimed
24 penalty should be stricken.
25
26
PAGE 12- STATEMENT OF GROUNDS FOR ADMINISTRATIVE APPEAL
Perkins Coie LLP 1120 N.W. Couch Street, 10th Floor
Portland, OR 97209-4128 Phone: 503.727.2000
Fax: 503.727.2222
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
IV. DISCUSSION OF EVIDENCE
At the hearing in this matter, Uber may submit as evidence the following:
Tab# DATE Descri~tion
1. 11/22/17 Letter from Rebecca S. Engrav (Perkins Coie) to Portland Bureau of Transportation (Leah Treat and Mark Williams), with enclosures
2. 12/1/17 Letter from City of Portland to Dara Khosrowshahi, CEO of Uber Technologies, Inc.
3. 12/15/17 Letter from Rebecca S. Engrav (Perkins Coie) to Ken McGair (Portland City Attorney's office). Redactions made for confidential and trade secret information.
4. 1123/18 Letter to Rasier, LLC from Portland Bureau of Transportation (Mark Williams)
5. 1126/18 Email referencing transmission of information by Rachel Pojunas of Uber to Mark Williams of Portland Bureau of Transportation
6. 1129/18 Penalty notice to Rasier, LLC from Portland Bureau of Transportation (Leah Treat)
To come: Summary of count of drivers by location; to be submitted after entry of an appropriate protective order to address privacy, trade secret, and confidentiality concerns
At the hearing in this matter, Rasier may call one or more lay and/or expert witnesses
who will testify about relevant facts and circumstances. Rasier may also supplement and amend
its list of evidence and may submit as evidence other relevant materials not listed in the table
above that are located or obtained through discovery or in connection with this matter, especially
in light of the size of the penalty sought by the City and the complex nature of the data at issue.
See, e.g., PCC 23 .03 .080 (broadly allowing admission of all relevant material and not unduly
repetitious evidence). For the same reason, and if submission of further materials is viewed as
part of the notice of appeal, Rasier requests leave to supplement and amend this notice of appeal
Perkins Coie LLP
PAGE 13- STATEMENT OF GROUNDS FOR ADMINISTRATIVE APPEAL
1120 N.W. Couch Street, 10th Floor Portland, OR 97209-4128
Phone: 503.727.2000 Fax: 503.727.2222
· as is just and appropriate. See, e.g., PCC 22.10.030.A (allowing the Hearings Officer to waive
2 the default 10-day period for preparation of a notice of appeal).
3 v. REQUEST FOR SCHEDULING CONFERENCE
4 In order to facilitate the orderly management of this matter, Rasier respectfully requests
5 that the Hearings Officer hold a scheduling conference with the parties as soon as practicable.
6 At the scheduling conference, the Hearings Office can receive input from the parties and set such
7 orders as are necessary to allow for an orderly preparation of relevant evidence, an appropriate
8 schedule for a hearing and related briefing, and the entry of a protective order. ·see, e.g., Jack
9 Doe I v. Corp. of Presiding Bishop of Church of Jesus Christ of Latter-Day Saints, 352 Or. 77,
10 86, 280 P.3d 377, 383 (2012) ("The issuance and vacation of protective orders are matters of a
11 trial court's discretion.").
12 VI. CONCLUSION
13 For the reasons stated, the Hearings Officer should invalidate the City's claimed penalty
14 and dismiss this matter. Alternatively, if the Hearings Officer does not agree that the code
15 provision at issue is invalid, the Hearings Officer should invalidate the City's claimed penalty
16 calculation methodology and impose a penalty of $1,000, the amount prescribed by law.
17 DATED: february 12, 2018
18
19
20
21
22
23
24
25
26
PAGE 14- STATEMENT OF GROUNDS FOR ADMINISTRATIVE APPEAL
PERKINS COIE LLP
By: ~~~ ErickJ. Ha ie, B o. 982482 EHaynie@p rkinscoie.com Christopher W. Rich, OSB No. 990954 [email protected]
Telephone: 503.727.2000 Facsimile: 503.727.2222
Attorneys for Rasier, LLC
Perkins Coie LLP 1120 N.W. Couch Street, 10th Floor
Portland, OR 97209-4128 Phone: 503.727.2000
Fax: 503.727.2222
1
0
PeRKINSCOle I /Cf! Third i\wnur.
Seattle. \NI\ 9B I LJ J .. 3099
0 ··· 1.20tiJ59 .8000 G . 1.201d!i9.900U
PerkinsC01e.com
November 22, 2017 Rebecca S. Engrav
D. + 1.206.359.6168
F. +1.206.359.7168
VIA E-MAIL
Leah Treat, Director Mark Williams, Regulatory Division Manager Portland Bureau of Transportation 1120 SW 5th Ave., Suite 800 Portland, OR 97204
[email protected] Mark. [email protected]
Re: Notification of Security Breach
Dear Ms. Treat and Mr. Williams:
We write to inform you of a data security incident at Uber Technologies, Inc. ("Uber"), the parent company of Rasier, LLC. Rasier is a licensed Transportation Network Company in the City of Portland. The incident, which was announced and reported in the media yesterday, has affected the personal information of for-hire drivers in Portland who use Uber's application for trip requests.
Uber yesterday submitted notice of the incident to the Oregon Department of Justice through its online form. A record of the submission is enclosed, but because the notice was submitted electronically, some of the information submitted is not displayed in the enclosed record. Specifically, the Brief Description of the Breach stated:
Uber was contacted by an individual who claimed he had accessed Uber user information. Uber investigated and determined that the individual and another person working with him had obtained access to certain stored copies of Uber databases and files located on Uber's private cloud data storage environment on Amazon Web Services. Uber determined the means of access, shut down a compromised credential, and took other steps intended to confirm that the actors had destroy~d and would not use or further disseminate the information. Uber also implemented additional measures to improve its security posture.
As determined by Uber and outside forensic experts, the accessed files contained user information that Uber used to operate the Uber
November 22, 2017 Page 2
service, including the names and driver's license numbers of about 600,000 Uber drivers in the United States.
Uber is in the process of providing notice to the individuals whose driver's license information was downloaded in this incident. Uber will offer 12 months of credit monitoring and identity theft protection services to these individuals free of charge, and the notice will provide information on how to use such services. A copy of the notice that will be sent to Portland-based drivers is enclosed. 1
Please do not hesitate to contact me with any questions or for more information. My contact information is above.
Sincerely,
Rebecca S. Engrav
Attachments
cc: Office of Mayor Ted Wheeler 1221 SW 4th Ave., Room 340 Portland, OR 97204 Kyle. [email protected]
Office of Commissioner Dan Satzman 1221 SW 4th Ave., Room 230 Portland, OR 97204 Tia. [email protected]
1 Although rider information (including name, email address, and mobile phone number) was present in the downloaded files, none of that information trigger notification under Oregon law. In particular, outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth were downloaded.
• •
• ABOUT us ~ EngJish oRBGo~MENT oF JUSTICE Consumer Protection
Fi hting Fraud. Protecting Oregonians.
Search the Oregon DOJ
ATTORNEY GENERAL CHILD SUPPORT
Motor Vehicles
MENU
Homes& Mortgages
CONSUMER PROTECTION
Phone, Internet &TV
CONSUMER PROTECTION CHARITIES
Sales, Scams & Fraud
ID Theft & Data Breaches
DOJ Home / Consumer Protection / ID Theft & Data Breaches / Report Data Breaches
Report Data Breaches
This submission is required by Oregon Revised Statutes 646A.604.
Scam Alert Network Report Scams & fraud
SCAM ALERT NETWORK
REPORT SCAMS & FRAUD
CRIME VICTIMS MEDIA
Credit, Loans & For Debt Businesses
Note: This form is only for use by businesses and state agencies, which are required to submit a sample notice if they experience a breach of personal information involving more than 250 Oregon
consumers. If you are a consumer who wishes to file a complaint, please use our online complaint
form.
Section 1 - Security Breach
Sample of Consumer Notice
C:\fakepath\Sample Notice.PDF
Files must be less than 100 MB Allowed file types: pdf
*
Breached Organization Name* Uber Technologies, Inc.
Address 1455 Market Street
-!<=required
City San Francisco
State California
Zip Code 94103
Date( s) of Breach (if known)
Start Date
10/13/2016
End Date
11/15/2016
Date( s) of Discovery of Breach
11/14/2016 +
+
Date(s) Individual Notice Provided to Consumers
11/22/2017 +
Was notification delayed because of a law enforcement
investigation?
No
Type of Personal Information Involved in the Breach (select
all that apply) (CTRL +click) Biometric (measurements of physical characteristics used to auther Credit or Debit Card Number Driver's license or State Identification Card Number Financial Account Number Health Insurance Information Medical Information Passport or other number issued by the United States Social Security Number Information
Brief Description of the Breach (1000 Character max)
Uber was contacted by an individual who claimed he had accessed Uber user information. Uber investigated and determined that the individual and another person working with him had obtained access to certain stored copies of Uber
databases and files located on Uber's private cloud data storage environment on Amazon Web Services. Uber determined the means of access, shut down a compromised credential, and took ,.. other steps intended to confirm that the actors had destroyed and ,,;
Report Type Initial Breach Report
Number of Oregon Consumers Affected by the Breach
250 or More Individuals
Approximate Number of Oregonians Affected by the Breach
1173
Approximate Number of Individuals Affected by the Breach
600000
Type of Breach
Other
Was Substitute Notice Given (ORS 646.604(4)(d))? No
Was Media Notice Given?
No
Section 2 - Information For Law Enforcement Purposes The information provided in Section 2 is for Department of Justice use only.
Name of company contact or attorney whom the Attorney
General may contact for further information? Rebecca S. Engrav, Perkins Coie LLP
Address :Check if the address is the same as organization.
1201 Third Ave, Suite 4900
City
Seattle
State Washington
Zip Code 98101
Telephone Number
206-359-6168
Email Address [email protected]
Was a law enforcement agency notified regarding the
breach?
No
Was a police report filed?
No
Submit
- TWEET f SHARE
• In SHARE ri EMAIL
Motor Vehicles
Leasing a Vehicle
Service Contracts
Towing
Other Vehicle Resources
Buying a Vehicle
Q PRINT
Lemon Law
Homes & Mortgages
Mortgage & Foreclosure Fraud
Mortgage Help for Oregon Homeowners
Foreclosure Avoidance Program
Home Maintenance
Phone, Internet & TV
Internet Providers
Cable & Satellite TV
Online Safety
Report a Do Not CallViolation
Sales, Scams & Fraud
Report Scams & Fraud
Join the Scam Alert Network
Search Consumer Complaints
Request Free Fraud Prevention Training
Consumer Protection Materials Order Form
Medicaid Fraud
Free Trial Offers
Door-To-Door Sales
Gift Cards
Timeshares
Employment Scams
Fitness Clubs & Health Spas
Price Gouging
Telemarketing
More Scams & Fraud Resources
ID Theft & Data Breaches
Data Breaches
Identity Theft
Credit, Loans & Debt
Personal Finances
Education Debt
Debt Collection
For Businesses
How to Respond to a Contact From the Oregon DOJ
Resources for Businesses
Connect
W Twitter
• In Linkedln
Contact Consumer Protection
Contact the Oregon DOJ
Email the DOJ Webmaster
Oregon DOJ Privacy Policy
Legal Notice
Oregon Consumer Protection SITE MAP
1455 Market Street Return Mail Processing P.O. Box 589 Claysburg, PA 16625-0589
San Francisco, CA 94103 UBER.com
##D2700-L01-0123456 0001 00000001**************9-0ELZZ123 SAMPLE A SAMPLE APT ABC 123ANYST
~~ ~
ANYTOWN, US 12345-6789 1•I11111IIp111111.1h11 l1l II 1IIIIIIII111I1 111 l1 1l1I11l 1h111I1 h
November 22, 2017
NOTICE OF DATA BREACH
Dear Sample A Sample:
I am writing to let you know about a data security incident at Uber that affected your information. Uber deeply regrets that this happened and we recommend that you closely review the information in this letter.
What Happened In November 2016, Uber learned that unauthorized actors obtained access to a private cloud storage environment used by Uber. They accessed stored copies of Uber databases and files. To the best of our knowledge, the unauthorized access began on October 13, 2016 and ended no later than November 15, 2016.
What The accessed files contained user information that Uber used to operate the Uber Information service, including your name and driver's license number. The files included Was Involved this information for about 600,000 Uber drivers in the United States.
What We Are We have made changes to our data storage environment and security procedures Doing to decrease the chance of a similar occurrence in the future. To assist you, we
are also providing identity theft protection and mitigation services from Experian, including credit monitoring, for twelve (12) months at no cost to you. See details below.
What You Can We recommend enrolling in Experian IdentityWorkssM and reviewing the Do additional information below.
For More If you have any questions regarding this incident or if you desire further Information information or assistance, please contact (844) 439-7669.
Again, and on behalf of everyone at Uber, I am sorry that this happened. Drivers like you are at the heart of our service. Simply put, Uber wouldn't exist without you and we thank you for your partnership.
Sincerely,
Dara Khosrowshahi Chief Executive Officer
0123456
r-.'~'1·~ ~
D2700-L01
Activate Experian IdentityWorkssM
We encourage you to activate the fraud detection tools available through Experian IdentityWorks8M as a complimentary one-year membership. This product provides you with superior identity detection and resolution of identity theft. To start monitoring your personal information please follow the steps below:
• Ensure that you enroll by: February 28. 2018. (Your code will not work after this date.)
• Visit the Experian IdentityWorks website to enroll: www.experianidworks.com/3bcreditone
• Provide your activation code: ABCDEFGHI
Additionally, complimentary Identity Restoration assistance is immediately available to you. If you believe there was fraudulent use of your information and would like to discuss how you may be able to resolve those issues, please reach out to an Experian agent. If, after discussing your situation with an agent, it is determined that identity restoration support is needed then an Experian Identity Restoration agent is available to work with you to investigate and resolve each incident of fraud that occurred (including, as appropriate, helping you with contacting credit grantors to dispute charges and close accounts; assisting you in placing a freeze on your credit file with the three major credit bureaus; and assisting you with contacting government agencies to help restore your identity to its proper condition).
Please note that this offer is available to you for one year from the date of this letter and does not require any action on your part at this time.
The Terms and Conditions for this offer are located at www.ExperianlDWorks.com/restoration. You will also find self-help tips and information about identity protection at this site.
If you have questions about these products, need assistance with identity restoration or would like an alternative to enrolling in Experian IdentityWorks online, please contact Experian's customer care team at (844) 439-7669 by February 28. 2018. Be prepared to provide engagement number as proof of eligibility for the identity restoration services by Experian.
Additional Steps You Can Take
Learn More and Report Suspected Identity Theft
You are encouraged to contact the Federal Trade Commission (FTC), law enforcement, or your state attorney general's office to report incidents of suspected identity theft or to learn about steps you can take to protect yourself from identity theft. You can contact the FTC at:
Federal Trade Commission 600 Pennsylvania Avenue, NW Washington, DC 20580 (877) IDTHEFT (438-4338) www.identitytheft.gov
If you find that your information has been misused, the FTC encourages you to file a complaint with the FTC and to take these additional steps: (1) close the accounts that you have confirmed or believe have been tampered with or opened fraudulently; and (2) file and keep a copy of a local police report as evidence of the identity theft crime.
You can contact the nationwide consumer reporting agencies at:
Equifax P.O. Box 105788 Atlanta, GA 30348 (800) 525-6285 www.equifax.com
Experian P.O. Box 9554 Allen, TX 75013 (888) 397-3742 www.experian.com
2
Trans Union P.O. Box 2000 Chester, PA 19016 (800) 680-7289 www.transunion.com
D2700-L01
You should remain vigilant for incidents of fraud, identity theft, and errors by regularly reviewing your account statements and monitoring free credit reports. If you discover any suspicious or unusual activity on your accounts, be sure to report it immediately to your financial institutions, as major credit card companies have rules that restrict them from requiring you to pay for fraudulent charges that are timely reported.
Obtain Your Credit Reports
You should also monitor your credit reports. You may periodically obtain free credit reports from each nationwide consumer reporting agency. If you discover inaccurate information or a fraudulent transaction on your credit report, you have the right to request that the consumer reporting agency delete that information from your credit report file.
You have rights under the federal Fair Credit Reporting Act (FCRA). These include, among others, the right to know what is in your file; to dispute incomplete or inaccurate information; and to have consumer reporting agencies correct or delete inaccurate, incomplete, or unverifiable information. For more information about the FCRA, please visit www.consumer.ftc.gov/articles/pdf-0096-fair-credit-reporting-act. pdf or www.ftc.gov.
Place a Fraud Alert or Security Freeze on Your Credit Report File
A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you. You should know that it also may delay your ability to obtain credit. You may place a fraud alert in your file by calling just one of the three nationwide consumer reporting agencies listed above. As soon as that agency processes your fraud alert, it will notify the other two agencies, which then must also place fraud alerts in your file. An initial fraud alert will last 90 days. An extended alert stays on your file for seven years. To place either of these alerts, a consumer reporting agency will require you to provide appropriate proof of your identity, which may include your Social Security number. If you ask for an extended alert, you will have to provide an identity theft report.
A security freeze, sometimes called a credit freeze, is designed to prevent credit, loans, and services from being approved in your name without your consent. You should know that it also may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing or other services. Unlike a fraud alert, you must separately place a security freeze on your credit file by sending a request to each of the three major credit reporting agencies listed above. When you place a security freeze on your credit report, you will be provided with a personal identification number, password, or similar device to use if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report to a specific party or parties or for a specific period of time after the freeze is in place. In order to request a security freeze, you will need to provide the following information:
1. Your full name (including middle initial as well as Jr., Sr., II, ill, etc.); 2. Social Security number; 3. Date of birth; 4. If you have moved in the past five (5) years, the addresses where you have lived over the prior five
years; 5. Proof of current address such as a current utility bill or telephone bill; 6. A legible photocopy of a government issued identification card (state driver's license or ID card,
military identification, etc.); 7. If you are a victim of identity theft, a copy of either the police report, investigative report, or
complaint to a law enforcement agency concerning identity theft; 8. If you are not a victim of identity theft, payment by check, money order, or credit card (Visa,
MasterCard, American Express or Discover only). Do not send cash through the mail.
3
0123456
r.·~ ~
D2700-L01
With certain exceptions, a consumer reporting agency may charge you a fee to place a freeze on your credit report, to temporarily lift a freeze on your credit report, or to remove a freeze from your credit report.
IF YOU ARE A MARYLAND RESIDENT: You may obtain information about steps you can take to avoid identity theft from the Maryland Attorney General's Office. This office can be reached at:
Office of the Attorney General Consumer Protection Division 200 St. Paul Place Baltimore, MD 21202 (410) 576-6491 www.oag.state.md. us
IF YOU ARE A NORTH CAROLINA RESIDENT: You may obtain information about preventing identity theft from the North Carolina Attorney General's Office. This office can be reached at:
North Carolina Department of Justice Office of the Attorney General 9001 Mail Service Center Raleigh, NC 27699-9001 (877) 566-7226 http://www.ncdoj.gov
IF YOU ARE A RHODE ISLAND RESIDENT: You have the right to obtain a police report in regard to this incident, and if you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it. Additionally, you may obtain information about preventing identity theft from the Rhode Island Attorney General's Office. This office can be reached at:
Rhode Island Office of the Attorney General 150 South Main Street Providence, RI 02903 (401) 274-4400 http://www.riag.ri.gov/
IF YOU ARE A RESIDENT OF OTHER STATES: Your state attorney general's office and website may also provide relevant information.
4 D2700-L01
2
CllYOF
PORTLAND, OREGON
December 1, 2017
Mr. Dara Khosrowshahi Uber Technologies, Inc 1455 Market Street San Francisco, CA 94103
Dear Mr. Khosrowshahi,
Dan Saltzman, Commissioner · 1221 S.W. 4th Avenue, Room 230
Portland, Oregon 97204 Telephone: (503) 823-4151
Fax: (503) 823-3036 [email protected]
I was alarmed to learn that on Tuesday, November 21 Uber disclosed a year-old data breach that reportedly exposed the personal information of millions ofUber's customers and drivers. According to the November 21 New York Times article, "Uber hid 2016 Breach, paid Hackers to delete stolen data." Uber reportedly paid the hackers $100,000.00 to delete these stolen files, presumably to conceal this data breach from consumers, regulators and the public.
As a permitted Private for Hire company in Portland, Uber Technologies, Inc./Rasier, LLC ("Uber") must protect the type of personal account information that was compromised. Furthermore, Uber Technologies is obligated to notify the City of any data breach in accordance with the Oregon Consumer Identity Theft Protection Act (ORS 646A.600 to 646A.628). The statutory language is very clear on these points:
"No TNC Company or Driver may allow any unauthorized person to intentionally access any records produced by the digital records systems. "'PCC 16.40.240 K3.
The TNC shall notify the City of a known data security breach in the same manner as provided in ORS 646A.600 to ORS 646A.628." PCC 16.40.240 K4.)
As referenced, ORS 646A.604, states " ... The person shall notify the consumer in the most expeditious manner possible, without unreasonable delay, consistent with the legitimate needs of law enforcement described in subsection (3) of this section ·and consistent with any measures that are necessary to determine sufficient contact information for the affected consumer, determine the scope of the breach of security and restore the reasonable integrity, security and confidentiality of the personal information. "
On November 22,··2017 ;the City·ofPortland received a letter from Rebecca Engrav acknowledging the November 14, 2016 breach of 600,000 Uber driver's license information. A. copy of the Notice filed with the Consumer Protection Division of the Oregon Department of Justice was attached. This Notice detailed noting that 1173 of the accounts compromised were Oregon accounts - presumably driver accounts. We have been informed by the Oregon
Department of Justice that the breach notification has since been amended to reflect additional account information related to Oregon Uber drivers. Further, Ms. Engrav asserts in a footnote that while rider information was compromised it does not trigger a notification under Oregon
································-"----Law...Due-ro-the--nature-and-seepe-ofthis-data-breaclnurdi:tber'-riailure-ro-aiercany-reguiatofy _______________________________ _ body or member o_f the public, any information, including the number of customer rider accounts that were compromised in any way, should be disclosed to the City of Portland.
Uber's past actions in the City of Portland have been severely problematic. To now learn that Uber deliberately concealed a massive data breach involving both customer and driver information for a period of over. a year adds to the already strained relationship the City has with Uber. As such, in accordance with PCC 16.40240 L. the City is requesting the following · information:
1. Provide us with the number of drivers whose personal information was compromised in· the breach were permitted by the City of Portland, and how you determined the number
· of Oregon licensed driver accounts that were compromised by this data breach. 2. ·Provide us with the number of Uber riders listing a home address in Portland who had
their name, or e-mail address, or phone number, or other personal information compromised by this data breach.
3. Provide us with an affirmative statement that Uber has not violated any other Portland rules, regulations or Oregon State laws since Portland City Code was adopted in January 2016.
4. Provide us with a copy ofUber's company policy on reporting data and security breaches.
Please provide responses to the inquiries stated above by close of business December 15, 2017.
All subsequent communications regarding this matter shall be directed to City Attorney Tracy Reeve and Senior Deputy City Attorney Ken McGair.
Sincerely,
'011o Dan Saltzman
c: Rebecca Engrav, Perkins Coie Mayor Ted Wheeler Commissioner Chloe Eudaly Commissioner Nick Fish Commissioner Amanda Fritz Attorney General, Ellen Rosenblum
3
. PeRKINSCOle
December 15, 2017
VIA EMAIL: [email protected]
Ken McGair Senior Deputy City Attorney Portland Office of the City Attorney 1221 S.W. 4th Avenue, Room 430 Portland, OR 97204
Re: Uber Data Security Incident
Dear Mr. McGair:
0 )Ui JfiC) 800C G · I ?Ul.l!19 9001:
Rebecca S. Engrav
D. +l.206.359.6168
F. +l.206.359:7168
Thank you for the time your office spent speaking with us on the phone this week regarding Commissioner Saltzman's letter dated December 1, 2017 and, more generally, the Uber data security incident recently announced by the company. We thought it was ve1y productive to share infonnation with you about the facts and circumstances of this incident on our telephone call. We respond below to the specific questions in Commissioner Saltzman 's letter, but we are fmther happy to continue to share infonnation should you have additional questions or desire fmther clarifications.
1. Provide us with the number of drivers whose personal information was compromised in the breach were permitted by the City of Portland, and how you determined the number of Oregon licensed driver accounts that were compromised by this data breach.
Uber does not have a ready means of detennining w uc i of the drivers in the data set were penuitted by the City of Po1tland at the time the files were created (or at the time they were downloaded by outside actors).
Uber detemliued the number of individuals who: (a) had a driver's license number in the downloaded files and b a ear to reside in Ore on, throu h:
Dnvers prov1 e a ·ess 111 onnahon at s1g11up, and Uber oes not contact drivers by mail, so this infonnation may not be c01Tect or cunent in all cases. Uber provided this infonuation to its mailing vendor, who ran the list through National
138078348.l
KenMcGair December 15, 201 7 Page 2
Change of Address and updated addresses accordingly. ill addition, Uber reviewed non-standard address entries to assign a state where paitial address infonnation was available. Where no street address infonnation was available, Uber matched the records to the city in which the driver had signed up to drive to detennine the likely state ofresidence. In total, Uber notified 1391 cfrivers that a ear to live in Ore on, and a roximatel 400 of these have cunent addresses in Po1tland.
an thus Uber cannot say how many Oregon licensed drivers were affected specifically, w nc i may be slightly different from the number above if individuals' state of residence is not the same as state of licensure.
2. Provide us with the number of Uber riders listing a home address in Portland who had their name, or e-mail address, or phone number, or other personal information compromised by this data breach.
Please note that under Oregon law (as well as the laws of all other U.S. states), it is the driver's license number that here triggered breach rep01ting. Under the law of Oregon and other states, exposure of name, email address, and phone number does not constitute a repo1table breach or trigger notification requirements. Thus, Uber has not analyzed the data set to detennine state of residence for the users without a driver's license in the data set. If it were to tly to do so to satisfy general interest and curiosity, there would be challenges. The Uber app does not require riders to provide home address infonnation as palt of the sign-up process. Accordingly, even fmiher analysis using data in Uber's systems would be incomplete.
3. Provide us with an affirmative statement that Uber has not violated any other Portland rules, regulations or Oregon State laws since Po1·tland City Code was adopted in January 2016.
Executives and management at Uber deeply regret that this incident occuned and that Uber did not publicly disclose it at the time. The fact that Uber is now doing so, as well as its tennination of two of the individuals who led the handling of the incident in the fall of 2016, is a clear example of the path being chaited by the new CEO, the new General Counsel, and ctment executives and management. As the new CEO stated in his blog post announcing this incident, "None of this should have happened, and I will not make excuses for it. While I can't erase the past, I can co1ll111it on behalf of eve1y Uber employee that we will leam from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to eam the tl11st of our customers." See https:/Avvvw.uber.com/newsroom/2016-data-incident/. As Uber moves fotward, its executives and management intend to continue to share infom1ation honestly and forthrightly about this and other matters.
138078348-1
KenMcGair December 15, 2017 Page 3
4. Provide us with a copy of Uber's company policy on reporting data and security breaches.
As discussed in our phone conversation on December 13, 2017, we will produce these documents shortly after we finalize in writing an agreement that such materials are to be treated confidentially under the Data Insight Agreement. (Detailed information about data security matters is not normally shared in great detail with the general public as a whole because, if the information gets into the hands of malicious actors, it can give them insight into how to structure a future attack on the systems or data of Uber or another technology company. Thus, the information is appropriately exempt from public records act requests.)
* * * We hope that the above information is of assistance to you. Please let me know if you have further questions or desire additional information.
Very truly yours,
Rebecca S. Engrav
138078348.1
4
POllTll.Ai'llD l!JIJIUAU 01' TllANSPOll"l"ATION
1120 SW Fifth Avenue, Suite SOil Portland, OR 97204 503.823.5185
Fax 503.823.1576 TTY 503.823.6861'! www.portlan!!oregon.gov/transportaitlon
Dan Saltzman Commissioner LHh Treat Director
January 23, 2018
Sent via email as requested to: \f1i;;L1C:i1PQlUlli1;:>(Ci)~!!)ef,yom Raiser, LLC Attn: Rachel Pojunas 700 SW 5th Ave. #4000, 3rd Floor Portland, OR 97204
Dear Rachel:
RECEIVED
JAN 25 2017
PERKINS COIE LLP
On December 15, 2017, Rebecca Engrnv, from Perkins Coie, representing Uber, sent a letter to Portland Senior Deputy City Attorney Ken McGair regarding 'Uber Data Security Incident'. In that letter, Ms. Engrav stated that Uber notified the City and the State of Oregon that 1,391 drivers who live in Oregon were affected by a data breach that occurred in November of 2016. According to the letter, of those 1,391 drivers, approximately 400 nave current addresses in Portland.
We are requesting more information about these drivers. By end of business day on January 26, 2018, please provide the names and driver's license number of each of the possible 1,391 drivers compromised by the data breach who possess a City of Portland Business License. Obviously, these names will better help us determine which drivers have been certified to provide private for hire services in the City of Portland. Once this information has been uploaded to the established secure FTP site, please contact me via phone or email.
Please feel free to contact Senior Deputy City Attorney Ken McGair at 503.823.4047 or me with any questions you may have.
( i' i •.. \,'.I J ~.·
··~r~WHllams Heg'Ulatory Divisions Manager
c: Ken McGair Rebecca Engrav
t!H' Pnt!lund Oru(:r;u of Y.101l'l//(1iJ'nt'ion /ufly 1 Oil'lf)IU~\ i.Vf!h !rt/(' W o{ Ci1li/ N1f;IH~ ,An oj i9<)>.i, ihl' ,;~DA titlr 11, nn(/
1 dn111rJ i,:rut1 tf (''; rn 1d 1egulnr1011<.; uJ olt 111 o.t;t !unir 1'Uld odivilil"'\, ro1 utcnn11rrodrnion\, tornpf(nnr'; nnrf infn11notion, coll (1_)03) i?l.1-<il tVi, cny f'!Y (::;rrn 82.'.J ,(Jr'.N:JJ, 01 use Ou-'8on fiPhW 7 l r
5
2/9/2018 Uber Mail - RE: Uber Call Follow Up
UBER Rachel Pojunas <[email protected]>
RE: Uber Call Follow Up
Rachel Pojunas <[email protected]> Fri, Jan 26, 2018 at 5:58 PM To: "Williams, Mark" <[email protected]> Cc: Rachel Greenberg <[email protected]>, "McGair, Ken" <[email protected]>, "Benson, Dave" <[email protected]>, Candace Kelly <[email protected]>, Matt Neururer <[email protected]>
Hi Mark,
As a follow up to our conversation this afternoon, we have uploaded a file to the ftp site with the names, email addresses, and current driver's license numbers for all Uber driver-partners who (1) received notice of the data breach, and (2) have (or have had) a Portland business license, or have accepted a trip request in Portland. The file name is portland_breached_dl_plus_dl_num.xlsx.
Please let us know if you would like us to also provide for these driver-partners the driver's licenses numbers that were on file at the time of the data breach, or if you have any questions.
Have a wonderful weekend.
Best regards, Rachel
Rachel Pojunas
Senior Counsel (Licensed only in NY and DC)
[email protected] I uber.com
[Quoted text hidden]
https://mail.google.com/mail/u/O/?ui=2&ik=f535e42a37&jsver=5L3RpKOutOI.en.&view=pt&msg=l613556lcd4aa768&search=sent&siml=l6135561cd4aa768 1/1
6
1120 SW Fifth Avenue, Suite 800 Portland, OR 97204 503.823.5185
Fax 503.823.7576 TTY 503.823.6868 www.portlandorcgon.gov/transportation
Dan Saltzman Commissione~· Leah Treat Dii·ector
Raiser, LLC Attn: Matt Neururer 700 SW 5th Ave. #4000, 3rd Floor Portland, OR 97204
BY ELECTRONIC MAIL, US FIRST CLASS MAIL AND CERTIFIED MAIL
January 29, 2018
Re: Penalty for violation of Portland City Code Chapter 16.40.240
Dear Mr. Neururer:
In late November of 2017, we learned that Uber Technologies, Inc. the parent of its wholly owned subsidiary Raiser, LLC (collectively "Uber") was the subject of a massive data breach. This breach impacted millions of drivers and riders across the United States and the world. In a November 22, 2017 letter we received from Perkins Coie, we learned that 1391 Oregon drivers had their personal information disclosed. Uber also reported the data breach to the Oregon Department of Justice Department of Consumer and Business Services Consumer Protection section ("Oregon DOJ'') as required by ORS 646A.604. The notice to both the City and the Oregon DOJ noted that the breach began on October 13, 2016 and ended on November 15, 2016. Uber discovered the breach on November 14, 2016.
A breach of a consumer's personal information occurs when a consumer's name is disclosed in combination with any one or more identifying elements [(ORS 646A.602(1 )(a), (11 )]. In the November 22, 2017 report submitted to the Oregon DOJ and the City, Uber did not dispute this and identified that the names and Driver's License or State Identification Card Numbers of approximately 60 million accounts were accessed, noting that 1, 1731 were Oregonians.
According to media reports and Uber's own reporting of the breach, Uber's leadership knew about the breach for at least a year. In addition, Uber paid $100,000 to recover the lost records. Finally, Uber failed to notify either the State of Oregon or the City of Portland as required by Oregon Law and Portland City Code (16.40.240, K. 4) until sending the November 22, 2017 letter, more than a year after the initial breach and its discovery.
1 In its initial report to the DOJ and City Uber reported 1,173 Oregonians affected by the breach. In a follow up letter from Perkins Coie to the City on December 15, 2017 this number was revised to 1,391.
llPage
Uber has had a difficult relationship with the City of Portland dating back to December 2014. In 2014, Uber used a tactic that has become widely known and reported as Greyballing to thwart regulators while Uber was attempting to illegally establish operations in Portland. The failure to report the data breach to those affected and the state and City as required by state law and City Code shows a continuing disregard for Portland laws and regulatory structure for private for-hire operators. It is a clear violation of the data reporting requirement in Portland City Code 16.40.240 K.4. which provides:
16.40.240 TNC Company Operating Responsibilities and Prohibitions
K. Digital Record Requirements. Secure, digital records with contact information from TNC Drivers and TNC passengers shall be maintained by the TNC. Such records shall provide a verifiable way to identify drivers and riders for investigatory purposes. Secure digital records must be maintained in accordance with the following requirements:
4. The TNC shall notify the City of a known data security breach in the same manner as provided in ORS 646A.600 to ORS 646A.628.
M. Failure to comply with any provision in Section 16.40.240 is a Class B violation subject to penalties provided in Sections 16.40.930 through 16.40.950.
In accordance with Portland City Code 16.40.930, we are imposing a fine of $3,475,000.00. Each violation is a separate offense which carries a penalty. As noted, the violations for failure to report a breach of personal information is a Class B violation. In total, Uber has noted 1,391 violations subject to penalty. The violations began on November 14, 2016. Under the penalty table provided in 16.40.930, a first offense of a Class B violation is punishable by a $1000 penalty. The second offense of this Class B violation is punishable by a $1500 penalty. The third, and each subsequent offenses are Class B violations punishable by a $2500 penalty. The penalty for violations of PCC 16.40.24 K.4. breaks down as follows:
1st driver 2nd driver
1389 drivers
$1,000.00 $1,500.00 $ 2,500.00
$ 1,000.00 $ 1,500.00
$ 3,472,500.00 $ 3,475,000.00
The penalty for these violations could also include suspension or revocation of Uber's operating permit. Despite the volume of violations, we are not suspending or revoking the operating permit at this time.
Please Remit Payment to: City of Portland - Accounting Division Attn: General AR PO Box 5066 Portland, OR 97208-5066
(Check or money orders only)
21Page
If you believe that this determination is not consistent with City Code, you may request an appeal before a Code Hearings Officer under the provisions of Portland City Code Chapter 22.10. To arrange a hearing, the Code Hearings Office must receive your written request no later than 10 business days after the date of this determination. Your written request must include a description of what you believe makes this determination invalid along with copies of any evidence you wish to submit. Hand-deliver your written request to:
City of Portland Code Hearings Office 1900 SW 4th Avenue Room 3100 Portland, OR 97201 Monday - Friday from 8:30am to 12:00pm and 1 :OOpm to 4:30pm http://www.portlandoregon.gov/hearings/ Phone 503-823-7307 Fax 503-823-434 7
You will receive an acknowledgement from the Code Hearings Office if you submit an appeal request. Please note that if you request an appeal, the decision in this letter will be stayed until the Hearings Officer makes a final determination.
Sincerely,
Leah Treat
cc: Dave Benson, Parking Group Manager Mark Williams, Regulatory Division Manager Matthew Erickson - Program Manager Ken McGair, Sr. Deputy City Attorney Rebecca Engrav, Perkins Coie
3IPage