On September 26, 2018, Uber Technologies Inc. (“Uber”) agreed to a settlement (the “Settlement”) with all 50 U.S. state attorneys general (the “Attorneys General”) in connection with a 2016 data breach affecting the personal information (including driver’s license numbers) of approximately 607,000 Uber drivers nationwide, as well as approximately 57 million consumers’ email addresses and phone numbers. The Attorneys General alleged that after Uber learned of the breach, which occurred in November 2016, the company paid the intruders a $100,000 ransom to delete the data. They further alleged that Uber failed to promptly notify affected individuals of the incident, as required under various state laws, and instead notified affected customers and drivers of the breach one year later, in November 2017.
As reported by the Pennsylvania Office of the Attorney General, the Settlement will require Uber to pay $148 million to the Attorneys General, which will be divided among the 50 states. In addition, Uber must undertake certain data security measures, including:
- comply with applicable breach notification and consumer protection laws regarding protecting personal information;
- implement measures to protect user data stored on third-party platforms;
- implement stricter internal password policies for employee access to Uber’s network;
- develop and implement an overall data security policy to address the collection and protection of personal information, including assessing potential data security risks;
- implement additional data security measures with respect to personal information stored on Uber’s network;
- implement a corporate integrity program to ensure appropriate reporting channels for internal ethics concerns or complaints; and
- engage a third-party expert to conduct regular assessments of Uber’s data security efforts and make recommendations for improvement, as appropriate.
The Settlement is pending court approval. In a statement, California Attorney General Xavier Becerra said, “Uber’s decision to cover up this breach was a blatant violation of the public’s trust. The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law.”
We previously reported that the Federal Trade Commission modified a 2017 settlement with Uber after learning of the company’s response to the 2016 breach.
Update: In addition, as reported by Law360, on November 27, 2018, Uber was fined by both the UK Information Commissioner’s Office (“ICO”) and the Dutch Data Protection Authority (“DPA”). The ICO’s fine of £385,000 was a result of Uber’s failure to protect its customers’ personal information. The Dutch DPA fined Uber €600,000 “for violating the Dutch data breach regulation,” which requires notification of the breach within 72 hours.