By Forum Staff
Ride sharing company Uber Technologies, Inc. recently reached a deal with all 50 states and the District of Columbia that requires Uber to pay a record penalty of $148 million to settle allegations that it intentionally concealed a 2016 data breach in violation of state data breach notification laws, according to New York Attorney General Barbara Underwood.
The pact also requires Uber to adopt model data breach notification and data security practices and a corporate integrity program for employees to report unethical behavior, and hire an independent third party to assess its data security practices, Underwood noted.
Two years ago, hackers based in the U.S. and Canada privately contacted Uber's security team to report that they had downloaded the personal information of 57 million riders and drivers; 25 million of those users were in the U.S., and 7.7 million of them were drivers. The stolen data included names, email addresses, and mobile phone numbers; driver's license information for approximately 600,000 drivers nationwide was also taken. Having provided proof of the breach, the hackers demanded a "six figure" payment to delete the data and keep the incident quiet. Uber ultimately paid them $100,000 to conceal the attack.
In the spring of 2017, Uber's Board of Directors directed a law firm to investigate Uber's security team in the wake of unrelated litigation over the alleged theft of trade secrets related to self-driving cars. In the course of that inquiry, the law firm learned of the breach and the ransom payment. Upon learning of the breach, the board hired a forensic firm to investigate it. Uber ultimately provided notice of the breach in late November 2017, roughly a year after it occurred.
Underwood pointed out that New York's General Business Law requires companies that experience a breach involving certain personal information, including driver's license numbers, to provide notice "in the most expedient time possible and without unreasonable delay." By intentionally concealing the breach and failing to disclose it for a year, Uber violated that law, Underwood said.
The settlement between the Empire State and Uber requires the company to pay New York $5.1 million and to:
• Comply with New York’s data breach and consumer protection laws regarding protecting residents’ personal information and notifying them in the event of a breach concerning their personal information;
• Take precautions to protect any user data Uber stores on third-party platforms outside of Uber;
• Enforce strong password policies for employee access to the Uber network;
• Develop and implement a strong overall data security policy for all data that Uber collects about its users;
• Hire a qualified outside party to assess Uber's data security efforts on a regular basis and report any recommended security improvements, which Uber must then implement; and
• Develop and implement a corporate integrity program to ensure that Uber employees can report any ethics concerns they have about any other Uber employees to the company.
“This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation,” Underwood added.