FOR IMMEDIATE RELEASE
September 26, 2018
UBER AGREES TO PAY $148 MILLION IN MULTI-STATE SETTLEMENT
Uber agrees to strengthen security practices after data breach
SALT LAKE CITY – Today, Attorney General Sean Reyes and Utah Department of Commerce Executive Director Francine Giani jointly announced that Utah would receive nearly $900,000 from Uber Technologies, Inc. (Uber) in a settlement agreement over a one-year delay in reporting a data breach to affected drivers. Uber will pay Utah, the other 49 states, and the District of Columbia a total of $148 million in addition to strengthening its corporate governance and data security practices to prevent similar occurrences in the future.
Uber learned in November 2016 that hackers gained access to personal information involving the ride-sharer’s drivers, including drivers’ license information. The data breach involved approximately 600,000 drivers nationwide, about 2,500 from Utah. Uber tracked down the hackers and obtained assurances that the hackers deleted the information. Utah’s law requires Uber to notify affected Utah residents, but Uber failed to report the breach until November 2017.
Attorney General Reyes stated, “I’m a fan of Uber, but that doesn’t keep us from doing our job. Protecting Utahns, their data, and identities is one of the top priorities of my office. Working with the Utah Department of Commerce and colleagues from other states, we were able to achieve a fair resolution without protracted litigation.” Deputy Attorney General David Sonnenreich added, “prompt reporting of data breaches is important so that victims have the information they need to better protect themselves from identity theft.”
“Sadly data breaches have become a constant headline in our highly connected lives,” said Francine Giani, Executive Director for the Utah Department of Commerce. “We hope Uber’s case sends a message to the business community to be swift in alerting the public when consumer information is compromised. The Department of Commerce is grateful for the partnership with the Attorney Generals’ Office in settling Utah’s claim.”
The settlement requires Uber to: 1) comply with Utah data breach and consumer protection law about Utah residents’ personal information and notifications in the event of a data breach; 2) take precautions to protect any user data Uber stores on third-party platforms outside of Uber; 3) use strong password policies for its employees to gain access to the Uber network; 4) develop and implement a strong data security policy for all data that Uber collects about its users, assess potential risks to the security of the data, and implement additional security measures beyond what Uber is doing to protect the data; 5) hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with recommended security improvements, and 6) develop and implement a corporate integrity program to ensure that ethics concerns brought by Uber employees about other employees will be heard.
Utah joins the other 49 states and the District of Columbia in this multistate agreement with Uber.
# # #
- You can find a copy of the Complaint, Proposed Judgment, and additional court documents here:
Photo by Antonio DiCaterina