Delaware Attorney General Matt Denn Announces Settlement With Uber Over Data Breach
Ride-sharing company Uber Technologies, Inc. will change its security practices and make payments that will be shared with affected Uber drivers in order to resolve an investigation into Uber’s delay in reporting a data breach to its drivers, a delay that violated Delaware’s and other states’ data privacy laws.
The settlement, which includes Delaware and the attorneys general of the other 49 states and the District of Columbia, was announced on Wednesday.
Uber learned in November 2016 that hackers had gained access to some personal information that Uber maintains about its drivers, including driver’s license information pertaining to approximately 600,000 drivers nationwide. Uber tracked down the hackers and obtained assurances that the hackers deleted the information. However, even though the improper acquisition of some of that information, namely driver’s license numbers for Uber drivers, triggered Delaware’s data breach law requiring the company to notify affected Delaware residents, Uber failed to report the breach in a timely manner, waiting until November 2017 to report it.
“It is critically important that companies protect the sensitive personal information of the people using their services, and that they inform those people in a timely fashion when that information is improperly acquired,” Attorney General Matt Denn said. “This settlement will ensure that Uber improves its data security efforts, and holds Uber accountable for not informing drivers that their information was breached.”
The settlement between Delaware and Uber requires the company to:
- Comply with Delaware data breach and consumer protection laws regarding protecting Delaware residents’ personal information and notifying them in the event of a data breach concerning their personal information;
- Take precautions to protect any user data Uber stores on third-party platforms outside of Uber;
- Use strong password policies for its employees to gain access to the Uber network;
- Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;
- Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations; and
- Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that those concerns will be heard.
As part of the settlement, Uber has also agreed to pay $148 million total to the states. Delaware will receive $643,000 and the Delaware Department of Justice Consumer Protection Unit will use a portion of Delaware’s share to provide each Uber driver impacted in Delaware with a $100 payment. Eligible drivers will be those Delaware Uber drivers whose driver’s license numbers were accessed during the 2016 breach – there are estimated to be 639 such drivers. Some of those drivers may not still be driving for Uber today.
The rest of Delaware’s share of the settlement proceeds will go into the Consumer Protection Fund, which pays for the Attorney General’s work on consumer fraud and deceptive trade practice matters and other consumer-oriented investigations and legal actions.
Deputy Attorneys General Christian Douglas Wright and Stephen McDonald led Delaware’s efforts in this investigation.