Delaware Attorney General Matt Denn Announces Settlement With Uber Over Data Breach

Ride-sharing company Uber Technologies, Inc. will change its security practices and make payments that will be shared with affected Uber drivers in order to resolve an investigation into Uber’s delay in reporting a data breach to its drivers, violating Delaware’s and other states’ data privacy laws.

The settlement, which includes Delaware and the attorneys general of the other 49 states and the District of Columbia, was announced on Wednesday.

Uber learned in November 2016 that hackers had gained access to some personal information that Uber maintains about its drivers, including drivers’ license information pertaining to approximately 600,000 drivers nationwide. Uber tracked down the hackers and obtained assurances that the hackers deleted the information. However, even though the improper acquisition of some of that information, namely driver’s license numbers for Uber drivers, triggered Delaware’s data breach law requiring them to notify affected Delaware residents, Uber failed to report the breach in a timely manner, waiting until November 2017 to report it.

“It is critically important that companies protect the sensitive personal information of the people using their services, and that they inform those people in a timely fashion when that information is improperly acquired,” Attorney General Matt Denn said. “This settlement will ensure that Uber improves its data security efforts, and holds Uber accountable for not informing drivers that their information was breached.”

The settlement between Delaware and Uber requires the company to:

  • Comply with Delaware data breach and consumer protection laws regarding protecting Delaware residents’ personal information and notifying them in the event of a data breach concerning their personal information;
  • Take precautions to protect any user data Uber stores on third-party platforms outside of Uber;
  • Use strong password policies for its employees to gain access to the Uber network;
  • Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;
  • Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations; and
  • Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that those concerns will be heard.

As part of the settlement, Uber has also agreed to pay $148 million total to the states. Delaware will receive $643,000 and the Delaware Department of Justice Consumer Protection Unit will use a portion of Delaware’s share to provide each Uber driver impacted in Delaware with a $100 payment. Eligible drivers will be those Delaware Uber drivers whose driver’s license numbers were accessed during the 2016 breach – there are estimated to be 639 such drivers. Some of those drivers may not still be driving for Uber today.

The rest of Delaware’s share of the settlement proceeds will go into the Consumer Protection Fund, which pays for the Attorney General’s work on consumer fraud and deceptive trade practice matters and other consumer-oriented investigations and legal actions.

Deputy Attorneys General Christian Douglas Wright and Stephen McDonald led Delaware’s efforts in this investigation.


DOJ Consumer Protection Unit Prosecuting Sussex Home Improvement Fraud Case, Looking for Other Potential Victims

The Consumer Protection Unit (CPU) of the Delaware Department of Justice is pursuing criminal charges against a Sussex County-based contractor accused of defrauding multiple Delaware homeowners.

Charges currently pending against Sergio Izzo, Jr., 32, of Lewes, include 4 counts of Theft, 2 counts of Issuing a Bad Check, 2 counts of Home Improvement Fraud, 2 counts of Unlawful Use of a Payment Card, 2 counts of Forgery Second Degree, 2 counts of Criminal Impersonation, and 1 count of Providing False Statements to Hinder an Investigation. Izzo conducted business as Izzo & Son Turf Company, LLC, based in Long Neck.

The allegations in the cases are that Izzo accepted payment from several different victims for home improvement work that he then did not substantially complete, and did not provide refunds. The charges also relate to allegations that unauthorized charges were made to customer credit cards, and that he accepted delivery of materials from a building supply company and failed to pay for them.

DOJ Consumer Protection urges other homeowners who believe they may have a similar complaint about Izzo or Izzo & Son Turf Company, LLC, or have information to share with authorities, to contact DOJ Special Investigator Dan Daly at (302)752-3215.

Generally, DOJ Consumer Protection advises Delawareans hiring a contractor for home improvement work to be alert for scams, and help avoid them by doing homework before hiring a contractor:

  • Contractors should always be bonded and maintain all required licenses for mechanical work
  • Get references and follow up on them
  • Talk to friends and neighbors about a contractor’s reputation
  • Never pay for the work in cash or in full up front

If consumers suspect they are a victim of home improvement fraud, they should contact their local law enforcement agency to make a police report.

In all cases, defendants are presumed innocent until and unless proven guilty.


DOJ Warns Delawareans About Latest Round of Scam Jury Duty Calls

The Delaware Department of Justice Consumer Protection Unit is alerting residents that a phone scam regarding missed jury duty service is again making its way through Delaware, including recently in Kent County.

In the most recent scam, consumers receive a call from a live person who claims to be calling from a court office (such as the “Kent County Civil Processing Unit”) and says that bench warrants have been issued for the consumer’s arrest due to their failure to appear for jury duty. Consumers have reported that they were told that, in order to avoid arrest, they must pay a fine via a money order or gift card purchased at a convenience store or pharmacy. The scam has included someone who refers to themselves as a major and who provides a number with a (302) area code to call back when they are ready to provide the payment.

According to Delaware’s courts, Delawareans eligible for jury duty are always notified about their obligation to serve jury duty by mail; never by telephone. If you do receive a call about jury duty, you can check to see if you have been summoned by calling Delaware Superior Court Jury Services at 302-255-0800 for New Castle County, 302-735-1901 for Kent County, and 302-855-7055 for Sussex County.

DOJ also reminds residents to be extra diligent about this or other telephone scams by:

  • Never agreeing to pay any fine or other money over the phone, including by purchasing a money order or gift card at a store and providing the number to someone over the phone or by email. Government agencies do not take payments this way.
  • Not answering calls from unknown numbers or unfamiliar persons. Scams can be “spoofed” to appear to be coming from a local number, even though the call is originating from out of state or overseas.
  • Hanging up on aggressive callers, particularly those who threaten arrest.

The Attorney General encourages consumers who believe they may have been scammed to call the toll-free Consumer Hotline at 1-800-220-5424 or email the Attorney General’s Consumer Protection Unit at consumer.protection@delaware.gov. If you receive a call but have not paid any money to the scammers, you can report the phone number to the National Do Not Call Registry and file a complaint at www.donotcall.gov.


Attorney General Denn Announces New Online Data Security Breach Reporting Resource

Amendments to Delaware’s data security breach notification law that went into effect Saturday require companies to notify the Delaware Attorney General when they experience a breach affecting the personal information of more than 500 Delaware residents, and the Delaware Department of Justice’s Consumer Protection Unit has launched an online portal to assist consumers, businesses, and other individuals and organizations who are involved in, or want to learn more about, data security breaches affecting Delaware residents.

Since 2005, any person who conducts business in Delaware, and who owns, licenses, or maintains personal information of Delaware residents, has had to provide notice to Delaware residents when the personal information of those Delaware residents has been subject to a security breach. Amendments to Delaware law passed in 2017, sponsored by Rep. Paul Baumbach and Sen. David Sokola, and backed by the Consumer Protection Unit, greatly expanded the definition of “personal information” to protect more sensitive information, and now require persons to provide notice to the Delaware Attorney General when a security breach affects more than 500 Delaware residents. Prior to the amendments, businesses and other organizations which suffered security breaches were not required to provide notice to the Delaware Attorney General, regardless of how many Delaware residents were affected.

A new webpage is now available on the Attorney General’s website, at https://attorneygeneral.delaware.gov/fraud/cpu/securitybreachnotification/, with the following resources:

  • Online Reporting of Data Security Breaches — Any person, including businesses, organizations, and government agencies, who needs to provide notice of a data security breach to the Delaware Attorney General will be able to do so using either a web form available on the new webpage, or a fillable PDF form also available on the webpage that can be emailed directly to the Consumer Protection Unit’s dedicated email address for notifications (security.breach.notification@delaware.gov). Use of these resources is voluntary, and persons required to provide notice to the Attorney General can still send written notice through the mail.
  • Data Security Breach Notice Database — A database will allow consumers to see which entities have reported data security breaches to the Attorney General, when those breaches occurred, and the approximate number of Delaware residents affected by those breaches.
  • Model Form for Providing Notice to Consumers and Other Affected Persons — Delaware’s Data Security Breach Notification Law does not require a specific form of notice in order to notify Delaware residents that their personal information was involved in a data security breach, but to provide assistance and guidance to persons required to provide notice to Delaware residents, the Consumer Protection Unit is making available a Model Data Security Breach Notification Form that will help provide Delaware residents with clear, easy-to-read, and accessible information regarding the data security breach.
  • Links to Online Cybersecurity Resources — The webpage will also include links to helpful resources on cybersecurity issues, including the Delaware Department of Technology and Information, the Delaware Small Business Development Council, the Federal Trade Commission, and the U.S. Department of Homeland Security.

“Data security breaches, whether due to simple human error, criminal conduct by hackers, or something else, can have long-lasting and significant effects on the Delawareans whose personal information is stolen,” Attorney General Matt Denn said. “It’s important that businesses and other organizations that suffer these breaches promptly notify consumers and law enforcement, including my office. These new online resources will make it easy to let my office know what’s happened, so that we can ensure appropriate action is taken to protect and help Delawareans affected by data security breaches.”


Attorney General’s Office Warns Delawareans About Vacation Rental Scams

With people already making summer vacation plans, the Consumer Protection Unit of the Delaware Department of Justice warns Delawareans to be careful when looking for a vacation rental. Scammers operating rental schemes find legitimate rental postings and capture the information and photos of the property, and then list it on Craigslist or other online advertising platforms. Unsuspecting consumers looking for a good deal on a vacation rental find the bogus posting, send a deposit, and receive confirmation of their rental only to arrive to find other people in the home, unable to gain access, or otherwise turned away from the property they believed they had rented.

Scams also can occur with regard to long-term leases for homes or apartments, where scammers may even have changed the locks illegally on a property and allow someone to move in, even though they are not the true owner.

All consumers should be diligent before entering into any type of lease for a rental property or providing any deposit or rental payment by taking these steps first:

  • Consider working with a licensed realtor or property management company when possible;
  • If using an online search engine or website, research whether the property appears on other websites or listing platforms and make contact with the listing agents to determine which is the legitimate advertisement;
  • Research who the true owner of the property is by doing a parcel search online: In Delaware, one can search New Castle County properties at http://www3.nccde.org/parcel/search/; Kent County properties at http://kent400.co.kent.de.us/PropInfo/PIName.HTM; and Sussex County properties at https://sussexcountyde.gov/zoning-and-sales-information;
  • Carefully review the posting, advertisement or lease for misspellings and grammatical errors;
  • If you are looking at a rental through an online listing site, you should familiarize yourself with the site’s policies for detecting and dealing with potentially fraudulent listings;
  • Never pay any security deposit or rental payment in cash—always use a check, money order or credit card—and demand a receipt;
  • For long-term leases:
    o Demand a written lease in advance, that includes the identification and contact information of the landlord, as well as identification of the bank where your security deposit (if applicable) will be held;
    o When possible, request a walk-through before agreeing to rent or paying any deposit;
    o Talk to neighbors to learn more about the property and the owners—be cautious of properties with a recently deceased owner or foreclosure;
    o If you meet the person claiming to be the landlord, request to see their credentials, such as a business card or realtor’s license, and identification; you should also make note of the make and model of their car and the license plate number.

Consumers who believe they may have been scammed should contact their local police department and file a report. They can also call the Attorney General’s toll-free Consumer Hotline at 1-800-220-5424 or email the Consumer Protection Unit of DOJ at consumer.protection@delaware.gov. If the listing was posted on an online platform, such as Craigslist, the consumer should also file complaints with the online platform and with federal law enforcement at www.ic3.gov.