ALBANY – Uber Technologies, Inc. will be required to pay a record $148 million penalty as the company and all 50 states and the District of Columbia reached a settlement, according to an announcement Wednesday from New York Attorney General Barbara Underwood.
Uber allegedly concealed a 2016 data breach intentionally, in violation of state data breach notification laws. The settlement also requires Uber to adopt model data breach notification and data security practices and a corporate integrity program for employees to report unethical behavior, and hire an independent third party to assess its data security practices.
“New Yorkers deserve to know that their personal information will be protected – period,” said Attorney General Underwood. “This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation. We’ll continue to fight to protect New Yorkers from weak data security and criminal hackers.”
Pennsylvania Attorney General Josh Shapiro, meanwhile, said his office will receive $5.7 million from Uber.
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this data breach,” Shapiro said. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and keep quiet. That is outrageous corporate misconduct, and today’s settlement holds them accountable and requires real changes in their corporate behavior.”
Underwood said that in November 2016, hackers based in the United States and Canada secretly informed security officials at Uber that they had downloaded the personal information of 57 million riders and drivers, 25 million of whom were in the United States and 7.7 million of whom were drivers.
The information stolen reportedly included names, email addresses, and mobile phone numbers; drivers’ license information pertaining to approximately 600,000 drivers nationwide was also stolen. After providing proof of the massive data breach, the hackers demanded “six figures” to delete the data and not disclose the breach. Uber ultimately paid the hackers $100,000 to conceal the breach, according to the allegations.
In the spring of 2017, Uber’s Board of Directors directed a law firm to investigate Uber’s security team in the wake of unrelated litigation involving the alleged theft of trade secrets related to self-driving cars. As part of this inquiry, the law firm learned of the breach and ransom payment. Upon learning of the breach, the board hired a forensic firm to investigate the breach. Uber ultimately provided notice of the breach in late November 2017, a year after the breach.
General Business Law § 899-aa requires companies that experience a breach involving certain personal information, including driver’s license numbers, to provide notice “in the most expedient time possible and without unreasonable delay.” By intentionally concealing the breach and failing to disclose it for a year, Uber violated GBL § 899-aa.
As part of the nationwide settlement, Uber has agreed to pay a record penalty of $148 million to the states. New York will receive approximately $5.1 million.
The settlement between New York and Uber requires the company to:
Comply with New York’s data breach and consumer protection laws regarding protecting New York residents’ personal information and notifying them in the event of a data breach concerning their personal information;
Take precautions to protect any user data Uber stores on third-party platforms outside of Uber;
Use strong password policies for its employees to gain access to the Uber network;
Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;
Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations; and
Develop and implement a corporate integrity program to ensure that Uber employees can report any ethics concerns they have about any other Uber employees to the company.
This settlement also addresses and resolves allegations that Uber’s conduct violated an earlier 2016 settlement with the Office of the New York Attorney General. In the earlier investigation, the office found that on May 12, 2014, a hacker accessed an Uber database that included names of roughly 50,000 Uber drivers and their driver’s license numbers.
Uber discovered the breach in September 2014 but did not provide notice to the affected drivers and the office until February 26, 2015, over five months later. The prior 2016 settlement required Uber to comply with GBL § 899-aa. It also required Uber to adopt protective technologies for the storage, access, and transfer of certain personal information, and credentials related to its access, including the adoption of multi-factor authentication, or similarly protective access control methodologies.
The New York Attorney General independently investigated the current breach, but later joined the multistate investigatory process, where it took a leadership position, to effectuate settlement.
