W.Va. AG Reaches $148M Settlement in Uber Data Breach

CHARLESTON — West Virginia Attorney General Patrick Morrisey reached a $148 million, multistate settlement with Uber to address the ride-sharing company’s one-year delay in reporting a data breach to its affected drivers.

West Virginia will receive approximately $592,800 from the nationwide settlement, which also requires Uber to strengthen its corporate governance and data security practices among other requirements aimed at preventing a similar occurrence in the future.
“Every entity must work to ensure it protects data collected from its consumers, clients and employees alike,” Attorney General Morrisey said. “Every entity, regardless of its size, must realize hackers are relentless and therefore make data security a top priority and promptly notify those affected when an unauthorized intrusion occurs.”
The settlement stems from Uber’s failure to promptly report a data breach it discovered in November 2016.
The breach allowed hackers to gain access to some personal information that Uber maintains about its drivers, including license information pertaining to approximately 600,000 drivers nationwide.
Uber tracked down those responsible and obtained assurances that the hackers deleted the information; however, the drivers’ license numbers and other information triggered laws requiring the company to notify those affected. Uber failed to report the incident until November 2017.
The settlement between West Virginia and Uber requires the company to:
  • Comply with West Virginia consumer protection laws regarding the protection of personal information and notification in the event of a data breach concerning personal information;
  • Take precautions to protect any user data it stores on third-party platforms outside of Uber;
  • Use strong password policies for its employees to gain access to the Uber network;
  • Develop and implement a strong security policy for all data that it collects about users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;
  • Hire a qualified, outside party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations; and
  • Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that those concerns will be heard.
All 50 states and the District of Columbia participated in this multistate agreement with Uber, a California-based company also known as Uber Technologies Inc.