Attorney General Fox Reaches $148 Million Settlement with Uber Over Data Breach
Montana Attorney General Tim Fox announced that he, along with 49 other states and the District of Columbia, has reached an agreement with California-based ride-sharing company Uber Technologies, Inc. (Uber) to address the company’s one year delay in reporting a data breach to its affected drivers.
Uber learned in November 2016 that hackers had gained access to some personal information Uber maintains about its drivers, including drivers’ license information for nearly 600,000 drivers nationwide. Uber tracked down the hackers and obtained assurances they deleted the information. However, even though some of that information, namely drivers’ license numbers for Uber drivers, triggered Montana law requiring them to notify affected Montana residents, Uber failed to report the breach in a timely manner, waiting until November 2017 to report it.
“Montana law requires prompt reporting of data breaches to my office and to individuals whose private information is compromised,” Attorney General Tim Fox said. “In this case, although only 86 Montana Uber drivers were impacted, the company’s failure to report the breach for one full year prevented the State from ensuring the drivers had considered protecting themselves from possible identity theft in a timely manner. This settlement sends a message that companies will pay when they ignore the privacy and reporting requirements of Montana law.”
As part of the nationwide settlement, Uber agreed to pay $148 million to the states. Montana will receive $575,344. In addition, Uber has agreed to strengthen its corporate governance and data security practices to help prevent a similar occurrence in the future.
The settlement between the State of Montana and Uber requires the company to:
• Comply with Montana’s data breach and consumer protection law regarding protecting Montana residents’ personal information and notifying them in the event of a data breach concerning their personal information;
• Take precautions to protect any user data it stores on third-party platforms outside of Uber;
• Use strong password policies for its employees to gain access to the Uber network;
• Develop and implement a strong data security policy for all data Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what it is already doing to protect that data;
• Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations; and
• Develop and implement a corporate integrity program to ensure Uber employees can bring ethics concerns they have about any other Uber employees to the company, and that it will be heard.