Chicago —(ENEWSPF)—September 27, 2018
By: Rosemary Piser
Attorney General Lisa Madigan announced yesterday that she led the Attorneys General of all 50 states and the District of Columbia in reaching a $148 million settlement agreement with California-based ride-sharing company Uber Technologies Inc. (Uber) to address the company’s one-year delay in reporting a data breach to approximately 600,000 drivers nationwide.
Uber had learned in November 2016 that hackers had gained access to personal information that Uber maintains about its drivers, including drivers’ license information. The data breach triggered Illinois’ breach notification law that required Uber to notify affected Illinois residents, but Uber failed to report the breach in a timely manner, instead waiting over a year to report it.
At the announcement, Attorney General Madigan said, “Uber completely disregarded Illinois’ breach notification law when it waited more than a year to alert people to a serious data breach. While Uber is now taking the appropriate steps to protect the data of its drivers in Illinois and across the country, the company’s initial response was unacceptable. Companies cannot hide when they break the law.”
As part of the nationwide settlement, Illinois will receive nearly $8.5 million. In addition, Uber has agreed to strengthen its data security practices and corporate governance to help prevent a similar occurrence in the future.
Madigan’s office will provide a $100 payment to each Illinois Uber driver whose information was accessed during the 2016 breach. Some of those drivers may no longer be driving for Uber. A settlement administrator will be appointed to provide notice and payment to eligible drivers. Details of that process will be announced by Madigan’s office after the effective date of the settlement.
The settlement between Illinois and Uber requires the company to:
- Comply with Illinois data breach and consumer protection laws regarding safeguarding Illinois residents’ personal information and notifying them in the event of a data breach concerning their personal information;
- Take precautions to protect any user data Uber stores on third-party platforms outside of Uber;
- Use strong password policies for its employees to gain access to the Uber network;
- Develop and implement a strong and comprehensive data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional, necessary security measures to protect the data;
- Hire a qualified and independent outside party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements;
- Implement any security improvement recommendations made in the outside assessment; and
- Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that it will be heard.
Joining Madigan in the settlement were the Attorneys General of the 49 other states and the District of Columbia.