DELAWARE -- After a massive data breach back in 2016, ride-sharing company Uber Technologies, Inc. has agreed to change its security practices and make payments to impacted Uber drivers.
In November 2016, Uber learned that hackers received access to some of its drivers' personal information, including drivers' license information. The hack impacted some 600,00 drivers nationwide, among them were drivers in Delaware. According to Uber, the company investigated the matter internally and received assurances from the hackers that they would delete the information. Despite the matter being handled, the company violated Delaware's, along with other states', data privacy laws, requiring the company to notify the drivers impacted by the hack. Delaware officials say Uber failed to report the breach in a timely manner by waiting a year later to the report the hack.
in order to resolve an investigation into Uber’s delay in reporting a data breach to its drivers, violating Delaware’s and others states’ data privacy laws.
“It is critically important that companies protect the sensitive personal information of the people using their services, and that they inform those people in a timely fashion when that information is improperly acquired,” Attorney General Matt Denn said. “This settlement will ensure that Uber improves its data security efforts, and holds Uber accountable for not informing drivers that their information was breached.”
The settlement, which includes Delaware and the attorneys general of the other 49 states and the District of Columbia, was announced on Wednesday. Under the settlement between Delaware and Uber, the company is required to:
- Comply with Delaware data breach and consumer protection laws regarding protecting Delaware residents’ personal information and notifying them in the event of a data breach concerning their personal information;
- Take precautions to protect any user data Uber stores on third-party platforms outside of Uber;
- Use strong password policies for its employees to gain access to the Uber network;
- Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;
- Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations; and
- Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that it will be heard.
In addition, Uber has also agreed to pay $148 million in total to the states affected. Delaware will receive $643,000 for which the Delaware Department of Justice Consumer Protection Unit will use a portion to provide each Uber driver impacted in Delaware with a $100 payment. Eligible drivers will be those Delaware Uber drivers whose driver’s license numbers were accessed during the 2016 breach – there are estimated to be 639 such drivers.
The rest of Delaware’s share of the settlement proceeds will go into the Consumer Protection Fund, which pays for the Attorney General’s work on consumer fraud and deceptive trade practice matters and other consumer-oriented investigations and legal actions.
