Attorney General Lawrence Wasden has announced that Idaho, 49 other states and the District of Columbia have all reached an agreement with California-based ride-sharing company Uber Technologies, Inc. The settlement addresses the company’s one-year delay in reporting a data breach to affected drivers.
Uber learned in November 2016 that hackers had gained access to personal information the company maintains about its drivers. The hacked records included drivers’ license information for about 600,000 Uber drivers across the country. Once aware of the breach, Uber identified the hackers and obtained assurances they had deleted the information. However, Uber failed to report the breach in a timely manner -- waiting until November 2017 to alert the affected drivers, according to a news release from Wasden’s office.
“Unfortunately, hacks like this one have become a regular occurrence,” Wasden said. “When they happen, companies should promptly notify those affected. In this case, Uber waited too long and the company is being held accountable as a result.”
As part of the nationwide settlement, Uber has agreed to pay $148 million to the states. Idaho will receive $631,876. In addition, Uber has agreed to strengthen its corporate governance and data security practices to help prevent a similar occurrence in the future.
The settlement also requires Uber to:
--Comply with data breach and consumer protection laws regarding the safeguarding of Idahoans’ personal information and notify them in the event of a data breach concerning their personal information;
--Take precautions to protect any user data Uber stores on third-party platforms;
--Use strong password policies for its employees to gain access to the Uber network;
--Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;
--Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations; and
--Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns about other Uber employees to the company, and that the concerns will be heard.