A.G. UNDERWOOD ANNOUNCES RECORD $148 MILLION SETTLEMENT WITH UBER OVER 2016 DATA BREACH
Settlement with 50 States & DC Also Requires Uber to Adopt Model Data Breach Notification and Data Security Practices, Corporate Integrity Program; Hire Independent Third Party to Assess Data Security
Attorney General Barbara D. Underwood today announced an agreement with ride-sharing company Uber Technologies, Inc. (Uber) to settle allegations it intentionally concealed a 2016 data breach in violation of state data breach notification laws. The settlement, which was reached with all 50 states and the District of Columbia, requires Uber to adopt model data breach notification and data security practices and a corporate integrity program for employees to report unethical behavior, and hire an independent third party to assess its data security practices. It also requires Uber to pay a record penalty of $148 million.
“New Yorkers deserve to know that their personal information will be protected – period,” said Attorney General Underwood. “This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation. We’ll continue to fight to protect New Yorkers from weak data security and criminal hackers.”
In November 2016, hackers based in the United States and Canada secretly informed security officials at Uber that they had downloaded the personal information of 57 million riders and drivers, 25 million of whom were in the United States and 7.7 million of whom were drivers. The information stolen included names, email addresses, and mobile phone numbers; drivers’ license information pertaining to approximately 600,000 drivers nationwide was also stolen. After providing proof of the massive data breach, the hackers demanded “six figures” to delete the data and not disclose the breach. Uber ultimately paid the hackers $100,000 to conceal the breach.
In the spring of 2017, Uber’s Board of Directors directed a law firm to investigate Uber’s security team in the wake of unrelated litigation involving the alleged theft of trade secrets related to self-driving cars. As part of this inquiry, the law firm learned of the breach and ransom payment. Upon learning of the breach, the board hired a forensic firm to investigate the breach. Uber ultimately provided notice of the breach in late November 2017, a year after the breach.
General Business Law § 899-aa requires companies that experience a breach involving certain personal information, including driver’s license numbers, to provide notice “in the most expedient time possible and without unreasonable delay.” By intentionally concealing the breach and failing to disclose it for a year, Uber violated GBL § 899-aa.
As part of the nationwide settlement, Uber has agreed to pay a record penalty of $148 million to the states. New York will receive approximately $5.1 million.
The settlement between New York and Uber requires the company to:
- Comply with New York’s data breach and consumer protection laws regarding protecting New York residents’ personal information and notifying them in the event of a data breach concerning their personal information;
- Take precautions to protect any user data Uber stores on third-party platforms outside of Uber;
- Use strong password policies for its employees to gain access to the Uber network;
- Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;
- Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations; and
- Develop and implement a corporate integrity program to ensure that Uber employees can report any ethics concerns they have about any other Uber employees to the company.
This settlement also addresses and resolves allegations that Uber’s conduct violated an earlier 2016 settlement with the Office of the New York Attorney General. In the earlier investigation, the office found that on May 12, 2014, a hacker accessed an Uber database that included names of roughly 50,000 Uber drivers and their driver’s license numbers. Uber discovered the breach in September 2014 but did not provide notice to the affected drivers and the office until February 26, 2015, over five months later. The prior 2016 settlement required Uber to comply with GBL § 899-aa. It also required Uber to adopt protective technologies for the storage, access, and transfer of certain personal information, and credentials related to its access, including the adoption of multi-factor authentication, or similarly protective access control methodologies.
The New York Attorney General independently investigated the current breach, but later joined the multistate investigatory process, where it took a leadership position, to effectuate settlement.
The Attorney General’s office has also proposed legislation to close gaps in New York’s data security laws and comprehensively protect New Yorkers’ personal information from data breaches.
The case was handled by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell, under the supervision of Bureau Chief Kim A. Berger. The Bureau of Internet and Technology is overseen by Executive Deputy Attorney General for Economic Justice Manisha M. Sheth.