Attorney General Ken Paxton and his counterparts from 49 other states and the District of Columbia today announced a $148 million settlement with California-based ride-sharing company Uber Technologies, Inc. over its one-year delay in reporting a data breach regarding Uber drivers.
Uber learned in November 2016 that hackers gained access to some personal information that the company maintains about its drivers, including drivers’ license information pertaining to approximately 600,000 drivers nationwide. Uber tracked down the hackers and obtained assurances that they deleted the information. However, Uber failed to report the breach in a timely manner in accordance with state law and waited until November 2017 to report it or inform affected drivers that their drivers’ license information had been unlawfully accessed.
“Instead of notifying its drivers of the data breach in a timely manner, Uber violated Texas law by concealing the incident for a full year,” Attorney General Paxton said. “Withholding that information deprived many Texans of the opportunity to protect themselves from identity theft and fraud – crimes with serious consequences for consumers and businesses. Today’s settlement ensures that Uber will follow the law in the future and sends a message that my office will go after companies that do not take seriously their legal obligations to protect the personal information of Texans.”
As part of the $148 million nationwide settlement, Texas will receive more than $6.4 million, most of which will be returned to Uber drivers across the state. In addition, Uber agreed to strengthen its corporate governance and data security practices to help prevent a similar occurrence in the future.
With this settlement award, Texas will provide eligible Uber Texas drivers with a $100 payment. Eligible drivers are those whose driver’s license numbers were accessed during the 2016 breach. Some of those drivers may no longer be driving for Uber but are still eligible. A settlement administrator will be appointed to provide notice and payment to eligible drivers. Details of that process will be announced by this office after the effective date of the settlement.
The settlement between the state of Texas and Uber requires the company to:
- Comply with the Texas Identity Theft Enforcement and Protection Act, regarding protecting Texas residents’ personal information and notifying them in the event of a data breach concerning their personal information;
- Take precautions to protect any user data Uber stores on third-party platforms outside of Uber;
- Use strong password policies for its employees to gain access to the Uber network;
- Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;
- Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations; and
- Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that those concerns will be heard.
All 50 states and the District of Columbia are participating in this multistate agreement with Uber.