Uber Agrees to $148 Million Data Breach Settlement with State Attorneys General | Practical Law

Uber Technologies, Inc. has agreed to pay $148 million to settle investigations by all 50 state attorneys general and the District of Columbia into the company's failure to disclose a massive data breach in 2016. The precedent-setting privacy settlement follows a related agreement with the FTC that did not require any monetary payments, but required Uber to implement more robust privacy and data security protections.

Practical Law Legal Update w-016-8114 (Approx. 3 pages)

by Practical Law Data Privacy Advisor
Published on 27 Sep 2018
USA (National/Federal)
On September 26, 2018, Uber Technologies, Inc. issued a press release announcing it reached a settlement with the attorneys general from all 50 states and the District of Columbia over its alleged coverup of a 2016 data breach that exposed personal information from 57 million accounts.
Earlier this year, Uber reached an agreement with the FTC arising from the same incident, revising an initial agreement from August 2017 (see Legal Update, Uber Agrees to Expanded FTC Privacy and Data Security Settlement).
The settlement with the State Attorneys General includes requirements that Uber:
  • Pay $148 million to be distributed among the states and the District of Columbia in varying amounts.
  • Report any data security incidents to the State Attorneys General on a quarterly basis for two years.
Uber must also develop, implement, and maintain:
  • Specific data security safeguards, including:
    • an encryption policy that addresses electronic transmission of personal information and database backups; and
    • prohibitions on using any third party's cloud-based service or platform for code development unless a senior executive evaluates and documents that the third party's data security measures and access controls meet certain minimum requirements.
  • A written comprehensive information security program for ten years, which must contain administrative, technical, and physical safeguards appropriate to Uber's size, the nature and scope of its activities, and the personal information's sensitivity. The program must:
    • regularly identify internal and external risks that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of personal information;
    • implement safeguards to control these risks;
    • regularly test, monitor, evaluate, and assess the safeguards' effectiveness;
    • include ongoing workforce training; and
    • designate a security executive.
  • An incident response and data breach notification plan for ten years.
  • A corporate integrity program for ten years, which requires Uber to:
    • create a method for employees to report ethical concerns or policy violations;
    • assign an executive or officer to report any incidents or complaints to Uber's board of directors;
    • incorporate privacy-by-design principles to review proposed changes to Uber's products, applications, and data collection methods;
    • include an annual workforce training program; and
    • require Uber's security executive to advise Uber's CEO or chief legal officer of security risks.
The agreement also requires an independent third party to conduct information security program assessments biennially for ten years, which Uber must document and send to the State Attorneys General.