Settlement with 50 States & DC Also Requires Uber to Adopt Model Data Breach Notification and Data Security Practices, Corporate Integrity Program; Hire Independent Third Party to Assess Data Security
NEW YORK — Attorney General Barbara D. Underwood announced an agreement with ride-sharing company Uber Technologies, Inc. (Uber) to settle allegations it intentionally concealed a 2016 data breach in violation of state data breach notification laws.
The settlement, which was reached with all 50 states and the District of Columbia, requires Uber to adopt model data breach notification and data security practices and a corporate integrity program for employees to report unethical behavior, and hire an independent third party to assess its data security practices. It also requires Uber to pay a record penalty of $148 million.
"New Yorkers deserve to know that their personal information will be protected — period," said Attorney General Underwood. "This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation. We'll continue to fight to protect New Yorkers from weak data security and criminal hackers."
In November 2016, hackers based in the United States and Canada secretly informed security officials at Uber that they had downloaded the personal information of 57 million riders and drivers, 25 million of whom were in the United States and 7.7 million of whom were drivers.
The information stolen included names, email addresses, and mobile phone numbers; drivers' license information pertaining to approximately 600,000 drivers nationwide was also stolen. After providing proof of the massive data breach, the hackers demanded "six figures" to delete the data and not disclose the breach. Uber ultimately paid the hackers $100,000 to conceal the breach.
In the spring of 2017, Uber's Board of Directors directed a law firm to investigate Uber's security team in the wake of unrelated litigation involving the alleged theft of trade secrets related to self-driving cars. As part of this inquiry, the law firm learned of the breach and ransom payment. Upon learning of the breach, the board hired a forensic firm to investigate the breach. Uber ultimately provided notice of the breach in late November 2017, a year after the breach.
General Business Law § 899-aa requires companies that experience a breach involving certain personal information, including driver's license numbers, to provide notice "in the most expedient time possible and without unreasonable delay." By intentionally concealing the breach and failing to disclose it for a year, Uber violated GBL § 899-aa.
As part of the nationwide settlement, Uber has agreed to pay a record penalty of $148 million to the states. New York will receive approximately $5.1 million.
The settlement between New York and Uber requires the company to adopt model data breach notification and data security practices, to implement a corporate integrity program for employees to report unethical behavior, and to hire an independent third party to assess its data security practices.
This settlement also addresses and resolves allegations that Uber's conduct violated an earlier 2016 settlement with the Office of the New York Attorney General. In the earlier investigation, the office found that on May 12, 2014, a hacker accessed an Uber database that included names of roughly 50,000 Uber drivers and their driver's license numbers.
Uber discovered the breach in September 2014 but did not provide notice to the affected drivers and the office until February 26, 2015, over five months later. The prior 2016 settlement required Uber to comply with GBL § 899-aa. It also required Uber to adopt protective technologies for the storage, access, and transfer of certain personal information, and credentials related to its access, including the adoption of multi-factor authentication, or similarly protective access control methodologies.
The New York Attorney General independently investigated the current breach, but later joined the multistate investigatory process, in which it took a leadership position, to effectuate the settlement.
The Attorney General's office has also proposed legislation to close gaps in New York's data security laws and comprehensively protect New Yorkers' personal information from data breaches.
The case was handled by the Bureau of Internet and Technology.