Uber Agrees to Pay $148 Million Settlement to Resolve Allegations from 2016 Data Breach Cover Up


Written By ESR News Blog Editor Thomas Ahearn

On September 26, 2018, California Attorney General Xavier Becerra and San Francisco District Attorney George Gascón announced that Uber Technologies, Inc. agreed to a $148 million nationwide settlement to resolve allegations that the transportation network company (TNC) violated state data breach reporting and reasonable data security laws in connection with a 2016 data breach that exposed the driver and customer data of 57 million users, and that it paid hackers to cover up the breach rather than reporting it to the proper authorities, according to a press release on the Attorney General’s website.

“Uber’s decision to cover up this breach was a blatant violation of the public’s trust,” Attorney General Becerra stated in the press release about the Uber data breach settlement. “The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law. Companies in California and throughout the nation are entrusted with customers’ valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect their data.”

The settlement follows an independent investigation of Uber by California that found the company failed to inform more than 174,000 California drivers that a data breach exposed personal information including names and driver’s license numbers. Instead of notifying the drivers as required by law, Uber covered up the breach and paid hackers $100,000 in exchange for their silence. The company failed to notify law enforcement and the public of the data breach until it was uncovered by an internal review by Uber’s Board of Directors in November 2017. In addition to civil penalties, the settlement requires that Uber:

  • Implement and maintain robust data security practices.
  • Comply with state laws in connection with its collection, maintenance, and safeguarding of personal information, as well as reporting of data security incidents.
  • Accurately and honestly represent data security and privacy practices to better ensure transparency in how the company’s driver and customer information is safeguarded.
  • Develop, implement, and maintain a comprehensive information security program with an executive officer who advises key executive staff and Uber’s Board of Directors.
  • Report any data security incidents to states on a quarterly basis for two years.
  • Maintain a Corporate Integrity Program that includes a hotline to report misconduct, quarterly reports to the board, implementation of privacy principles, and an annual code of conduct training.

The nationwide data breach settlement calls for a $148 million payment by Uber to benefit all 50 states and the District of Columbia. California will divide its $26 million share of the settlement between the California Attorney General’s Office and the San Francisco District Attorney’s Office. The settlement also includes additional terms to prevent future breaches and reform Uber’s corporate culture, and it marks the first time the Attorney General has required a company to incorporate “privacy-by-design,” a practice of integrating privacy considerations and protections into product development and design.

“We wholeheartedly support innovative business models, but new ways of engaging in business cannot come at the expense of public safety or consumer privacy. This settlement today demonstrates what happens when all of us in law enforcement work together. My office will continue to collaborate closely with the Attorney General to protect consumers both in San Francisco, and the rest of California,” District Attorney Gascón stated in the press release available at https://oag.ca.gov/news/press-releases/california-attorney-general-becerra-san-francisco-district-attorney-gasc%C3%B3n.

Also on September 26, 2018, in a post entitled “Turning the Page on the 2016 Data Breach” in the Uber newsroom, Uber Chief Legal Officer Tony West wrote: “Our current management team’s decision to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability. An important component of living up to those principles means taking responsibility for past mistakes, learning from them, and moving forward.” The post is at https://www.uber.com/newsroom/2016-data-breach-settlement/.

In an Uber newsroom post entitled “Turning the Page on the 2016 Data Breach” written on November 21, 2017, Uber Chief Executive Officer (CEO) Dara Khosrowshahi wrote: “None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.” The post is available at https://www.uber.com/newsroom/2016-data-incident.

Data breach events seem to be constantly in the news. On September 7, 2017, nationwide credit reporting agency Equifax announced a massive data breach incident had impacted approximately 143 million Americans – almost half of the country – a number that grew to include 145.5 million people. The need for background screening firms to ensure information security in the wake of data breach events with Uber, Equifax, and others was one of the “ESR Top Ten Background Check Trends” for 2018 selected by Employment Screening Resources® (ESR), which is headquartered in the San Francisco area.

ESR Offers Data Breach Protection in Background Check Process

Employment Screening Resources® (ESR) – a leading global background check firm – protects the privacy, security, and confidentiality of consumer information during background checks. ESR is accredited by the National Association of Professional Background Screeners (NAPBS®), undergoes annual SSAE 18 SOC 2® Type 2 audits, adheres to the Privacy Shield Framework, offers General Data Protection Regulation (GDPR) compliant processes, and won the 2018 TekTonic Award from HRO Today Magazine for innovative and disruptive background screening technology. To learn more, visit www.esrcheck.com.
