Uber has agreed to pay $148 million to settle allegations from all 50 states that the ride-hailing company failed to notify drivers that hackers had stolen their personal information.
Uber is now taking steps to tighten data security. Nebraska's share of the settlement is $700,000 Uber learned in November 2016 that hackers had gained access to some personal information that Uber maintains about its drivers, including drivers’ license information pertaining to approximately 600,000 drivers nationwide.
Uber tracked down the hackers and obtained assurances that the hackers deleted the information. However, some of that information, triggered Nebraska law requiring them to notify affected Nebraska residents., Uber failed to report the breach in a timely manner, waiting until November 2017 to report it.
Attorney General Doug Peterson says, “For data breaches affecting Nebraska residents, notification by the business whose systems have been breached must be made to the Attorney General and affected Nebraskans as soon as possible and without unreasonable delay. Today’s announcement illustrates that the repercussions for failing to do so will be both swift and severe.”
The settlement between Nebraska and Uber requires the company to:
- Comply with Nebraska’s data breach and consumer protection law regarding protecting Nebraska residents’ personal information and notifying them in the event of a data breach concerning their personal information.
- Take precautions to protect any user data Uber stores on third-party platforms outside of Uber.
- Use strong password policies for its employees to gain access to the Uber network.
- Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;
- Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations.
- Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that it will be heard.