SALT LAKE CITY (News4Utah) – The State of Utah will receive nearly $900,000 from Uber in a settlement agreement over a one-year delay in reporting a data breach to affected drivers.
Uber Technologies will pay Utah, the other 49 states, and the District of Columbia a total of $148 million in addition to improving its data security practices to prevent similar occurrences in the future.
Uber learned in November 2016 that hackers gained access to personal information involving the ride-sharer’s drivers, including drivers’ license information. The data breach involved approximately 600,000 drivers nationwide and about 2,500 from Utah.
The Attorney General’s Office said Uber tracked down the hackers and obtained assurances that the hackers deleted the information, but state law requires Uber to notify affected Utah residents which it failed to do until November 2017.
“We hope Uber’s case sends a message to the business community to be swift in alerting the public when consumer information is compromised,” said Francine Giani, Executive Director for the Utah Department of Commerce.
The AG’s Office said the settlement requires Uber to:
- Comply with Utah data breach and consumer protection law about Utah residents’ personal information and notifications in the event of a data breach
- Take precautions to protect any user data Uber stores on third-party platforms outside of Uber
- Use strong password policies for its employees to gain access to the Uber network;
- Develop and implement a strong data security policy for all data that Uber collects about its users, assess potential risks to the security of the data, and implement additional security measures beyond what Uber is doing to protect the data
- Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with recommended security improvements
- Develop and implement a corporate integrity program to ensure that ethics concerns brought by Uber employees about other employees will be heard.