Connecticut Joins $148M Settlement with Uber over Delayed Data Breach Reporting
Will distribute portion of settlement funds to affected Uber drivers
Connecticut, with 49 other states and the District of Columbia, has reached an agreement with the San Francisco-based ride-sharing company Uber Technologies, Inc., to resolve the states' investigation into the company's one-year delay in reporting a data breach to the states and to its affected drivers, Attorney General George Jepsen announced today.
Uber learned in 2016 that hackers had gained access to some of the personal information that the company maintains about its drivers, including driver's license information for approximately 600,000 drivers nationwide.
While Uber obtained assurances that the hackers deleted the information, Uber failed to report the breach to the attorney general and to the affected drivers until November 2017 – well outside of the requirement under Connecticut law that data breaches involving certain personal information be disclosed to affected individuals and the state without unreasonable delay, and within 90 days of discovery.
"Companies in possession of personal information have a responsibility under Connecticut law to keep that information safe," said Attorney General Jepsen. "When that data is exposed, they have a responsibility to report it within a time period prescribed by law, which Uber clearly and plainly did not do. I believe this settlement is an equitable resolution of the states' claims against Uber, and I'm pleased to announce that Connecticut will be using a portion of its settlement funds to compensate affected Uber drivers who were not properly notified of the potential exposure of their personal information."
"Identity theft is a serious issue, and everyone needs to play their part to help prevent it, including large companies," said Consumer Protection Commissioner Michelle H. Seagull. "When data is compromised, it can pose serious risks that can hurt consumers years into the future. Timely reporting of data breaches and legal compliance is incredibly important for businesses that want to help their customers repair any potential damage from a breach. I am pleased we have reached this settlement, and hope that Uber's practices improve in the future."
Uber has agreed to pay $148 million to the states and will strengthen its corporate governance and data security practices to help prevent a similar occurrence in the future. Connecticut's share of the settlement funds is $4,506,432.22, of which $400,000 will be deposited into the Attorney General's Consumer Protection Fund to support the office's consumer protection work, and $250,000 into the state Department of Consumer Protection's consumer protection enforcement fund.
From Connecticut's remaining settlement funds, the state will provide each eligible Connecticut Uber driver with a $100 payment. Eligible drivers are those drivers whose driver's license numbers were accessed during the 2016 breach, some of whom may not be driving for Uber today. In Connecticut, 3,549 drivers were possibly affected. A settlement administrator will be appointed to provide notice and payment to those eligible; details of that process will be announced at a future time.
The remainder of the state's settlement funds will be deposited into the state's General Fund.
In addition to the financial settlement, Uber will be required to:
• Comply with Connecticut data breach and consumer protection laws;
• Take precautions to protect any user data that Uber stores on third-party platforms;
• Employ strong password policies for employee access on Uber's network;
• Develop and implement a strong data security policy for all data that Uber collects about its users;
• Hire a qualified, independent third party to assess Uber's data security efforts on a regular basis and report on recommended security improvements; and
• Develop and implement a corporate integrity program to ensure that Uber employees can bring forward any ethics concerns and that those concerns will be heard.
The settlement is not final unless and until it is approved by the court.
Assistant Attorneys General Michele Lucan, John Neumon, and Jeremy Pearlman, head of the Privacy and Data Security Department, assisted the Attorney General with this matter.
Jaclyn M. Severance