Today Attorney General Cynthia H. Coffman announced that Colorado has joined with 49 other states and the District of Columbia in a $148M settlement with Uber Technologies, Inc., (Uber) to address the company’s one-year delay in reporting a data breach to its affected drivers.
Uber learned in November 2016 that hackers had gained access to personal information that Uber maintains about its drivers, including drivers’ license information pertaining to more than 12,000 Colorado drivers and approximately 600,000 drivers nationwide. Uber claims that they tracked down the hackers and obtained assurances that the hackers deleted the stolen information. Under Colorado law, Uber was required to notify the affected drivers in a timely manner. Uber failed to report the breach until one year later, November 2017.
“Uber concealed this data breach from its drivers for a full year, in violation of Colorado law,” said Attorney General Coffman. “Consumers deserve a quick heads up when their information has been compromised so they can take steps to protect themselves from criminals. Instead, Uber took the law into its own hands, further disadvantaging its drivers. This settlement sends a strong message that companies like Uber who fail to follow Colorado’s data breach notification law will face expensive consequences.”
As part of the nationwide settlement, Uber has agreed to pay $148 million to the states. Colorado will receive $2.1 million. In addition, Uber has agreed to strengthen its corporate governance and data security practices to help prevent a similar occurrence in the future.
The settlement between the State of Colorado and Uber requires the company to:
- Comply with Colorado’s data breach and consumer protection law regarding protecting Colorado residents’ personal information and notifying them in the event of a data breach concerning their personal information;
- Take precautions to protect any user data Uber stores on third-party platforms outside of Uber;
- Use strong password policies for its employees to gain access to the Uber network;
- Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;
- Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations; and
- Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that those concerns will be heard.
All 50 states and the District of Columbia are participating in this multistate agreement with Uber.