$148 Million Settlement Reached with Uber for Data Breach

TALLAHASSEE, Fla.—Attorney General Pam Bondi, along with the 49 other attorneys general and the District of Columbia, today reached a settlement with Uber Technologies, Inc. for allegedly failing to comply with the Florida Information Protection Act and other related laws. In November 2016, Uber learned that hackers gained access to some personal information the company maintains about its drivers, including drivers’ license information. Uber subsequently tracked down the hackers and obtained assurances that the hackers deleted and never distributed the information. While reportedly no sensitive information was disseminated, the breach triggered Florida’s law requiring Uber to notify affected Florida residents. Uber waited a year, until November 2017, before reporting the data breach.

“Data breaches need to be dealt with in a very urgent and responsive manner,” said Attorney General Bondi. “Not only are they often serious crimes, but people with compromised information need to be alerted immediately, so they can take steps to guard against identity theft and financial losses. Hopefully, this settlement will send the clear message that faster reporting is essential.”

In July 2014, Florida passed FIPA to ensure that each Florida resident victimized by a data breach receives notice, so they can take protective action. Florida, with three other states, initiated the Uber investigation with 46 states and the District of Columbia joining.

As part of the nationwide settlement, Uber agreed to pay $148 million to the states and the District of Columbia. Florida will receive $8,246,606. In addition, Uber agreed to strengthen its corporate governance and data security practices to help prevent a similar occurrence in the future.

In addition to requiring compliance with FIPA, the settlement between the Florida Attorney General’s Office and Uber requires the company to:
· Take precautions to protect any user data Uber stores on third-party platforms outside of Uber;
· Use strong password policies for its employees to gain access to the Uber network;
· Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;
· Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations; and
· Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that it will be heard.

All 50 states and the District of Columbia are participating in this multistate agreement with Uber. This settlement is pending judicial approval.

To view a copy of the complaint, click here

To view a copy of the proposed consent judgment, click here