Under the terms of the nationwide settlement, secured by Attorney General Shapiro and 50 other Attorneys General, the Pennsylvania Office of the Attorney General will receive $5.7 million from Uber.
The company will also be required to take significant steps to change its corporate practices to better protect and secure its employees’ information and other data.
In November 2016, Uber learned that hackers had gained access to some personal information Uber maintains about its drivers, including drivers’ license information for about 600,000 drivers nationwide.
Instead of reporting the breach to law enforcement and impacted individuals, Uber tracked down the hackers and obtained assurances that the hackers deleted the information – and made payments to ensure their silence.
At least 13,500 Pennsylvania Uber drivers were affected by the breach.
Since some of the compromised information – specifically driver’s license numbers – is considered personally identifiable information (PII), Uber was required to notify impacted individuals under the Pennsylvania Breach of Personal Information Notification Act.
However, Uber failed to report the breach until November 2017.
In March, Attorney General Shapiro directed his Bureau of Consumer Protection to file a lawsuit against Uber for violating Pennsylvania’s data breach notification law. The lawsuit was the first time Attorney General Shapiro sued under that statute.
The Pennsylvania Attorney General’s case against Uber was settled as part of the national settlement announced today, which will require to pay $148 million to the 51 participating Attorneys General and Uber drivers.
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this data breach,” Attorney General Josh Shapiro said. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and keep quiet. That is outrageous corporate misconduct, and today’s settlement holds them accountable and requires real changes in their corporate behavior.”
Among the significant changes and reforms to Uber’s business practices involving its drivers and riders required by the settlement:
-- Comply with Pennsylvania’s data breach and consumer protection law regarding protecting Commonwealth residents’ personal information and notifying residents in a timely manner of any data breach concerning their personal information.
-- Take precautions to protect any user data Uber stores on third-party platforms outside of Uber.
Implement stricter password policies for its employees to gain access to the Uber network.
-- Develop and deploy an overall data security policy for all data that Uber collects about its users, including assessing any potential risks to the security of the data — and implementing any additional security measures as needed to best protect that data.
-- Hire an outside, qualified third-party party to assess Uber’s data security efforts regularly and draft a report with recommended security improvements – which Uber is required to implement.
-- Implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that it will be heard.
As a result of the settlement, each impacted Pennsylvania Uber driver will receive a $100 payment. Approximately $1.35 million will go to these drivers. A settlement administrator will be appointed to provide notice and payment to eligible drivers.
“Being an Uber driver was a part-time job to me, a way to make some extra money,” said Chris Davis, a former attorney and local pastor in Centre County. “When I found out about the breach, I was angry and mad they hid it so long. I discovered inquiries had been made into my credit in the western United States – places I had never been. I worked hard for what I have and did not want scammers to be able to take my money and property. I’m glad Attorney General Josh Shapiro fought for people like me and held Uber accountable for the harm they caused.”
The remainder of the settlement for Pennsylvania – $4.35 million – will go to the Attorney General’s Public Protection Section and Bureau of Consumer Protection, to be used to conduct future investigations and outreach to protect Pennsylvanians from violations of consumer protection law.
“The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes,” Attorney General Shapiro said. “That’s why my Bureau of Consumer Protection took action, and it is why we are also continuing to lead an ongoing national investigation into the Equifax breach.”
All 50 state Attorneys General and the District of Columbia are participating in this multistate agreement with Uber. The settlement, in the form of a Consent Petition, has been submitted and requires court approval to become final.
Attorney General Shapiro recommended any Uber drivers in Pennsylvania who believe they were impacted by the breach to monitor their credit report to protect themselves from any further vulnerability.