CYBER RISK CLIENT ALERT: What Companies can Learn from Uber’s Recent $148 Million Settlement

by

On September 26, 2018, Uber Technologies, Inc. (Uber) reached a joint settlement with all 50 states and Washington, D.C.’s attorney generals to pay a record breaking $148 million for its 2016 data breach and subsequent cover-up.

This story begins in November 2016 when hackers accessed 600,000 Uber drivers’ license information as well as personal data, including names, e-mail addresses, and cell phone numbers for 57 million riders worldwide.  Making a bad situation worse, instead of reporting the breaches as required by laws in all states, Uber paid the hackers $100,000 in ransom to destroy the information.  The drivers and riders affected by the data breach as well as the greater public were unaware of the breach or the ransom payment until November 2017.

But this is not the first time Uber’s data privacy and security practices have been compromised resulting in negative publicity for Uber.  In 2014, over 100,000 driver names and license numbers were hacked and in 2015, Uber was fined $20,000 for violating its own policy prohibiting employees from accessing drivers’ and passengers’ personal information.  In September 2017 (just two months before announcing its latest data breach), Uber announced that it settled with the Federal Trade Commission (FTC) over allegations related to its privacy and data security practices.  The 2017 settlement with the FTC required Uber to, among other things, refrain from making any misrepresentation about the quality and level of its privacy and data security practices, undergo third-party audits of its privacy practices, and keep detailed accounting, personnel, and consumer complaint records for 20 years.  The FTC has since decided to expand its preexisting settlement reached last year to include new remedial measures as a result of the 2016 hacking and cover-up.

The current $148 million settlement will be divided to each state based on the number of drivers affected in each state.  Illinois, for example, is receiving $8.5 million, which attorney general Lisa Madigan plans to apportion $100 to each affected Uber driver in Illinois.  In addition to the monetary reparations, the settlement requires Uber’s data security program to undergo regular audits and implement a corporate integrity program ensuring employees are able to report ethics concerns about the company. The settlement requires Uber to adhere to state consumer protection laws and, perhaps most importantly, immediately notify authorities in the event of a breach. The settlement comes in the form of consent decrees, adding an additional layer of enforcement in the event Uber fails to comply with the settlement.

The day the settlement was announced Uber’s chief legal officer, Tony West, posted in a blog post: “We know that earning the trust of our customers and the regulators we work with globally is no easy feat. After all, trust is hard to gain and easy to lose. We’ll continue to invest in protections to keep our customers and their data safe and secure, and we’re committed to maintaining a constructive and collaborative relationship with governments around the world.”

West recounts that on his first day at Uber, he spent his time calling regulators to discuss the 2016 data “incident” (as he calls it).  Shortly before West joined Uber and just before Uber publicly announced the 2016 data “incident”, Uber made a different announcement – they found a replacement for Uber’s former CEO and co-founder Travis Kalanick. Uber’s former CEO resigned after a tumultuous 2017 year of inquiry into among other things, their data privacy practices. Dara Khosrowshahi, former Expedia CEO, became Uber’s current CEO in August of 2017 initiating a large-scale brand revitalization for Uber.  Since Khosrowshahi’s induction to Uber, the company came clean about the 2016 data breach and ransom payment, launched its biggest advertisement campaign to-date, and announced its intentions to go public in 2019. 

Uber’s handling of its latest data breach provides important reminders for any company handling sensitive information. First, comply with the requirements of the law, or in the case of data securities, all laws, which vary in certain respects, but which must be followed. Second, the cover up is always as bad if not worse than the underlying wrong and explains in large part why Uber’s penalties were so high. Third, if poorly handled, data breaches have more than monetary consequences - they have significant impact on a company’s brand equity. Uber will be spending considerable time, effort, and money to get past the toll the hacking and ransom payment have taken on Uber’s reputation.

Get Updates By Email

Blog Contributors