Uber to pay $1.85 million to Arkansas after data security breach
California-based ride-sharing company Uber Technologies Inc. has reached a settlement agreement with Arkansas, 49 other states and the District of Columbia and will pay $148 million to the states after not immediately disclosing a data security breach that involved nearly 600,000 drivers nationwide.
Arkansas Attorney General Leslie Rutledge announced Wednesday (Sept. 26) that Uber will pay Arkansas $1.85 million to address the company’s one-year delay in reporting the breach to affected drivers. In Arkansas, the breach impacted 934 drivers. In November 2016, Uber learned that hackers had gained access to personal information that Uber maintains about its drivers, including drivers’ license information, but the company didn’t notify drivers until November 2017. Arkansas law required Uber to notify affected residents.
“Uber needs to ensure that it is taking every precaution to protect driver and customer data on its website and mobile app,” Rutledge said. “Data breaches can open consumers up to identity theft and have lasting negative impacts on an individual’s credit.”
Along with the payment to states, Uber agreed to strengthen its corporate governance and data security practices to help prevent another breach. Following are other requirements of the company:
- Comply with Arkansas data breach and consumer protection law regarding protecting Arkansas residents’ personal information and notifying them of a data breach related to their personal information
- Take precautions to protect user data Uber has on third-party platforms
- Use strong password policies for employees to access its network
- Develop and implement a strong data security policy for all data it collects on users, including assessing risks to the security of data and implementing additional security measures
- Hire an outside qualified party to regularly assess Uber’s data security efforts and create a report with recommended security improvements. Uber will implement the recommendations.
- Develop and implement a corporate integrity program allowing the company’s employees to notify the company of ethics concerns about other Uber employees and that they will be heard.
All 50 states and the District of Columbia participated in the agreement with Uber.