Attorney General Josh Stein Reaches $148 Million Settlement With Uber Over Data Breach

(RALEIGH) Attorney General Josh Stein today announced that he has reached an agreement with the ride-sharing company Uber Technologies, Inc. (Uber) to address the company’s one-year delay in reporting a data breach to its affected drivers.

“Data breaches are increasingly becoming a major problem for North Carolinians,” said Attorney General Josh Stein. “Notifying my office and the public allows people to take necessary precautions to protect their information. In failing to do so, Uber put its drivers at risk. I will continue to fight for people’s data privacy, including working to pass the Act to Strengthen Identity Theft Protections, which will further strengthen our state’s laws.”

As part of the nationwide settlement, Uber has agreed to pay $148 million to the states. North Carolina will receive $3,661,800.27. In addition, Uber has agreed to strengthen its corporate governance and data security practices to help prevent a similar occurrence in the future.

North Carolina will provide each Uber driver impacted in state with a $100 payment. Eligible drivers are those drivers whose driver’s license numbers were accessed during the 2016 breach. Some of those drivers may not still be driving for Uber today. A settlement administrator will be appointed to provide notice and payment to eligible drivers. This office will announce details of that process after the effective date of the settlement.

Under the settlement, Uber will be required to:

  • Comply with North Carolina data breach and consumer protection law regarding protecting North Carolina residents’ personal information and notifying them in the event of a data breach concerning their personal information;
  • Take precautions to protect any user data Uber stores on third-party platforms outside of Uber;
  • Use strong password policies for its employees to gain access to the Uber network;
  • Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;
  • Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations; and
  • Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that it will be heard.

All 50 states and the District of Columbia are participating in this multistate agreement with Uber.