(COLUMBUS, Ohio)—Ohio Attorney General Mike DeWine today announced a nationwide settlement with Uber over its delay in notifying affected drivers about a 2016 data breach. The attorneys general of all 50 states and the District of Columbia are participating in the settlement.
Uber has agreed to pay $148 million to the states and to maintain a comprehensive data security program to protect the personal information of Uber riders and drivers.
“People deserve and need to know when their personal information is breached so that they can protect themselves,” Attorney General DeWine said. “This settlement will help protect Uber drivers’ and riders’ personal information, and it underscores the importance of companies providing prompt, appropriate notice about data breaches.”
As part of the settlement, Attorney General DeWine is setting aside more than $1.2 million to provide each eligible Ohio Uber driver with a $100 payment. Eligible Ohio drivers are those who drove or applied to drive for Uber prior to November 2016 and whose driver’s license numbers were accessed during the 2016 breach. (Some eligible drivers may no longer be driving for Uber.) An outside settlement administrator will be appointed to distribute the payments to eligible drivers in the coming months.
In November 2016, Uber learned that hackers had gained access to certain information, including the names and driver’s license numbers of about 600,000 Uber drivers nationwide, more than 12,000 of them in Ohio. The breach triggered laws in Ohio and other states requiring the company to notify affected individuals, but Uber waited until November 2017 to report it.
Uber has agreed to strengthen its corporate governance and data security practices to help prevent a similar occurrence in the future. The settlement requires Uber to:
- Take steps to protect any user data that Uber stores on third-party platforms;
- Require strong password policies for Uber employees;
- Develop and implement a strong overall data security policy for all data that Uber collects about its users; and
- Hire a qualified outside party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements.
As a co-lead state in the multistate investigation that led to the settlement, Ohio will receive $5,585,868 of the total settlement. Settlement funds will be used to provide payments to eligible Ohio Uber drivers and to fund consumer protection efforts.
In addition to enforcement actions, Attorney General DeWine has taken several other steps to promote cybersecurity and protect consumers’ personal information.
“We’re focused on taking innovative approaches to encouraging strong cybersecurity practices and protecting consumers,” Attorney General DeWine said.
Attorney General DeWine led the effort to urge Ohio lawmakers to pass the Data Protection Act, which encourages businesses to adopt proven cybersecurity measures. The legislation, which Governor John Kasich signed into law in August, takes effect on Nov. 2. It is based on recommendations from the Attorney General’s CyberOhio Advisory Board. Attorney General DeWine formed the CyberOhio initiative to foster a legal, technical, and collaborative cybersecurity environment to help Ohio’s businesses thrive and protect consumers’ personal information. In addition to its legislative work, CyberOhio organizes summits to encourage collaborative learning between technology, business, law, and government sectors and hosts workshops to encourage, develop, and inspire a new generation of cybersecurity leaders.
For consumers whose personal information has been used fraudulently, Attorney General DeWine’s office also provides an Identity Theft Unit, which was established in 2012 to help victims correct the effects of identity theft. The unit has helped clear millions of dollars in fraudulent charges.
For more information about cybersecurity or identity theft, individuals should contact the Ohio Attorney General’s Office at www.OhioProtects.org or 800-282-0515.