SAN FRANCISCO (CBS SF) — San Francisco-based ride-hailing service Uber has reached a $148 million settlement over allegations that it violated state data breach reporting and data security laws, officials announced Wednesday.
California Attorney General Xavier Becerra was highly critical of Uber in announcing the settlement. The ride-hailing service was accused of exposing 57 million users’ data and paying hackers to cover up the breach in 2016 rather than reporting it to proper authorities.
“Uber’s decision to cover up this breach was a blatant violation of the public’s trust,” Becerra said in a statement. “The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law.”
The settlement follows California’s independent investigation of Uber’s conduct, which alleged that the company failed to inform over 174,000 California drivers of a data breach exposing their personal information, including names and driver’s license numbers.
Rather than notifying the drivers as required by law, Uber covered up the breach and then paid hackers $100,000 in exchange for their silence.
The nationwide settlement, which California helped to lead, calls for a $148 million penalty payment by Uber benefiting all 50 states and the District of Columbia.
California will divide its $26 million share of the settlement between the Attorney General’s Office and the San Francisco District Attorney’s Office.
Becerra also called the settlement historic in its new privacy requirements.
“For the first time in history an A.G.’s office has required a company to implement privacy by design into its products,” he said. “That means that Uber must integrate privacy considerations and protections into every phase of their products development and design.”
In addition to the civil penalties, the settlement also requires that Uber:
- Implement and maintain robust data security practices.
- Comply with state laws in connection with its collection, maintenance, and safeguarding of personal information, as well as reporting of data security incidents.
- Accurately and honestly represent data security and privacy practices to better ensure transparency in how the company’s driver and customer information is safeguarded.
- Develop, implement, and maintain a comprehensive information security program with an executive officer who advises key executive staff and Uber’s Board of Directors.
- Report any data security incidents to states on a quarterly basis for two years.
- Maintain a Corporate Integrity Program that includes a hotline to report misconduct, quarterly reports to the board, implementation of privacy principles, and annual code of conduct training.