AG Racine Reaches $148 Million Nationwide Settlement Over Uber Data Breach

More than 7,000 District Uber Drivers Affected; Uber to Pay $2.62 Million to D.C.

WASHINGTON, D.C. – Attorney General Karl A. Racine announced that the District of Columbia and all 50 states have reached a nationwide settlement with Uber Technologies, Inc. (Uber) for hiding a data breach in 2016. The breach affected approximately 600,000 drivers nationwide, including more than 7,000 drivers in the District. Under the multistate settlement, Uber is required to strengthen its data security policies and will pay the District more than $2.62 million.

“Uber failed to report a massive data breach in a timely manner as required by District law,” said Attorney General Racine. “In fact, it took Uber one year to inform its drivers and authorities about the breach. Today’s action ensures that Uber will live up to its disclosure obligations in the event of future data breaches and better protects its users’ personal information.”

Uber, a California-based ride-sharing company, learned in November 2016 that hackers had gained access to some personal information that Uber maintains about its drivers, including driver’s license information for approximately 600,000 drivers nationwide. Uber tracked down the hackers and obtained assurances that the hackers deleted the information. However, even though the exposure of some of that information triggered District law requiring Uber to notify affected District residents, Uber failed to report the breach to affected drivers or to District and state government officials in a timely manner. In fact, the company did not report it until November 2017, one year after it was informed of the breach.

As part of the nationwide settlement, Uber has agreed to pay $148 million to the states. The District will receive $2,620,711.81. In addition, Uber has agreed to strengthen its corporate governance and data security practices to help prevent a similar occurrence in the future. The settlement includes provisions that, among other things, require Uber to: 

  • Disclose data breaches to consumers in a timely manner as legally required: District law requires companies to disclose data breaches to affected consumers in “the most expedient time possible and without unreasonable delay.” The District’s consumer laws also require companies to implement and maintain reasonable security practices to protect sensitive personal information that consumers have given to the company. The settlement requires Uber to comply with these laws in the future.
     
  • Strengthen data security policies and procedures: Uber will strengthen its policies and procedures for data security. The measures include strengthening password policies for employees who access Uber’s network and implementing a strong, comprehensive data security policy for all data that Uber collects about its users, including assessing potential risks to that data. Uber will also hire a qualified outside party to assess the company’s data security efforts on a regular basis and recommend security improvements, which Uber will implement.
     
  • Implement program for employees to report ethics concerns to company management: Uber will develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company and ensure that those concerns will be heard. As part of the corporate integrity program, the company is required to start a hotline for employees to report misconduct and develop, implement, and maintain an annual training program for employees concerning Uber’s code of conduct. 

A copy of the agreement is available at: http://oag.dc.gov/sites/default/files/2018-09/DC-v-Uber-Technologies-Judgment.pdf

Resources to Protect Your Personal Information
If you believe you may have been the victim of a data breach or that your personal information has been compromised in some way, report it to OAG’s Office of Consumer Protection by calling our Consumer Protection Hotline at 202-442-9828 or by submitting a complaint online on our Consumer Protection Page. For more information on how to protect your personal information, read our online privacy and identity theft consumer protection resources.