Hackers stole information on drivers, riders
Iowa Attorney General Tom Miller and attorneys general from 49 states and the District of Columbia have reached an agreement with ride-sharing company Uber Technologies, Inc. to address the company’s one-year delay in reporting a data breach to its affected drivers.
As part of a nationwide settlement, Uber has agreed to pay $148 million to the states. Iowa will receive $612,950.24, which will go to the state’s Consumer Education and Litigation Fund.
California-based Uber learned in November 2016 that hackers had gained access to some personal information that the company maintains about its approximately 600,000 drivers nationwide. Uber tracked down the hackers and obtained assurances that the hackers deleted the information, including drivers’ license numbers.
Some of that personal information triggered an Iowa law requiring Uber to notify affected Iowa residents. However, Uber failed to report the breach in a timely manner, waiting until November 2017 to report it.
Attorney General Miller alleged in a lawsuit that Uber violated Iowa’s Consumer Fraud Act by representing to its users that the company protects their sensitive personal information, when in fact the hackers were able to gain access to some personal information.
“Failing to report data breaches as soon as possible can harm consumers,” Miller said. “If notified, consumers can take actions such as monitoring and freezing their credit reports to prevent identity theft.”
About 390 Iowa drivers were affected. Uber offered affected drivers free credit monitoring and identity theft protection. Some names and e-mail addresses of riders were also taken, but the data was not considered personal information as defined by Iowa law.
Uber has agreed to strengthen its corporate governance and data security practices to help prevent a similar occurrence in the future.
The settlement filed Wednesday between Iowa and Uber requires the company to:
- Comply with Iowa data breach and consumer protection law regarding protecting residents’ personal information and notifying them in the event of a data breach concerning their personal information;
- Take precautions to protect any user data Uber stores on third-party platforms outside of Uber;
- Use strong password policies for its employees to gain access to the Uber network;
- Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;
- Hire an outside qualified party to assess Uber’s data security efforts regularly and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations; and
- Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that those concerns will be heard.
All 50 states and the District of Columbia are participating in this multistate agreement with Uber.
The Iowa attorney general’s office maintains a list of security breaches on its website. Anyone who encounters a security breach that affects at least 500 Iowa residents must provide written notice to the Attorney General’s Consumer Protection Division director within five business days after notifying affected people.