Uber settles with Mississippi in data breach lawsuit
Published 10:30 am Friday, September 28, 2018
The state of Mississippi will receive a portion of a $148 million nationwide settlement from Uber, following a 2016 data breach, Attorney General Jim Hood announced Wednesday.
Mississippi will receive a total of $716,861.15 after the California-based company Uber Technologies, Inc. failed to notify its affected drivers of a data breach for an entire year after becoming aware of the incident.
According to court documents, Uber learned in November 2016 that hackers had gained access to some personal information that Uber maintains about its drivers, including drivers’ license information of approximately 600,000 drivers nationwide, and 1,230 drivers in Mississippi.
The company acknowledged the breach in November 2017, saying it paid $100,000 in ransom for the stolen information to be destroyed. However, the breach triggered Mississippi data breach notification requirements, and Uber failed to report the breach until a year later, a statement from Hood’s office said.
“This settlement should send a message to hacked companies that it is in their best interest to notify impacted Mississippians according to state law,” Hood said in the news release.
Florida and Tennessee have also announced their portion of the settlement, receiving $8.2 million and $1.7 million, respectively.
As part of the settlement, Uber has agreed in detail to strengthen its corporate governance and data security practices to help prevent a similar occurrence in the future. The settlement is subject to court approval.
The settlement between Mississippi and Uber requires the company to:
- Comply with Mississippi data breach and consumer protection law regarding protecting Mississippi residents’ personal information and notifying them in the event of a data breach concerning their personal information
- Take precautions to protect any user data Uber stores on third-party platforms outside of Uber
- Use strong password policies for its employees to gain access to the Uber network
- Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data
- Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations
- Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that those concerns will be heard
Additionally, a private class action, which is separate from this settlement, is being litigated in California to address individual monetary claims.