On September 26, 2018, a record settlement was reached between Uber and the attorneys general of all 50 states and the District of Columbia over the company’s 2016 data breach. While this case presents an extreme example of corporate misconduct on behalf of its former management, this settlement is unique in the imposition of stringent privacy protection requirements that Uber must incorporate into its business practices.
Uber Settlement Fast Facts
As a result of Uber’s significant delay in reporting the breach and perceived cover up, the settlement requires Uber to:
– Pay a total of $148M to state attorneys general, which includes approximately $100 for each affected driver, with the rest generally going to fund future state AG enforcement action
– Comply with applicable state data breach and consumer protection laws regarding personal and personally identifiable information
– Protect user data stored on third-party platforms, including through the use of data encryption
– Develop, implement, and maintain a comprehensive data security policy for all user data collected with reasonable safeguards to control the risks
– Provide biennial independent third-party assessments of its information security programs for 10 years
– Provide quarterly reports on data security incidents to states for two years
Incident Response Planning
Corporate officers and the board of directors should periodically review and approve their organization’s incident response plan, and incident response team members should receive constant training on their roles and responsibilities under the plan.
In November 2016, prior to major management changes at Uber, Uber learned that hackers had gained access to personal information about its drivers and customers, including driver’s license information on 600,000 of its drivers, and email addresses and phone numbers from 57 million customers worldwide. Instead of notifying affected individuals and law enforcement as required by most state laws, Uber tracked down the hackers and attempted to cover up the data breach by paying the hackers $100,000 to remain silent and destroy the stolen information. Uber failed to report the breach to authorities and affected individuals until it was uncovered in 2017 during an internal investigation by its board of directors.
After news of the data breach broke, attorneys general nationwide investigated Uber under their respective consumer protection and state breach notification laws, with some enforcing their statutes for the first time. On September 26, state attorneys general nationwide announced the proposed nationwide settlement, which in some states may still require approval by the applicable court. Under the proposed settlement, an example of which is available here, Uber is required to pay a total of $148 million to the 51 participating attorneys general and its own drivers. But the settlement is unique not just for the magnitude of the fines; for the first time ever, an AG’s office is requiring a company to reform its business practices to include the principles of “Privacy by Design” and to integrate privacy considerations and protections into every phase of its product’s design and development lifecycle.
California Attorney General Xavier Becerra stated that “Uber’s decision to cover up this breach was a blatant violation of the public’s trust. The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law. Companies in California and throughout the nation are entrusted with customers’ valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect their data.”
Data Breach Notification Requirements
All 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands now have data breach notification laws. While these laws are largely similar, they each have subtle distinctions regarding the definition of personal data, the level of harm required to trigger a breach, notification obligations to regulators and credit reporting agencies, and the amount of time to notify individuals of the breach. Organizations must ensure they follow the law in each state where the affected individuals are, regardless of the location of the organization. Foley maintains a summary of the applicable laws here.
Impact to Business
To paraphrase former FBI Director James Comey’s 2014 statements about cybersecurity incidents, it is not a matter of if an organization will be the victim of a cybersecurity attack, but when. While acknowledgement of data breaches was once a taboo subject for organizations, it is now simply a recognition that no security practices are foolproof and that there is always room for improvement. Past actions from regulators suggest that little to no liability occurs when an organization takes its cybersecurity obligations seriously and implements cybersecurity measures that are reasonable, given the size of the organization, the resources it has, and the type of data it handles. However, Uber’s settlement with the state attorneys general shows how an organization’s potential liability can be compounded when it fails to timely comply with its obligations to protect the personal data of consumers and to notify consumers when their personal data has been compromised, and instead attempts to conceal a data breach. And the settlement amount likely tells only part of the story – Uber’s real costs as a result of the breach may be multiple times higher when indirect costs such as those associated with customer churn and reputational harm are included.
Organizations must take a proactive approach in addressing data breaches to avoid any undue delays in investigating and responding to such incidents; they should certainly never attempt to cover up or hide a data breach, especially one that may require reporting under federal, state, or international law. Instead, organizations should ensure that corporate officers and the board of directors fully understand their obligations to protect consumers’ personally identifiable information and to promptly disclose breaches of personally identifiable information as may be required under each state’s laws. The organization’s corporate officers and board of directors must foster a culture of protecting personal data and disclosing security breaches, and should be fully prepared to make all required disclosures even in the face of short-term reputational harm in order to avoid significantly larger liability later. In addition, organizations should continually review their cybersecurity program and incident response policies in order to help avoid a cybersecurity incident and to quickly respond when one occurs.