On September 26, 2018, the attorneys general of all 50 states and the District of Columbia (“State AGs”) announced a record-breaking $148 million settlement with Uber Technologies Inc. (“Uber”) over Uber’s alleged failure to disclose a massive data breach in 2016.[1] The settlement holds significant implications for U.S. companies concerned about their cybersecurity measures in the face of increasingly frequent data breaches and intensifying scrutiny by authorities.
State AGs’ Settlement with Uber[2]
In November 2016, hackers based in the United States and Canada provided evidence to security officials at Uber that the hackers had downloaded the personal information (including names, emails, and phone numbers) of 57 million Uber drivers and riders.[3] The hackers then demanded a six-figure ransom payment to delete the data and not disclose the breach; certain Uber employees authorized paying $100,000 to the hackers and did not disclose the incident to the affected drivers and riders.[4] A few months later, when the breach and the ransom payment were uncovered in the course of work being performed in an unrelated litigation, Uber’s board of directors hired a forensic firm to investigate the incident and disclosed the breach publicly in November 2017, a year after the breach had occurred.[5]
Following this notice, a number of state attorneys general initiated a ten-month investigation into whether Uber had intentionally concealed its 2016 data breach in violation of state data breach notification laws.[6] The recent settlement, joined by all 50 state attorneys general and the District of Columbia, resolves this investigation.
As part of the settlement, Uber has agreed to pay $148 million, the largest amount ever paid in a settlement with state attorneys general in relation to data privacy; the settlement easily exceeds the $18.5 million that Target paid in 2017 to settle claims related to its 2013 data breach. Uber has also agreed to comply with the relevant state data breach and consumer protection laws by, among other things, adopting data breach notification and data security practices and hiring an independent third party to assess its data security practices.
Takeaways
The Uber settlement further underscores that cybersecurity—and adequate data security protections and disclosure of data breaches—remains an area of interest for state and federal authorities, with no signs of slowing down. Being the victim of a successful data breach does not by itself mean a company has committed any violation; rather, a data breach—whether successful or not—is often the event that initiates the process of examining whether a company took appropriate preventative and reactive measures in line with the governing laws and regulations. In the specific case of ransomware attacks, as with Uber, companies must be scrupulous in meeting their disclosure obligations even if they believe the threat of harm has arguably been neutralized. The recent enforcement action calls for continued focus by companies on preparing for cyber incidents—including through adequate policies, procedures and regular tabletop exercises—as well as proactive incident response.
[1] See, e.g., Press Release, N.Y. State Office of the Attorney General, A.G. Underwood Announces Record $148 Million Settlement With Uber Over 2016 Data Breach (Sept. 26, 2018) [hereinafter “NYAG Press Release”], https://ag.ny.gov/press-release/ag-underwood-announces-record-148-million-settlement-uber-over-2016-data-breach.
[2] See Press Release, SEC, SEC Charges Firm With Deficient Cybersecurity Procedures (Sept. 26, 2018) [hereinafter “SEC Press Release”], https://www.sec.gov/news/press-release/2018-213.
[3] E.g., NYAG Press Release, supra note 1.
[4] E.g., id.
[5] E.g., id.; see also Aisha Al-Muslim, Uber to Pay $148 Million Penalty to Settle 2016 Data Breach, Wall St. J. (Sept. 26, 2018 1:32 pm), https://www.wsj.com/articles/uber-to-pay-148-million-penalty-to-settle-2016-data-breach-1537983127.
[6] E.g., NYAG Press Release, supra note 1; see also Heather Somerville, Uber to Pay $148 Million to Settle Data Breach Cover-Up with U.S. States, Reuters (Sept. 26, 2018 12:02 pm), https://www.reuters.com/article/us-uber-databreach/uber-to-pay-148-million-to-settle-data-breach-cover-up-with-us-states-idUSKCN1M62AJ (noting that the investigation was ten months long).