Uber Technologies Inc. recently settled a lawsuit relating to a data breach at the company. The suit was filed by all 50 states and the District of Columbia, and as part of the nearly $150 million settlement Florida will receive over $8 million.
The data breach in question occurred in November of 2016, and it involved computer hackers who stole the personal information of around 600,000 drivers across the nation. Victims of the hacking were not notified that their data, which included driver license identification numbers, had been exposed until a full year after the breach was exposed.
Instead, the company identified the hackers without the aid of law enforcement. They also contacted them and received assurances that all data had been destroyed and would not be disseminated in any form. They also reportedly paid the thieves a ransom of $100,000 in exchange for these assurances.
Tony West, who is the Chief Legal Officer at Uber, issued a statement in which he insisted that the company’s handling of the incident, including the way it disclosed the breach, was the correct approach. He said that it reflects the company’s commitment to “transparency, integrity, and accountability.”
However, due to Uber’s failure to report the breach in a timely manner, they were in violation of Florida’s Information Protection Act as well as various other laws.
Pam Bondi, who is Florida’s Attorney General, announced Florida’s share of the settlement. She further expressed the hope that it would send an unmistakable message to companies such as Uber that it is vitally important for them to timely report breaches.
Bondi also indicated that the settlement money would be used toward paying for the following:
- Fees for attorneys and other costs relating to investigating the incident and litigating the claim
- Costs relating to establishing a revolving fund for consumer protection enforcement and other forms of enforcement
- The cost of future consumer protection or privacy enforcement, including litigation costs
- The costs of consumer education programs
- Any other uses that are permitted by state law, at the discretion of the Attorney General’s office
One thing that the money will not be used for is directly compensating the victims of the data breach. That is, the Uber drivers themselves.
As part of the settlement, for the following two years Uber must provide Floria with a quarterly report that lists all data security incidents discovered by the company.