NJ to Get $3.75 Million Share of Uber Data Breach Settlement
The settlement is the result of a multistate investigation that found Uber paid hackers $100,000 to conceal the breach, which exposed the names, email addresses, and cellphone numbers of 57 million users.
September 27, 2018 at 05:30 PM
5 minute read
The original version of this story was published on The Recorder
Uber on Wednesday agreed to pay a record $148 million in state and local penalties to settle allegations that the company intentionally concealed a major data breach in 2016 that exposed the personal information of 57 million people—including a $3.75 million share for New Jersey.
The settlement comes in the wake of a multistate investigation that found the ride-hailing company paid hackers $100,000 to conceal the breach, which exposed the names, email addresses, and cellphone numbers of those users. Uber did not provide public notice of the breach until a year after it happened in late 2016.
New Jersey was on the multi-jurisdictional investigation's executive committee, according to a release from New Jersey Attorney General Gurbir Grewal's Office.
“This is a significant settlement for New Jersey residents and for Uber users everywhere—not only because the payout is historic, but because it requires that Uber adopt new policies and procedures that will more effectively safeguard the personal information of its riders and drivers in the future,” Grewal said in a statement. “We're also sending a signal to other companies that ignoring consumers' privacy rights comes with a stiff financial penalty.”
The settlement is between Uber, all 50 states, and the District of Columbia.
The company's board of directors were in the dark about the ransom payment until it was discovered by a law firm last spring. The firm was hired to investigate the company's security team in a separate matter but stumbled on the breach during its inquiry. The board then hired a forensic firm to probe what happened with the breach.
Uber said in a November 2017 statement from CEO Dara Khosrowshahi that the breach was carried out by two hackers outside the company. The hackers accessed user data on a third-party, cloud-based service the company uses to store some information. They, however, were not able to download users' Social Security numbers, bank account information, credit card numbers, dates of birth, and trip history, according to the company.
The hackers were able to collect the names, email addresses, and cellphone numbers of the 57 million people that use Uber and the driver's license numbers of about 600,000 drivers, according to the company.
Uber eventually provided notice of the breach after an investigation, but that wasn't until a year after the breach and ransom payment happened.
Uber is based in San Francisco. California's share of the settlement is $26 million, which it will split with the San Francisco district attorney's office. DA George Gascon, who has frequently scrutinized Uber's business practices, joined the investigation into the data breach.
Becerra said Uber violated California laws requiring companies to secure customers' information and to promptly report data breaches affecting more than 500 people to the state Department of Justice. More than a quarter of the 600,000 Uber drivers who had their data exposed live in California.
The money will pay for more consumer enforcement actions, Becerra said.
“Anyone thinking about trying to evade the law, to skirt their responsibility to inform the public or law enforcement that a data breach has occurred … they better report it,” Becerra said. “Don't think that you can hide it and get away with it. You will find yourself in the same position as Uber did.”
Uber Chief Legal Officer Tony West said in a statement on Wednesday that they are working to improve safety and security after the breach and have hired new experts to implement those improvements. He said the company learned from its mistake in 2016. “Our current management team's decision to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability,” West said. “An important component of living up to those principles means taking responsibility for past mistakes, learning from them, and moving forward.”
The company's notice in 2017 launched a nationwide investigation into its conduct in the wake of the breach. California is one of several states that independently investigated the breach before teaming up with other states on the probe.
Uber has also promised to develop a new policy on data security that will assess the potential risk of another breach and implement improvements beyond what's currently in place. The company is required to hire an outside contractor to examine its security efforts regularly and recommend improvements.
Uber will also have to take additional precautions to protect any user data it stores on third-party platforms, such as the one hackers accessed in 2016. If there is another breach, employees must also have an avenue to report any ethics concerns they have about other employees. Those employees will also now be subject to stricter password guidelines to gain access to the company's internal network.
The settlement does not resolve any liability that Uber may have to consumers, Becerra said. Uber is still litigating claims related to the breach in multidistrict litigation before U.S. District Judge Philip Gutierrez in the Central District of California.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllHit by Mail Truck: Man Agrees to $1.85M Settlement for Spinal Injuries
$945K Settlement Reached in Fatal Crash After Truck Driver Fell Asleep at Wheel
3 minute read'That's Insane': Lawyers Weigh In on Fallout From Uber's User Agreement
7 minute readNY's Top Court Mulls Fate of Personal Injury Claims Against NJ Transit Corp.
Trending Stories
- 1What to Know About Naming a Law Firm
- 2Texas Shows the Way Forward in Resolving Mass Tort Gridlock
- 3Ninth Circuit Rules on Inherent Authority and FRCP 37(e)
- 4Where CFPB Enforcement Stops Short on Curbing School Lunch Fees, Class Action Complaint Steps Up
- 5Appellate Court's Decision on Public Employee Pension Eligibility Helps the Judiciary
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250