Uber Data Breach Settlement: Colorado To Get $2.1 million

DENVER, CO – Colorado will get part of a 50-state $148 million settlement with Uber Technologies, Inc. for allegedly failing to report a data breach to affected drivers in 2016-17.

Attorney General Cynthia Coffman said Colorado would receive $2.1 million of the settlement.

According to the lawsuit, Uber learned in November, 2016 that hackers had gained access to personal information about its drivers, including drivers’ license information for more than 12,000 Colorado drivers. But the company allegedly waited a year to announce the data breach, making it public in November, 2017.

Under Colorado law, Uber was required to notify the affected drivers in a timely manner.

"Uber concealed this data breach from its drivers for a full year, in violation of Colorado law," said Coffman in a statement. "Consumers deserve a quick heads up when their information has been compromised so they can take steps to protect themselves from criminals. Instead, Uber took the law into its own hands, further disadvantaging its drivers. This settlement sends a strong message that companies like Uber who fail to follow Colorado’s data breach notification law will face expensive consequences."

Uber has agreed to "strengthen its corporate governance and data security practices to help prevent a similar occurrence in the future," the AG's office said.

The settlement between the State of Colorado and Uber requires the company to:

• Comply with Colorado’s data breach and consumer protection law.
• Take precautions to protect any user data Uber stores on third-party platforms.
• Use strong password policies for its employees.
• Develop and implement a strong overall data security policy for all data that Uber collects.
• Hire an outside qualified party to assess Uber’s data security efforts on a regular basis.
• Develop and implement a "corporate integrity program" for Uber employees to bring forward any ethics concerns.

Image via Shutterstock