WBK Industry News - Federal Regulatory Developments

Major Ride-Sharing Company Settles with States over 2016 Data Breach

A major ride-sharing company reached an agreement with the attorneys general of all 50 states and the District of Columbia to pay $148 million and tighten its data security in order to settle all legal inquiries regarding its October 2016 data breach.  Such inquiries focused on whether the company violated data breach notification laws when it did not inform consumers about the data compromise.

The company learned in November 2016 that, in October of the same year, hackers had accessed drivers’ and users’ personal data housed on a third-party cloud-based service.  However, the company did not disclose the data breach to the authorities or the public until November 2017, at which point it stated that it had paid $100,000 in ransom for the stolen information to be destroyed.  The stolen personal data included the names, email addresses, and mobile phone numbers of millions of drivers and users worldwide, as well as the driver’s license information for about 600,000 company drivers in the United States.

The settlement payout will be divided among the states based on the number of company drivers in each state.

Additionally, under the settlement, the company will, among other things:

  • comply with state consumer protection laws meant to safeguard personal information,
  • immediately notify authorities in case of future breaches,
  • establish methods to protect user data stored on third-party platforms,
  • create strong password-protection policies,
  • develop and implement a corporate integrity program for employees to report unethical behavior, and
  • hire an independent third party to assess the company’s security practices.

The company’s article on the settlement may be found here.