Scarinci Hollenbeck, LLC, LLCScarinci Hollenbeck, LLC, LLC

Firm Insights

Key Lessons from Uber’s Record Data Breach Settlement

Author: Scarinci Hollenbeck, LLC

Date: December 12, 2018

Key Contacts

Back

Uber Agreed to Pay a Record $148 Million to Settle Accusations that it Intentionally Concealed a Major 2016 Data Breach

Uber Technologies, Inc. (Uber) agreed to pay a record $148 million to settle accusations that it intentionally concealed a 2016 data breach that exposed the personal information of 57 million riders and drivers. Uber reached agreement without trial or adjudication of any issue of fact or law, and without admission of any facts alleged or liability of any kind. In many respects, Uber’s alleged handling of the data breach highlights what not to do upon discovering a cyberattack

Key Lessons from Uber’s Record Data Breach Settlement
Photo courtesy of Dan Gold (Unsplash.com)

According to reports, in November 2016, hackers notified security officials at Uber that they had stolen user information, which included names, email addresses, mobile phone numbers, and drivers’ license information. After providing proof of the massive data breach, the hackers demanded Uber pay a ransom to delete the data and not disclose the breach. Uber ultimately paid the hackers $100,000 to conceal the breach. 

In the spring of 2017, Uber’s Board of Directors retained a law firm to investigate Uber’s security team in the wake of unrelated litigation involving the alleged theft of trade secrets related to self-driving cars. The investigators subsequently discovered the breach and ransom payment.  Uber didn’t provide notice of the breach until November 2017, a year after the breach. The company later fired the two executives that approved the ransom payment.

The massive data breach and untimely disclosure prompted investigations by the Office of the New York Attorney General, along with numerous other state attorneys general. The recent settlement is the result of a multi-state probe that includes all 50 states, and the District of Columbia. In addition to the multi-million-dollar fine, the settlement requires Uber to adopt model data breach notification and data security practices and a corporate integrity program for employees to report unethical behavior, and hire an independent third party to assess its data security practices.

“This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation,” New York Attorney General Barbara Underwood said. “We’ll continue to fight to protect New Yorkers from weak data security and criminal hackers.”

Learning from Uber’s Cyber Mistakes

Uber has publicly stated that it has already started the process of overhauling its cyber and data security practices. As with other high-profile data breaches, there are a few lessons that other companies can learn from Uber’s mistakes:

  • Board of Directors Involvement: Board oversight is essential to a successful cybersecurity plan. Board members should regularly review policies and procedures for both protecting data and responding to a potential breach. In addition, security should not be an afterthought, but part of the conversation when planning a new marketing initiative, product, or service. Given that many board members are not cybersecurity experts, it is also essential to seek insight from technology and compliance professionals.
  • Oversight of Third-Party Vendors: If your vendors don’t take the same cybersecurity precautions, your data will still be at risk. It is imperative to carefully vet every company that has access to your data, including everyone from your cloud storage provider to your office cleaning company. Businesses should also require third-party vendors to meet minimum data security standards and also regularly monitor them for compliance. In most cases, this means conducting a yearly risk assessment to verify that third-parties are actually adhering to security protocols.
  • Prompt and Honest Breach Notification: Most companies will suffer a cyber incident at some point; what separates them is how they respond. The worst mistake a company can make is attempting to hide a data breach. While failing to notify the proper authorities can result in significant financial penalties, the public relations fallout with consumers is often much greater. When companies poorly handle data breaches, it also gives regulators additional ammunition when seeking to impose strict data privacy standards.
  • Creating a Compliance Culture: Creating a corporate culture that recognizes the importance protecting intellectual property and confidential business data can go a long way. As with any compliance program, it is essential to set the tone at the top. Everyone from senior management to entry-level workers should understand what to do in the event of a data breach. Practical employee cyber training is also important. By providing real life scenarios, employees can better appreciate their role in mitigating cyber risks.

As the potential risk and liability associated with data breaches continue to grow, businesses must be proactive. Consulting with attorneys knowledgeable in cybersecurity risk analysis and mitigation can help businesses of all sizes navigate the process.

If you have questions, please contact us

If you have any questions or if you would like to discuss the matter further, please contact me, Fernando M. Pinguelo, or the Scarinci Hollenbeck attorney with whom you work, at 201-806-3364.

No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.

Scarinci Hollenbeck, LLC, LLC

Related Posts

See all
Corporate Transactions: Best Practices for Successful Deals post image

Corporate Transactions: Best Practices for Successful Deals

Corporate transactions can have significant implications for a corporation and its stakeholders. For deals to be successful, companies must act strategically to maximize value and minimize risk. It is also important to fully understand the legal and financial ramifications of corporate transactions, both in the near and long term. Understanding Corporate Transactions The term “corporate […]

Author: Dan Brecher

Link to post with title - "Corporate Transactions: Best Practices for Successful Deals"
How to Conduct a Fair and Legal Employee Termination in 2025 post image

How to Conduct a Fair and Legal Employee Termination in 2025

Ongoing economic uncertainty is forcing many companies to make tough decisions, which includes lowering staff levels. The legal landscape on both the state and federal level also continues to evolve, especially with significant changes to the priorities of the Equal Employment Opportunity Commission (“EEOC”) under the Trump Administration. Terminating an employee is one of the […]

Author: Angela A. Turiano

Link to post with title - "How to Conduct a Fair and Legal Employee Termination in 2025"
Admin Dissolution for Annual Report: What You Need to Know post image

Admin Dissolution for Annual Report: What You Need to Know

While filing annual reports may seem like a nuisance, failing to do so can have significant ramifications. These include fines, reputational harm, and interruption of your business operations. In basic terms, “admin dissolution for annual report” means that a company is dissolved by the government. This happens because it failed to submit its annual report […]

Author: Dan Brecher

Link to post with title - "Admin Dissolution for Annual Report: What You Need to Know"
What Is Antitrust Litigation Law? post image

What Is Antitrust Litigation Law?

Antitrust laws are designed to ensure that businesses compete fairly. There are three federal antitrust laws that businesses must navigate. These include the Sherman Act, the Federal Trade Commission Act, and the Clayton Act. States also have their own antitrust regimes. These may vary from federal regulations. Understanding antitrust litigation helps businesses navigate these complex […]

Author: Robert E. Levy

Link to post with title - "What Is Antitrust Litigation Law?"
Dissolving Your Business: Essential Legal Steps to Protect Your Interests post image

Dissolving Your Business: Essential Legal Steps to Protect Your Interests

If you’re considering closing your business, it’s crucial to understand that simply shutting your doors does not end your legal obligations. Unless you formally dissolve your business, it continues to exist in the eyes of the law—leaving you exposed to ongoing liabilities such as taxes, compliance violations, and potential lawsuits. Dissolving a business can seem […]

Author: Christopher D. Warren

Link to post with title - "Dissolving Your Business: Essential Legal Steps to Protect Your Interests"
The Role of Corporate Restructuring in Mergers & Acquisitions post image

The Role of Corporate Restructuring in Mergers & Acquisitions

Contrary to what many people think, corporate restructuring isn’t all doom and gloom. Revamping a company’s organizational structure, corporate hierarchy, or operations procedures can help keep your business competitive. This is particularly true during challenging times. Corporate restructuring plays a critical role in modern business strategy. It helps companies adapt quickly to market changes. Following […]

Author: Dan Brecher

Link to post with title - "The Role of Corporate Restructuring in Mergers & Acquisitions"

No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.

Sign up to get the latest from our attorneys!

Explore What Matters Most to You.

Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.

Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.

Let`s get in touch!

* The use of the Internet or this form for communication with the firm or any individual member of the firm does not establish an attorney-client relationship. Confidential or time-sensitive information should not be sent through this form.

Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!