Uber Agreed to Pay a Record $148 Million to Settle Accusations that it Intentionally Concealed a Major 2016 Data Breach
Uber Technologies, Inc. (Uber) agreed to pay a record $148 million to settle accusations that it intentionally concealed a 2016 data breach that exposed the personal information of 57 million riders and drivers. Uber reached agreement without trial or adjudication of any issue of fact or law, and without admission of any facts alleged or liability of any kind. In many respects, Uber’s alleged handling of the data breach highlights what not to do upon discovering a cyberattack.
According to reports, in November 2016, hackers notified security officials at Uber that they had stolen user information, which included names, email addresses, mobile phone numbers, and drivers’ license information. After providing proof of the massive data breach, the hackers demanded Uber pay a ransom to delete the data and not disclose the breach. Uber ultimately paid the hackers $100,000 to conceal the breach.
In the spring of 2017, Uber’s Board of Directors retained a law firm to investigate Uber’s security team in the wake of unrelated litigation involving the alleged theft of trade secrets related to self-driving cars. The investigators subsequently discovered the breach and ransom payment. Uber didn’t provide notice of the breach until November 2017, a year after the breach. The company later fired the two executives that approved the ransom payment.
The massive data breach and untimely disclosure prompted investigations by the Office of the New York Attorney General, along with numerous other state attorneys general. The recent settlement is the result of a multi-state probe that includes all 50 states, and the District of Columbia. In addition to the multi-million-dollar fine, the settlement requires Uber to adopt model data breach notification and data security practices and a corporate integrity program for employees to report unethical behavior, and hire an independent third party to assess its data security practices.
“This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation,” New York Attorney General Barbara Underwood said. “We’ll continue to fight to protect New Yorkers from weak data security and criminal hackers.”
Learning from Uber’s Cyber Mistakes
Uber has publicly stated that it has already started the process of overhauling its cyber and data security practices. As with other high-profile data breaches, there are a few lessons that other companies can learn from Uber’s mistakes:
Board of Directors Involvement: Board oversight is essential to a successful cybersecurity plan. Board members should regularly review policies and procedures for both protecting data and responding to a potential breach. In addition, security should not be an afterthought, but part of the conversation when planning a new marketing initiative, product, or service. Given that many board members are not cybersecurity experts, it is also essential to seek insight from technology and compliance professionals.
Oversight of Third-Party Vendors: If your vendors don’t take the same cybersecurity precautions, your data will still be at risk. It is imperative to carefully vet every company that has access to your data, including everyone from your cloud storage provider to your office cleaning company. Businesses should also require third-party vendors to meet minimum data security standards and also regularly monitor them for compliance. In most cases, this means conducting a yearly risk assessment to verify that third-parties are actually adhering to security protocols.
Prompt and Honest Breach Notification: Most companies will suffer a cyber incident at some point; what separates them is how they respond. The worst mistake a company can make is attempting to hide a data breach. While failing to notify the proper authorities can result in significant financial penalties, the public relations fallout with consumers is often much greater. When companies poorly handle data breaches, it also gives regulators additional ammunition when seeking to impose strict data privacy standards.
Creating a Compliance Culture: Creating a corporate culture that recognizes the importance protecting intellectual property and confidential business data can go a long way. As with any compliance program, it is essential to set the tone at the top. Everyone from senior management to entry-level workers should understand what to do in the event of a data breach. Practical employee cyber training is also important. By providing real life scenarios, employees can better appreciate their role in mitigating cyber risks.
As the potential risk and liability associated with data breaches continue to grow, businesses must be proactive. Consulting with attorneys knowledgeable in cybersecurity risk analysis and mitigation can help businesses of all sizes navigate the process.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Fernando M. Pinguelo, or the Scarinci Hollenbeck attorney with whom you work, at 201-806-3364.
Breach of Contract Explained: Types and Consequences
Breach of contract disputes are the most common type of business litigation. Therefore, nearly all New York and New Jersey businesses will likely have to deal with a contract dispute at least once. Understanding when to file a breach of contract lawsuit and how long you have to sue for breach of contract is essential […]
How to Dissolve a Corporation in New Jersey: A Step-by-Step Guide
Closing your business can be a difficult and challenging task. For corporations, the process includes formal approval of the dissolution, winding up operations, resolving tax liabilities, and filing all required paperwork. Whether you need to understand how to dissolve a corporation in New York or New Jersey, it’s imperative to take all of the proper […]
Gross Lease vs. Net Lease: Understanding the Key Differences
Commercial leases can take a variety of forms, which is often confusing for both landlords and tenants. Understanding the different types, especially the gross lease structure, is important when selecting the lease that best suits your needs. One key distinction between lease types is how rent is calculated and paid. This article addresses the two […]
What to Do If You Are Impacted by a Retailer Bankruptcy Part 2
Over the past year, brick-and-mortar stores have closed their doors at a record pace. Fluctuating consumer preferences, the rise of online shopping platforms, and ongoing economic uncertainty continue to put pressure on the retail industry. When a retailer seeks bankruptcy protection, a myriad of other businesses are often impacted. Whether you are a supplier, customer, […]
The Current Administration's Proposals for the Financial Services and Banking Industries Will Affect Your Business
Since his inauguration two months ago, Donald Trump’s administration and the Congress it controls have indicated important upcoming policy changes. These changes will impact financial services policies and priorities. The changes will particularly affect cryptocurrency, as well as banking rules and regulations. Key Regulatory Changes in Cryptocurrency For example, in the burgeoning cryptocurrency business environment, […]
Tips for Commercial Landlords Impacted by Wave of Retailer Bankruptcies Part 1
The retail sector has experienced a wave of bankruptcy filings over the last year. Brick-and-mortar businesses in financial distress include big-name brands like Big Lots, Party City, The Container Store, and Vitamin Shoppe. When large retailers seek bankruptcy protection, they are not the only businesses impacted. Landlords can be particularly hard hit. While commercial landlords […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
