CHARLESTON — A multi-state settlement with Uber will result in a settlement with West Virginia for nearly $600,000.
The nationwide settlement, reached at $148 million, addressed Uber’s one-year delay in reporting a data breach to its affected drivers.
In addition to the monetary settlement, Uber must strengthen its corporate governance and data security practices among other requirements aimed at preventing a similar occurrence in the future.
In total, West Virginia will receive $592,800.
Uber, the popular ride-sharing service, is commonly used in Morgantown and Charleston. The service went state-wide last August.
The settlement stems from Uber’s failure to promptly report a data breach it discovered in November 2016.
According to the West Virginia Attorney General’s Office, the breach allowed hackers to gain access to some personal information that Uber maintains about its drivers, including license information pertaining to approximately 600,000 drivers nationwide.
The settlement between West Virginia and Uber requires the company to:
- Comply with West Virginia consumer protection laws regarding the protection of personal information and notification in the event of a data breach concerning personal information;
- Take precautions to protect any user data it stores on third-party platforms outside of Uber;
- Use strong password policies for its employees to gain access to the Uber network;
- Develop and implement a strong security policy for all data that it collects about users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;
- Hire a qualified, outside party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations; and
- Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that it will be heard.
The company conducted an investigation initially, and representatives from Uber said they obtained assurances that the hackers deleted the information they acquired.
However the drivers’ license numbers and other information triggered laws requiring the company to notify those affected. Uber failed to report the incident until November 2017, resulting in the nationwide lawsuit.
All 50 states and the District of Columbia participated in this multi-state agreement with Uber, a California-based company.
