Attorney General Brnovich Reaches $148 Million Settlement With Uber Over Data Breach

PHOENIX -- Arizona Attorney General Mark Brnovich announced that he, along with his counterparts in the other 49 states and the District of Columbia, reached an agreement with California-based ride-sharing company Uber Technologies, Inc. (Uber) to address the company’s one-year delay in reporting a data breach to its affected drivers. 

As part of the nationwide settlement, Uber has agreed to pay $148 million to the states. Arizona will receive $2,738,794.47. In addition, Uber has agreed to strengthen its corporate governance and data-security practices.

From its portion of the settlement recovery, Arizona will provide each Uber driver impacted in the state with a $100 payment. A settlement administrator will be retained to provide notice and payment to eligible drivers. Details of that process will be announced by this Office after the effective date of the settlement.

“Arizonans have a right to know when their personal information is taken,” said Attorney General Mark Brnovich. “Not only does this settlement provide restitution for harmed drivers, but Uber must also now implement new data-security practices to help prevent a similar occurrence in the future. This settlement sends a strong message to other companies: if you don’t disclose a major data breach to consumers, there will be consequences.”

Uber learned in November 2016 that hackers had gained access to some personal information the company maintains about its drivers, including driver’s license information pertaining to approximately 600,000 drivers nationwide. That triggered Arizona law requiring Uber to notify affected Arizona residents, but Uber failed to do so in a timely manner, instead waiting until November 2017 to report the breach.

The settlement between the state of Arizona and Uber also requires the company to:

  • Comply with Arizona data-breach and consumer-protection law regarding residents’ personal information and notify residents in the event of a data breach concerning their personal information.
  • Develop and implement a strong overall security policy for data that Uber collects about its users, including assessing potential risks to the security of the data and implementing additional security measures.
  • Take precautions to protect any user data Uber stores on third-party platforms outside of Uber.
  • Use strong password policies for its employees to gain access to the Uber network.
  • Hire an outside, qualified party to assess Uber’s data-security efforts on a regular basis.
  • Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company and to ensure that such concerns will be heard.

All 50 states and the District of Columbia are participating in this multistate agreement with Uber. For Arizona, the investigation was handled by Assistant Attorneys General Rebecca Eggleston, John Gray, and Bryce Clark.