On September 26, the California Attorney General announced that a global ride-sharing company reached a joint settlement with all 50 state Attorneys General and the District of Columbia for $148 million to resolve allegations that the company failed to safeguard user data and to notify authorities after a 2016 data breach. As previously covered by InfoBytes, in November 2017, the company disclosed, via press release, a 2016 data breach that exposed the personal data of 57 million riders and drivers, in which hackers obtained approximately 600,000 driver names and license numbers, along with rider names, email addresses, and mobile phone numbers. During subsequent state investigations, authorities discovered that, after the company learned of the breach, it paid hackers $100,000 to delete the acquired data and to keep silent about the breach.
According to the California announcement, the $148 million settlement benefits all 50 states and the District of Columbia, with California receiving $26 million. In addition to the penalty, the settlement allegedly requires the company to implement various conduct provisions, including (i) integrating privacy considerations and protections into the development and design of products; (ii) implementing and maintaining robust data security practices and accurately representing them; (iii) developing and maintaining a comprehensive information security program; (iv) reporting data security incidents to states on a quarterly basis for two years; and (v) maintaining a “Corporate Integrity Program.”