Uber, the California-based ride sharing company, has reached the settlement with all 50 states and the District of Columbia.
The Nebraska Attorney General’s Office reported the settlement reached after Uber delayed for a year to tell its drivers hackers had gained access to some of their personal information. Uber learned in 2016 personal information had been obtained on about 600,000 of its drivers nationwide. It didn’t report the breach until November of last year.
Uber also has agreed to strengthen its corporate governance and data security practices to help prevent a similar occurrence in the future, according to the AG office.
The office reports the settlement between Nebraska and Uber requires the company to:
· Comply with Nebraska’s data breach and consumer protection law regarding protecting Nebraska residents’ personal information and notifying them in the event of a data breach concerning their personal information;
· Take precautions to protect any user data Uber stores on third-party platforms outside of Uber;
· Use strong password policies for its employees to gain access to the Uber network;
· Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;
· Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations; and
· Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that it will be heard.