Tierney Blog

Uber Multistate Settlement Demonstrates the Power of State Data Breach Laws

On September 26, 2018, the attorneys general of all 50 states and the District of Columbia announced an agreement to settle allegations that Uber had exposed the data of 57 million users, and then paid hackers to cover up the breach rather than reporting it to proper authorities. Additional details on the breach can be found in the press releases issued by California, New York, or Massachusetts, each of which reportedly helped lead the settlement. Reporting from Bloomberg, which originally broke the story on the breach in November of 2017, can be found here.

As other commentators have recognized, the multistate settlement shows that the proliferation of state data breach laws has given attorneys general the power to come down hard on bad actors. The settlement included a penalty of $148 million, which has been described as the largest penalty ever imposed by state authorities for a data breach. The settlement also required Uber to take measures to prevent future data breaches and reform its corporate culture. It includes requirements that Uber report to states any data security incidents quarterly, develop a data security program with an executive officer, and set up a hotline for reporting misconduct.