On September 26, 2018, a record settlement was reached between Uber and the attorneys general of all 50 states and the District of Columbia over the company’s 2016 data breach. While this case presents an extreme example of corporate misconduct by the company's former management, the settlement is unique in the stringent privacy protection requirements that Uber must incorporate into its business practices.
Uber Settlement Fast Facts
As a result of Uber’s significant delay in reporting the breach and the perceived cover-up, the settlement requires Uber to:
- Pay a total of $148M to state attorneys general, which includes approximately $100 for each affected driver, with the remainder generally going to fund future state AG enforcement actions
- Comply with applicable state data breach and consumer protection laws regarding personal and personally identifiable information
- Protect user data stored on third-party platforms, including through the use of data encryption
- Develop, implement, and maintain a comprehensive data security policy for all user data collected with reasonable safeguards to control the risks
- Provide biennial independent third-party assessments of its information security programs for 10 years
- Provide quarterly reports on data security incidents to states for two years
All 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands now have data breach notification laws. While these laws are largely similar, each has subtle distinctions regarding the definition of personal data, the level of harm required to trigger a breach, notification obligations to regulators and credit reporting agencies, and the amount of time allowed to notify affected individuals of the breach. Organizations must follow the law of each state in which the affected individuals reside, regardless of where the organization itself is located. Foley maintains a summary of the applicable laws here.
Incident Response Planning
An incident response plan consists of the policies and procedures that are executed when a data breach occurs. It provides a single point of reference for personnel to follow in mitigating the effects of a breach and preventing its recurrence, including a description of who is responsible for notifying the affected individuals, regulators, the media, and other third parties as may be required under the various breach notification laws.
Corporate officers and the board of directors should periodically review and approve their organization’s incident response plan, and incident response team members should receive constant training on their roles and responsibilities under the plan.
Organizations must take a proactive approach to addressing data breaches so as to avoid undue delays in investigating and responding to such incidents; they should never attempt to cover up or hide a data breach, especially one that may require reporting under federal, state, or international law. Instead, organizations should ensure that corporate officers and the board of directors fully understand their obligations to protect consumers' personally identifiable information and to promptly disclose breaches of that information as required under each state’s laws. The organization’s corporate officers and board of directors must foster a culture of protecting personal data and disclosing security breaches, and should be fully prepared to make all required disclosures even in the face of short-term reputational harm in order to avoid significantly larger liability later. In addition, organizations should continually review their cybersecurity program and incident response policies, both to help avoid a cybersecurity incident and to respond quickly when one occurs.