Office of the Vermont Attorney General

Vermont to Receive $600,000 in Settlement With Uber Over Data Breach

September 26, 2018

Contact: Ryan Kriger, Assistant Attorney General, (802) 828-3170

MONTPELIER – Attorney General T.J. Donovan announced that Vermont and 49 states and the District of Columbia have reached an agreement with California-based ride-sharing company Uber Technologies, Inc. (Uber). The settlement addresses the company’s one-year delay in reporting a data breach to its affected drivers. Vermont will receive $600,000 as its portion of the settlement. Uber’s payments across the country total $148 million.

Uber learned in November 2016 that hackers had gained access to personal information that Uber maintains about its drivers, including drivers’ license information pertaining to approximately 600,000 drivers nationwide. Uber tracked down the hackers and obtained assurances that the hackers deleted the information. Vermont law requires businesses to notify the Attorney General within 14 days of a security breach, and consumers no more than 45 days after a breach. Uber failed to report the breach in a timely manner, waiting until November 2017 to report it.

Attorney General Donovan stated, “We understand that security breaches happen, and we generally work with businesses to make sure consumers are notified.  If a business fails to report a data breach in a timely manner, however, we take that very seriously.”

This is not the first time Vermont has enforced its notice act against businesses that failed to report a breach in a timely manner. In 2017 Vermont fined Hilton $300,000 and SAManage USA, Inc. $264,000.

Vermont will provide each Uber driver impacted in state with a $100 payment. Eligible drivers are those drivers whose driver’s license numbers were accessed during the 2016 breach.  Some of those drivers may not still be driving for Uber today.  A settlement administrator will be appointed to provide notice and payment to eligible drivers. Details of that process will be announced by this office after the effective date of the settlement.

Uber has also agreed to strengthen its corporate governance and data security practices to help prevent a similar occurrence in the future. The settlement between the Vermont and Uber requires the company to:

  • Comply with Vermont data breach and consumer protection law regarding protecting Vermont residents’ personal information and notifying them in the event of a data breach concerning their personal information;
  • Take precautions to protect any user data Uber stores on third-party platforms outside of Uber;
  • Use strong password policies for its employees to gain access to the Uber network;
  • Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;
  • Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations; and
  • Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that it will be heard.

All 50 states and the District of Columbia are participating in this multistate agreement with Uber.

More information about the Attorney General Donovan’s efforts to protect consumers can be found at http://ago.vermont.gov/about-the-attorney-generals-office/divisions/consumer-resources/

Last modified: October 16, 2018