NASHVILLE - Tennesseee Attorney General Herbert Slatery says he and counterparts across the country have reach a $148 million settlement with ride-sharing service Uber over the California-based company's year-long delay in in reporting a data breach to its affected drivers.
Tennessee is expected to receive nearly $1.7 million , in the 50-state settlement which Slatery said will be directed into the state's general fund.
According to Slatery's office, Uber learned in November 2016 that hackers had gained access to personal information the company maintains about its drivers. That driver license information pertained to an estimated 600,000 drivers nationwide.
Uber tracked down the hackers, agreed to pay them $100,000, and obtained assurances that the hackers deleted the information.
But Slatery said Tennessee law required the company to notify anyone here promptly about breaches involving driver licenses. Uber failed to report the breach in a timely manner, waiting until November 2017, a year later, to do so, according to Slatery.
In addition to the $148 million settlement, Uber has agreed to strengthen its corporate governance and data security practices to help prevent a repeat of such occurrences. The list of steps required include:
Comply with Tennessee data breach and consumer protection law regarding protecting residents' personal information and notifying them in the event of a data breach concerning their personal information.
Take precautions to protect any user data that Uber stores on third-party platforms outside of Uber.
Use strong password policies for its employees to gain access to the Uber network.
Develop and implement a "strong" data security policy for all data that Uber collects about its users. That includes assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is now doing to protect the data.
Hire an outside "qualified party" to assess Uber's data security efforts on a regular basis and provide a report with any recommended security improvements. Uber would have to implement any such security improvement recommendations.
Develop and implement a "corporate integrity program" to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company and be assured they will be heard.