Alabama to get share of $148M Uber settlement over massive data breach


Alabama will get about $2 million of the $148 million Uber is paying to settle a data breach that the ridesharing company attempted to keep hidden, officials said.

Attorney General Steve Marshall on Friday announced Alabama participated in a nationwide settlement with Uber that compels the company to comply with data breach notification laws and to make substantial improvements to its data security measures.

All 50 states and the District of Columbia joined the settlement with the California-based ride-sharing company, Uber Technologies Inc., to resolve issues arising from a 2016 data breach involving personal information of Uber drivers that the company failed to report for one year.

Because Alabama did not have a data breach notification law in effect at the time of the violations, the State’s participation in this case was based upon the fact that Uber’s conduct violated Alabama’s Deceptive Trade Practices Act.

“This situation underscores how important Alabama’s new data breach notification law is for our consumers,” said Marshall. “People have the right to know if their personal information is stolen or compromised in a data breach so that they may exercise vigilance and take any actions possible to protect themselves. Until this year, Alabama was one of only two states without a data breach notification law, and I am pleased we were successful in passing legislation to correct that omission.”

Uber learned in November 2016 that hackers had gained access to some personal information that Uber maintains about its drivers, including driver’s license information pertaining to approximately 600,000 drivers nationwide. Uber tracked down the hackers and obtained assurances that the hackers deleted the information. Even though some of that information, namely the driver’s license numbers for Uber drivers, triggered many state laws requiring them to notify those affected, Uber failed to report the breach in a timely manner, waiting until November 2017 to report it.

In addition to the financial payment to the states, the settlement requires Uber to strengthen its corporate governance and data security practices to help prevent a similar occurrence in the future. The settlement, the nation’s largest data breach settlement to date, requires Uber to:

Comply with all state data breach and consumer protection laws regarding the protection of consumers’ personal information and notifying them in the event of a data breach concerning that information;

Take precautions to protect any user data Uber stores on third-party platforms outside of Uber;

Use strong password policies for its employees to gain access to the Uber network;

Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;

Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements, which Uber will then implement; and

Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that it will be heard.

State House passes data breach protections for consumers


Before Thursday, Alabama was one of only two states in the nation that did not require a data breach notification. SB318, or the Data Breach Notification Act, passed through the Alabama House with a unanimous 101-0 vote Thursday evening. The bill requires all companies doing business in the state to notify their customers if their personal information has been compromised.

“Virtually all of our vital personal information – including Social Security numbers, military IDs, drivers’ licenses, bank account numbers, and medical data – is now online,” said the bill’s sponsor, Decatur-Republican state Sen. Arthur Orr. “With this bill, consumers will know if their information has been compromised and what steps a company is taking to recover and protect consumers’ data.”

“Tonight, the Alabama House took action to arm Alabama consumers in the event that their personal information is compromised in a data breach,” added state Attorney General Steve Marshall. “Passage of the Alabama Data Breach Notification Act has been a high priority for my office. It is all the more important now, as yesterday the only other state in the country without such a consumer-protection law – South Dakota – enacted a data breach notification law, leaving Alabama alone.”

Marshall congratulated Orr and Huntsville-Republican state Rep. Phil Williams, who advanced the bill through the House. “I appreciate the hard work of Williams and Orr in moving the data breach notification bill a step closer toward final passage,” said Marshall.

The Alabama Senate passed SB318 by a vote of 24 to 0 earlier in March. The bill now returns to the Senate for a vote on whether to concur with the House changes.