By SecureWorld News Team
Wed | Sep 26, 2018 | 12:23 PM PDT

All the headlines are screaming about the $148 million Uber will pay, in total, to all 50 U.S. states and the District of Columbia. 

However, what our SecureWorld team finds most interesting are the security requirements Uber agreed to in the settlement.

Some of the items have us wondering: Wait, aren't they doing this already?

And others have us wondering: Did Uber really agree to that? 

You can decide which is which as you read through the list.

All of this is part of the national settlement with state attorneys general over the 2016 Uber hack, in which personally identifiable information on 25 million U.S. customers and drivers was taken. Uber paid $100,000 to hackers upon their promise to delete the data and never tell the world about the hack.

Uber finally reported that breach one year later, after new leadership discovered the hack during an intellectual property theft investigation.

Uber statement on breach settlement

Before we get to the Uber security requirements in the breach settlement, we want to let you know about a blog post by Uber Chief Legal Officer Tony West. Can you imagine walking a mile in his shoes?

"My first day at Uber was not typical. Rather than settling into my new workspace and walking the floor to meet my new colleagues, I spent the day calling various state and federal regulators to discuss the 2016 data incident the company had just disclosed.

Our current management team’s decision to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability."

His Uber post is titled "Turning the Page on the 2016 Data Breach," and in turning the page, Uber agreed to the following items.

8 cybersecurity elements in the Uber breach settlement

  1. "Use strong password policies for its employees to gain access to the Uber network"
  2. "Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data"
  3. "Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations"
  4. "Take precautions to protect any user data Uber stores on third-party platforms outside of Uber"
  5. "Develop, implement, and maintain a comprehensive information security program with an executive officer who advises key executive staff and Uber’s Board of Directors"
  6. "Report any data security incidents to states on a quarterly basis for two years"
  7. "Accurately and honestly represent data security and privacy practices to better ensure transparency in how the company’s driver and customer information is safeguarded"
  8. "Comply with state laws in connection with its collection, maintenance, and safeguarding of personal information, as well as reporting of data security incidents"

State Attorney General statements on Uber settlement

Here are the official statements on the Uber breach settlement for various states. Happy reading. Many of the statements detail how much the state will get and how much Uber drivers affected by the breach will receive.

California Attorney General Statement on Uber Breach Agreement

New York Attorney General Statement on Uber Breach Agreement

Massachusetts Attorney General Statement on Uber Breach Agreement

Michigan Attorney General Statement on Uber Breach Agreement

Washington Attorney General Statement on Uber Breach Agreement
