Hunton Andrews Kurth and numerous media sources (see, e.g., the Washington Post, the WSJ, The New York Times) reported on Uber's $148 million settlement with the 50 states and Washington, DC for its failure to disclose a 2016 data breach and related cover-up efforts. The breach was ultimately disclosed in November 2017. In general, the settlement terms reportedly include changes to Uber's business practices to mitigate the potential for future breaches, "reforming its corporate culture," reporting data security incidents to the states on a quarterly basis for the next two years, and implementing a comprehensive IS program with executive officer oversight.
More specifically, Hunton Andrews Kurth identifies these settlement-imposed undertakings:
- Compliance with applicable breach notification & consumer protection laws regarding protecting personal information
- Implementation of measures to protect user data stored on third-party platforms
- Implementation of stricter internal password policies for employee access to Uber's network
- Development and implementation of an overall data security policy to address the collection & protection of personal information, including assessing potential data security risks
- Implementation of additional data security measures with respect to personal information stored on Uber's network
- Implementation of a corporate integrity program to ensure appropriate reporting channels for internal ethics concerns or complaints
- Engagement of a third-party expert to conduct regular assessments of Uber's data security efforts and make recommendations for improvement, as appropriate
In his post last week on Uber's website, CLO Tony West commented:
Our current management team's decision to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability. An important component of living up to those principles means taking responsibility for past mistakes, learning from them, and moving forward.
See also our prior reports on the Home Depot and Target data breach settlements; and numerous additional practical resources on our Cybersecurity topical page. This post first appeared in this week's Society Alert!