BALTIMORE, MD – Uber drivers in Maryland will receive payments through a $4.447 million settlement in the wake of a data breach. Attorney General Brian E. Frosh announced the multistate settlement with the ride-sharing company to make up for the company’s one-year delay in reporting a data breach involving the personal information of its drivers.

According to a news release, Uber learned in November 2016 that hackers had gained access to personal information that the company maintains about its drivers, including the driver’s license information of an estimated 600,000 drivers nationwide. Uber tracked down the hackers, and the states allege that Uber negotiated a deal in which Uber paid the hackers to delete the information and to not to disclose that the breach had ever occurred. Uber did not report the breach until November 2017, despite Maryland law requiring prompt breach notification to be provided to both affected individuals and the Attorney General.

“When personal information gets into the wrong hands because of a data breach, the chances of becoming a victim of identity greatly increase,” said Frosh in a news release. “A one year delay in reporting a data breach makes the danger even greater for the victims.”

As part of the nationwide settlement, Uber has agreed to pay $148 million to the states, making it the largest multistate data breach settlement to date. Maryland will receive nearly $5 million. In addition, Uber has agreed to strengthen its corporate governance and data security practices to help prevent a similar occurrence in the future.

Maryland’s share of the settlement will be used to provide each eligible Maryland Uber driver with a $100 payment. Eligible drivers are those whose driver’s license numbers were accessed during the 2016 breach.

The settlement terms require Uber to:

  • Comply with the state’s Consumer Protection Act and Personal Information Protection Act regarding protecting Maryland residents’ personal information and notifying them in the event of a data breach concerning their personal information;
  • Take precautions to protect any user data Uber stores on third-party platforms outside of Uber;
  • Use strong password policies for its employees to gain access to the Uber network;
  • Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;
  • Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations; and
  • Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that it will be heard.

Information on how to protect your identity, or what to do in the event of a data breach can be found in the Maryland Office of Attorney General’s Identity Theft Guide. Consumers who believe they may be a victim of identity theft should contact the Attorney General’s Identity Theft Unit by calling (410) 576-6491 or by sending an email to idtheft@oag.state.md.us.