New HampshireDepartment of JusticeOffice of the Attorney General

News Release

For Immediate Release
September 27, 2018

Contact:
Kate Spiner, Director of Communications
603-573-6103
kate.spiner@doj.nh.gov

New Hampshire Joins $148 million Settlement with Uber Over Data Breach

Concord, NH – Attorney General Gordon J. MacDonald announces that New Hampshire joins 49 States and the District of Columbia in a $148 million settlement agreement with California-based ride-sharing company Uber Technologies, Inc. (Uber) following the company's year-long delay in reporting a 2016 data breach to its affected drivers.

New Hampshire will receive $672,822.71 as part of the settlement for the 763 Uber drivers in the state whose personal information was compromised as part of the data breach.

In November 2016, Uber learned that hackers had gained access to driver files, which included the personal and driver's license information for approximately 600,000 drivers nationwide.

New Hampshire law requires that companies dealing with a breach of personal information must notify affected New Hampshire residents within a timely manner. Uber violated the law by failing to report these issues to New Hampshire Uber drivers until November of 2017.

Uber tracked down the hackers and obtained assurances that the hackers deleted the information.

As part of the agreement, Uber offered affected drivers free credit monitoring and identity theft protection and has also agreed to strengthen its corporate governance and data security practices to help prevent a similar occurrence in the future.

The settlement between the state of New Hampshire and Uber requires the company to:

  • Comply with New Hampshire's data breach and consumer protection laws regarding protecting New Hampshire residents' personal information and notifying them in the event of a data breach concerning their personal information;
  • Take precautions to protect any user data Uber stores on third-party platforms outside of Uber;
  • Use strong password policies for its employees to gain access to the Uber network;
  • Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;
  • Hire an outside qualified party to assess Uber's data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations; and
  • Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that it will be heard.

Associate Attorney General James T. Boffetti led efforts in this settlement.

New Hampshire Department of Justice
1 Granite Place South | Concord, NH | 03301
Telephone: 603-271-3658