LAWRENCE G. WASDEN STATE of IDAHO, Through ATTORNEY
LAWRENCE G. WASDEN
Idaho Attorney General

BRETT T. DELANGE, ISB #3628
Consumer Protection Division Chief

JANE E. HOCHBERG, ISB #5465
Consumer Protection Division Lead Deputy
954 W. Jefferson, 2nd Floor - P. O. Box 83720
Boise, Idaho 83720-0010
(208) 334-2424 - (208) 334-4151 (Fax)
[email protected] [email protected]@ag.idaho.gov

Attorneys for Plaintiff State of Idaho

Filed: 10/15/2018 13:30:44
Fourth Judicial District, Ada County
Christopher Rich, Clerk of the Court
By: Deputy Clerk - Masters, Beth

IN THE DISTRICT COURT OF THE FOURTH JUDICIAL DISTRICT OF THE STATE OF IDAHO, IN AND FOR THE COUNTY OF ADA

STATE OF IDAHO, through ATTORNEY GENERAL LAWRENCE G. WASDEN, Plaintiff,
vs.
UBER TECHNOLOGIES, INC., Defendant.

CASE NO. CV01-18-18081

CONSENT JUDGMENT

Plaintiff, the State of Idaho, by Lawrence G. Wasden, Attorney General of the State of Idaho, has filed a Complaint for a permanent injunction and other relief in this matter pursuant to the Idaho Consumer Protection Act, Idaho Code §§ 48-601 et seq., and the Idaho Identity Theft Act, Idaho Code §§ 28-51-101 et seq., alleging Defendant, UBER TECHNOLOGIES, INC. ("UBER") committed violations of Idaho laws. Plaintiff and UBER have agreed to the Court's entry of this Consent Judgment without trial or adjudication of any issue of fact or law, and without admission of any facts alleged or liability of any kind.
Preamble

The Attorneys General of the states and commonwealths of Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii¹, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland², Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah³, Vermont, Virginia, Washington, West Virginia, Wisconsin, Wyoming, and the District of Columbia (collectively, the "Attorneys General," or the "States") conducted an investigation under their respective State Consumer Protection Acts and Personal Information Protection Acts⁴ regarding the data breach involving UBER that occurred in 2016 and that UBER announced in 2017.

Parties

1. The Attorney General is charged with enforcement of the Idaho Consumer Protection Act and the Identity Theft Act.

2. UBER is a Delaware corporation with its principal place of business at 1455 Market Street, San Francisco, California 94103.

1 Hawaii is represented by its Office of Consumer Protection. For simplicity purposes, the entire group will be referred to as the "Attorneys General," or individually as "Attorney General." Such designations, however, as they pertain to Hawaii, shall refer to the Executive Director of the State of Hawaii Office of Consumer Protection.
2 The use of the designations "Attorneys General" or "Attorney General," as they pertain to Maryland, shall refer to the Consumer Protection Division of the Office of the Maryland Attorney General.

3 Claims pursuant to the Utah Protection of Personal Information Act are brought under the direct enforcement authority of the Attorney General. Utah Code § 13-44-301(1). Claims pursuant to the Utah Consumer Sales Practices Act are brought by the Attorney General as counsel for the Utah Division of Consumer Protection, pursuant to the Division's enforcement authority. Utah Code §§ 13-2-1 and 6.

4 State law citations (UDAP and PIPAs) - See Appendix A.

3. As used herein, any reference to "UBER" or "Defendant" shall mean UBER TECHNOLOGIES, INC., including all of its officers, directors, affiliates, subsidiaries and divisions, predecessors, successors and assigns doing business in the United States. However, any affiliate or subsidiary created as a result of an acquisition by UBER after the Effective Date shall not be subject to any requirement of this Consent Judgment until ninety (90) days after the acquisition closes.

Findings

4. The Court has jurisdiction over the subject matter of the complaint filed herein and over the parties to this Consent Judgment.

5. At all times relevant to this matter, UBER engaged in trade and commerce affecting consumers in the States, including in Idaho, in that UBER is a technology company that provides a ride hailing mobile application that connects drivers with riders. Riders hail and pay drivers using the UBER platform.
Order

NOW THEREFORE, on the basis of these findings, and for the purpose of effecting this Consent Judgment, IT IS HEREBY ORDERED AS FOLLOWS:

I. DEFINITIONS

1. "Covered Conduct" shall mean UBER's conduct related to the data breach involving UBER that occurred in 2016 and that UBER announced in 2017.

2. "Data Security Incident" shall mean any unauthorized access to Personal Information owned, licensed, or maintained by UBER.

3. "Effective Date" shall be October 25, 2018.

4. "Encrypt," "Encrypted," or "Encryption" shall mean rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.

5. "Personal Information" shall have the definition as set forth in the Idaho Identity Theft Act, Idaho Code § 28-51-104(5).

6. "Riders and Drivers" or, as applicable, "Rider or Driver" shall mean any individual natural person who is a resident of Idaho who uses UBER's ride hailing mobile applications to request or receive transportation (i.e., riders) or to provide transportation individually or through partner transportation companies (i.e., drivers), other than in connection with Uber Freight or similar services offered by UBER to commercial enterprises.

7. "Security Executive" shall be an executive or officer with appropriate background and experience in information security who is designated by UBER as responsible for the Information Security Program. The title of such individual need not be Security Executive.

II. INJUNCTIVE RELIEF

8.
The injunctive terms contained in this Consent Judgment are being entered pursuant to the Idaho Consumer Protection Act, Idaho Code § 48-606(1)(b), and the Idaho Identity Theft Act, Idaho Code § 28-51-107. Uber shall implement and thereafter maintain the practices described below, including continuing those of the practices that it has already implemented.

9. UBER shall comply with the Idaho Consumer Protection Act and Idaho Identity Theft Act in connection with its collection, maintenance, and safeguarding of Personal Information.

10. UBER shall not misrepresent the extent to which UBER maintains and/or protects the privacy, security, confidentiality, or integrity of any Personal Information collected from or about Riders and Drivers.

11. UBER shall comply with the reporting and notification requirements of the Idaho Identity Theft Act.

12. Specific Data Security Safeguards. No later than ninety (90) days after the Effective Date and for a period of ten (10) years thereafter, UBER shall:

a. Prohibit the use of any cloud-based service or platform from a third party for developing or collaborating on code containing any plaintext credential if that credential provides access to a system, service, or location that contains Personal Information of a Rider or Driver unless:

i.
UBER has taken reasonable steps to evaluate the data security measures and access controls provided by the service or platform as implemented by UBER;

ii. UBER has determined that the data security measures