California stands to receive more than three times as much money as any other state from a $148 million settlement with Uber announced Wednesday, stemming from a cover-up of a massive data breach. But drivers who had their private data held ransom in most states won’t see a dime, a review by Inverse of attorneys general documents in 50 states and Washington, D.C., shows.

California Attorney General Xavier Becerra announced at a press conference on Wednesday afternoon that his state would receive more than $26 million in the settlement, with the payoff being split between the San Francisco District Attorney’s Office and the California Department of Justice. In California, 174,000 Uber drivers had their names and driver’s license numbers exposed by hackers, but they won’t see the windfall.

What California and other states have chosen not to do, is find a way to pay the Uber drivers who saw their private data hacked (a leak of driver’s license numbers meets a legal threshold to report the data breach to authorities, and Uber didn’t do that.) Uber’s cover-up was exposed a year later during an unrelated case.

In the case of California and other states, state law requires settlements like this one to go back to the state, not the drivers affected.

“Under California law, civil penalties must be used to fund the enforcement of consumer protection laws,” a representative for the California Attorney General tells Inverse. “Our judgment does not release any individual claims by Uber drivers, and those drivers retain their right to seek relief through the pending class action or other lawsuits.”

Which States Made the Most from $148 Million Uber Settlement?

Here are the states that made out with the most money from the settlement. Of the $148 million, Inverse has accounted for $134 million thus far:

Here is every state that received at least $1 million from the $148 million Uber settlement.
Here is every state that received at least $1 million from the $148 million Uber settlement.

According to statements on attorneys general websites, 17 states plan to find drivers who had their data held ransom by hackers, and pay them $100 each. The other 33 states either have said they won’t pay drivers or didn’t address it in the announcement and haven’t replied to inquiries from Inverse as to why.

In other states like Texas and Ohio, drivers will share in the spoils. Ohio Attorney General Mike DeWine’s office announced $1.2 million of its $5,585,868 share of the settlement would go toward Uber drivers. In Pennsylvania, some 13,500 drivers were affected by the data breach and that state’s attorney general announced that $1.35 million has been set aside for them.

“We came to the conclusion, as many other attorneys general did, that affected Uber drivers in our state should receive payment because not only was their personal information compromised but Uber also waited so long to report it, failing to give them an opportunity to protect themselves earlier,” Kate Hanson, a representative for the the Ohio Attorney General, tells Inverse.

Specifics vary state to state — a growing record of each state’s plan is here — but the attorneys general who agreed to pay drivers also agreed on the $100 amount per driver.

The peculiarities from state to state are as different as the states themselves. For example, the South Carolina Attorney General’s announcement didn’t include how much money the state would receive, or if the drivers would receive $100 payments. Some states were specific down to the cent (Iowa, Mississippi, South Dakota) and specified where the money was headed, while other states (Illinois, California) rounded up and kept details to a minimum.

In What States Will Uber Drivers Get $100?

So, where can Uber drivers expect to see a small payment? These states announced affected drivers would be eligible for $100 pay-outs on Wednesday: Alaska, Arizona, Delaware, Indiana, Louisiana, Maryland, Michigan, Mississippi, Missouri, Nebraska, Nevada, North Carolina, Ohio, Oklahoma, Pennsylvania, Texas, and Vermont.

Which states are sharing the spoils with Uber drivers?
Data current as of 10:14 a.m. Eastern Thursday, September 27, 2018.

Earmarked Money

Meanwhile, officials in Arkansas and New Mexico — like in California — tell Inverse that they cannot reimburse Uber drivers who had their data hacked. In both those states, there are laws that dictate where money in settlements like this should be placed — and it’s not in the pockets of the affected people.

“By law, these funds go into the consumer settlement fund to further the law enforcement and consumer protection efforts of the New Mexico Office of the Attorney General,” David Carl, press secretary for that state’s attorney general, tells Inverse.

The full list of states that won’t be paying Uber drivers or haven’t announced what they plan to do yet include: Alabama, Arkansas, California, Colorado, Connecticut, Florida, Georgia, Hawaii, Idaho, Illinois, Iowa, Kansas, Kentucky, Maine, Massachusetts, Minnesota, Montana, New Hampshire, New Jersey, New Mexico, New York, North Dakota, Oregon, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Virginia, Washington, West Virginia, Wisconsin, and Wyoming. Also included: Washington, D.C.

The Latest Settlement for Uber

The settlement might be seen as consolation for a Federal Trade Commission ruling this April that saw Uber escape without any fines for covering up the fact it paid hackers to delete the data. The FTC instead “somehow opted to just kinda warn Uber not to pull these shenanigans again,” observed the tech blog Gizmodo at the time.

While most of the drivers who saw their private data hacked weren’t covered by their state attorneys general in the data breach case, many have been paid before over Uber’s sloppy practice. In July, the FTC announced it would disperse more than $19 million to drivers. That case involved Uber exaggerating to drivers the amount of money they could make while driving.

New Rules for Uber

As a result of the data breach settlement, Uber must comply with these new rules in each of the 50 states and Washington, D.C.:

  • Comply with the region’s data breach and consumer protection law regarding protecting residents’ personal information and notifying them in the event of a data breach concerning their personal information;
  • Take precautions to protect any user data Uber stores on third-party platforms outside of Uber;
  • Use strong password policies for its employees to gain access to the Uber network;
  • Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;
  • Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations; and
  • Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that it will be heard.

Contact the author: nick@inverse.com.