By Jody Coultas, J.D.
Uber Technologies, Inc. has agreed to expand the proposed settlement it reached with the FTC in August 2017 over charges that it deceived consumers about its privacy and data security practices, the FTC announced. The expansion follows Uber's failure to disclose an additional breach in 2016. Because of its misconduct related to the 2016 breach, Uber will be subject to additional requirements and to possible civil penalties if it fails to notify the FTC of certain future incidents involving unauthorized access to consumer information (In the Matter of Uber Technologies, Inc., FTC File No. 152 3054).
In its complaint, the FTC noted that various news reports in November 2014 suggested that (1) Uber had been improperly accessing personal information, including geolocation data, of its riders and drivers; (2) an Uber executive had advocated hiring opposition researchers to look into the personal lives of critics of Uber's business practices; and (3) Uber used an internal aerial tool to track the personal information of its riders and drivers. Following negative consumer reaction to these disclosures, Uber posted a policy statement on its website stating that it had a strict policy prohibiting employees at every level from accessing rider or driver data, and that rider and driver accounts would be closely monitored on an ongoing basis by data security specialists. Uber later also posted a security statement saying that personal and usage information was securely stored in its databases, protected by encryption, firewalls and other security protections.
Despite these assurances, the FTC complaint alleged, Uber violated the FTC Act by failing to closely monitor and audit its employees' access to rider and driver accounts, and by failing to respond in a timely manner to automated alerts concerning potential misuse of consumer personal information. In addition, the FTC alleged, Uber failed to provide reasonable security for its cloud-based data held by a third party, Amazon's S3 Datastore, and did not react for four months to a data breach that allowed intruders to access rider and driver names, driver's license numbers, bank account information and Social Security Numbers.
The proposed consent agreement (1) prohibited Uber from misrepresenting how it monitors internal access to consumers’ personal information; (2) prohibited Uber from misrepresenting how it protects and secures that data; (3) required Uber to implement a comprehensive privacy program that addresses privacy risks related to new and existing products and services and protects the privacy and confidentiality of personal information collected by the company; and (4) required Uber to obtain within 180 days, and every two years after that for the next 20 years, independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order.
After the announcement of the proposed settlement, the FTC learned that Uber had failed to disclose a data breach that occurred in 2016, during the FTC's investigation, and withdrew its acceptance of the 2017 agreement. A revised complaint alleges that Uber learned in November 2016 that intruders had again accessed consumer data the company stored on its third-party cloud provider's servers, this time by using an access key an Uber engineer had posted on a code-sharing website. The breach exposed more than 25 million names and email addresses, 22 million names and mobile phone numbers, and 600,000 names and driver's license numbers of U.S. Uber drivers and riders. Uber did not disclose the breach to the FTC or the public until November 2017.
The revised complaint alleges that Uber paid the hackers $100,000 through its third-party "bug bounty" program. That program was created to reward parties who responsibly disclose security vulnerabilities, not those who maliciously exploit vulnerabilities to access consumers' personal information.
Under the revised settlement, Uber must disclose certain future incidents involving consumer data and must submit all reports from the required third-party audits of its privacy program, rather than only the initial report. Uber must also retain certain records related to bug bounty reports concerning vulnerabilities that relate to potential or actual unauthorized access to consumer data.
Attorneys: Benjamin R. Rossen for the FTC. Rebecca S. Engrav (Perkins Coie LLP) for Uber Technologies, Inc.
Companies: Uber Technologies, Inc.