Uber Technologies, Inc. has agreed to implement a comprehensive privacy program and obtain regular audits to settle Federal Trade Commission allegations that it misled consumers by failing to monitor employee access to consumer personal information and by failing to reasonably secure sensitive consumer data stored in the cloud.
In its complaint, the FTC alleged that Uber falsely represented that it closely monitored employee access to consumer and driver data, and that it deployed reasonable measures to secure personal information that it stored on a third-party cloud provider’s servers.
According to FTC Acting Chairman Maureen K. Ohlhausen, “Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data.” “This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises,” Ohlhausen stated.
In an August 15, 2017 press release, the FTC stated that Uber issued a statement in November 2014 that it had a “strict policy prohibiting” employees from accessing rider and driver data – except for a limited set of legitimate business purposes – and that employee access would be closely monitored on an ongoing basis. As set forth in the press release, in December 2014 Uber developed an automated system for monitoring employee access to consumer personal information, but then stopped using it less than a year after it was put in place.
The FTC’s complaint alleges that Uber, for more than nine months afterwards, rarely monitored internal access to personal information about users and drivers. The complaint also alleges that despite Uber’s claim that data was “securely stored within our databases,” the company’s security practices failed to provide reasonable security to prevent unauthorized access to consumers’ personal information in databases Uber stored with a third-party cloud provider.
As a result, an intruder accessed personal information about Uber drivers in May 2014, including more than 100,000 names and driver’s license numbers that Uber stored in a datastore operated by Amazon Web Services.
The FTC alleges that Uber did not take reasonable measures that could have assisted the company to prevent the breach.
For example, according the FTC, Uber did not require engineers and programmers to use distinct access keys to access personal information stored in the cloud. The FTC alleges that, instead, Uber allowed them to use a single key that gave them full administrative access to all the data, and did not require multi-factor authentication for accessing the data. The FTC also alleges that Uber stored sensitive consumer information, including geolocation information, in plain readable text in database back-ups stored in the cloud.
Under its agreement with the FTC, Uber is:
- prohibited from misrepresenting how it monitors internal access to consumers’ personal information;
- prohibited from misrepresenting how it protects and secures that data;
- required to implement a comprehensive privacy program that addresses privacy risks related to new and existing products and services and protects the privacy and confidentiality of personal information collected by the company; and
- required to obtain within 180 days, and every two years after that for the next 20 years, independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order.
The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment through September 15, 2017, after which the Commission will decide whether to make the proposed consent order final.
The Federal Trade Commission continues to ramp up its privacy and data security enforcement efforts. Contact an advertising lawyer to discuss how your company can ensure that it is taking reasonable steps to protect and secure consumer data.
Richard B. Newman is an Internet marketing compliance and regulatory defense attorney at Hinch Newman LLP focusing on advertising and digital media matters. His practice includes conducting legal compliance reviews of advertising campaigns, representing clients in investigations and enforcement actions brought by the Federal Trade Commission and state Attorneys General, commercial litigation, advising clients on promotional marketing programs, and negotiating and drafting legal agreements.
ADVERTISING MATERIAL. These materials are provided for informational purposes only and are not to be considered legal advice, nor do they create a lawyer-client relationship. No person should act or rely on any information in this article without seeking the advice of an attorney. Information on previous case results does not guarantee a similar future result. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777.