Uber settles Federal Trade Commission complaint that it engaged in deceptive claims about privacy and data security protections

August 17, 2017 |

The Federal Trade Commission (“FTC”) has entered into a agreement with Uber Technologies (“Uber”) arising from the FTC’s formal complaint that Uber had failed to fulfill its claims that it monitored employee access to consumer and driver data.

As the media release and the complaint makes clear Uber did what many organisations with a poor privacy and data security culture did, put in place cosmetic protections in the face of complaint about privacy intrusive behaviour.  As often is the case with reluctant compliance the systems put in place to monitor employees’ access to consumer and driver data were discontinued after a year.  Uber also made a common mistake of storing personal information with a third party provider whose systems were inadequate and was subsequently hacked.  As a result there was a data breach involving 100,000 names being accessed.

As a result of these breaches the FTC took action and Uber has paid a very heavy price for its poor compliance practices.  It has entered into an agreement to enter into a privacy program which will be assessed every 2 years for a total of 20 years.

Even with its limited remit in the privacy and data protection area the FTC is proving to be a very active and effective regulator.  Much more effective than in other common law countries with the possible exception of the Information Commissioner’s Office in the United Kingdom.  It is also unsparing in requiring malefactors to enter into stringent undertakings and agreements.

The media release provides:

Uber Technologies, Inc. has agreed to implement a comprehensive privacy program and obtain regular, independent audits to settle Federal Trade Commission charges that the ride-sharing company deceived consumers by failing to monitor employee access to consumer personal information and by failing to reasonably secure sensitive consumer data stored in the cloud.

In its complaint, the FTC alleged that the San Francisco-based firm failed to live up to its claims that it closely monitored employee access to consumer and driver data and that it deployed reasonable measures to secure personal information it stored on a third-party cloud provider’s servers.

“Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data,” said FTC Acting Chairman Maureen K. Ohlhausen. “This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”

In the wake of news reports alleging Uber employees were improperly accessing consumer data, the company issued a statement in November 2014 that it had a “strict policy prohibiting” employees from accessing rider and driver data – except for a limited set of legitimate business purposes – and that employee access would be closely monitored on an ongoing basis.

In December 2014, Uber developed an automated system for monitoring employee access to consumer personal information, but the company stopped using it less than a year after it was put in place. The FTC’s complaint alleges that Uber, for more than nine months afterwards, rarely monitored internal access to personal information about users and drivers.

The FTC’s complaint also alleges that despite Uber’s claim that data was “securely stored within our databases,” Uber’s security practices failed to provide reasonable security to prevent unauthorized access to consumers’ personal information in databases Uber stored with a third-party cloud provider. As a result, an intruder accessed personal information about Uber drivers in May 2014, including more than 100,000 names and driver’s license numbers that Uber stored in a datastore operated by Amazon Web Services.

The FTC alleges that Uber did not take reasonable, low-cost measures that could have helped the company prevent the breach. For example, Uber did not require engineers and programmers to use distinct access keys to access personal information stored in the cloud. Instead, Uber allowed them to use a single key that gave them full administrative access to all the data, and did not require multi-factor authentication for accessing the data. In addition, Uber stored sensitive consumer information, including geolocation information, in plain readable text in database back-ups stored in the cloud. 

Under its agreement with the Commission, Uber is:

  • prohibited from misrepresenting how it monitors internal access to consumers’ personal information;
  • prohibited from misrepresenting how it protects and secures that data;
  • required to implement a comprehensive privacy program that addresses privacy risks related to new and existing products and services and protects the privacy and confidentiality of personal information collected by the company; and
  • required to obtain within 180 days, and every two years after that for the next 20 years, independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order.

The Commission vote to issue the administrative complaint and to accept the consent agreement was 2-0. The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through September 15, 2017, after which the Commission will decide whether to make the proposed consent order final.

Under the Agreement Uber must:

..establish and implement, and thereafter maintain, a comprehensive privacy program that is reasonably designed to (1) address privacy risks related to the development and management
of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of Personal Information
That program must be in place for 20 years and reviewed after 180 days and then every two years with each assessment being required to:
  1. set forth the specific privacy controls that Respondent has implemented and maintained during the reporting period;
  2. explain how such privacy controls are appropriate to Respondent’s size and complexity, the nature and scope of Respondent’s activities, and the sensitivity of the Personal Information;
  3. explain how the privacy controls that have been implemented meet or exceed the protections required by the Provision of this Order titled Mandated Privacy Program;and
  4. certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of Personal Information and that the controls have so operated throughout the reporting period.

Unfortunately the Australian Privacy Commissioner does not follow this rigorous approach to breaches and non compliance and impose rigorous conditions to enforceable undertakings.  The comparison is stark.  It may be that a 10 or 20 year compliance period is foreign to the Australian experience but the real focus needs to effect real change.

As always with these settlements there has been significant coverage with Uber agrees to 20 years of privacy audits following FTC charges, Uber Must Submit to Regular Audits After in Wake of Customer Privacy and Data Charges and Uber settles U.S. allegations over data privacy.

 

One Response to “Uber settles Federal Trade Commission complaint that it engaged in deceptive claims about privacy and data security protections”

  1. Uber settles Federal Trade Commission complaint that it engaged in deceptive claims about privacy and data security protections | Australian Law Blogs

    […] Uber settles Federal Trade Commission complaint that it engaged in deceptive claims about privacy an… […]

Leave a Reply