On August 15, 2017, the FTC announced that it had reached a settlement with Uber, Inc., over allegations that the ride-sharing company had made deceptive data privacy and security representations to its consumers. Under the terms of the settlement, Uber has agreed to implement a comprehensive privacy program and undergo regular, independent privacy audits for the next 20 years.
The FTC’s complaint alleged that Uber made false or misleading representations that the company (1) appropriately controlled employee access to consumers’ personal information and (2) provided reasonable security for consumers’ personal information.
Employee Access to Consumers’ Personal Information
The complaint cited news reports from November 2014 that accused Uber employees of improperly accessing and using consumer personal information, including the use of an internal tracking tool called “God View,” which allowed employees to access the geolocation of individual Uber riders in real time. In its response to these allegations, Uber represented that the company had a “strict policy prohibiting all employees at every level from accessing a rider or driver’s data” except for a “limited set of legitimate business purposes.” Uber also stated that employee access to riders’ personal information was “closely monitored and audited by data security specialists on an ongoing basis.” The FTC alleged that (1) these statements were false or misleading, (2) Uber failed to implement a system that effectively and continuously monitored employee access, and (3) Uber did not respond in a timely fashion when alerted of the potential misuse of consumer personal information.
Data Security Representations
The complaint further alleged that Uber made the following false or misleading representations about the security of riders’ personal information:
- Uber customer service representatives assured riders that the company:
  - used “the most up to date technology and services” to protect personal information;
  - was “extra vigilant in protecting all private and personal information”; and
  - kept personal information “secure and encrypted to the highest security standards available.”
The FTC alleged that, in reality, Uber engaged in practices that failed to provide reasonable security to prevent unauthorized access to Uber riders’ and drivers’ personal information by, among other things:
- failing to implement appropriate administrative access controls and multi-factor authentication on the company’s third-party databases that stored personal information;
- failing to implement reasonable security training and guidance for employees;
- failing to have a written information security program in place; and
- storing sensitive personal information in a third-party storage database in clear, readable text, rather than encrypting the information.
The FTC alleged that these failures resulted in a May 2014 data breach of consumers’ personal information stored in a third-party database. The complaint alleged that the breach was caused by an intruder who used an access key that an Uber engineer had publicly posted to GitHub, a code-sharing website used by software developers.
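The breach described above began with an access key committed to a public repository, which is exactly the class of mistake an automated pre-commit or CI secret scan is meant to catch. The following is an added illustration, not code from the FTC complaint or from Uber: a small scanner that flags credential-like values in text before it is pushed, using two checks, a known key-ID format (AWS access key IDs begin with the documented prefix AKIA) and a generic "keyword = long value" match filtered by Shannon entropy so that placeholders such as changeme are not reported. The sample file content, the 3.5-bit entropy threshold and the pattern set are all constructed assumptions for the example.

```python
import math
import re

# Patterns for credential-like values. The AKIA prefix is AWS's documented
# access key ID format; the second pattern is a generic catch for a secret-ish
# variable name assigned a long token. Both are assumptions for this example,
# not a complete ruleset.
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assigned_secret": re.compile(
        r"(?i)(secret|token|api[_-]?key|password|access[_-]?key)[a-z_]*"
        r"\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{20,})"
    ),
}

# Minimum entropy (bits per character) for a generic match to count as a real
# secret rather than a placeholder. 3.5 is an assumed, tunable threshold.
MIN_ENTROPY = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s; high values suggest random keys."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, min_entropy: float = MIN_ENTROPY) -> list:
    """Return one finding per (line, token) that looks like a leaked credential."""
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in KEY_PATTERNS.items():
            for m in pattern.finditer(line):
                token = m.group(m.lastindex or 0)
                if (lineno, token) in seen:
                    continue  # already reported by a more specific pattern
                entropy = shannon_entropy(token)
                if kind == "generic_assigned_secret" and entropy < min_entropy:
                    continue  # low-entropy value, e.g. a placeholder
                seen.add((lineno, token))
                findings.append({
                    "line": lineno,
                    "kind": kind,
                    "token": token,
                    "entropy": round(entropy, 2),
                })
    return findings


def commit_is_clean(text: str) -> bool:
    """Gate for a pre-commit hook or CI step: True when nothing was flagged."""
    return not scan_text(text)


# Constructed sample of a config file a developer might stage by mistake.
# The key values are AWS's published documentation examples, not live keys.
SAMPLE_FILE = """\
# config.py (constructed sample, not real credentials)
DB_HOST = "db.example.internal"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
password = "changeme_changeme_changeme"
API_KEY = os.environ["API_KEY"]
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE):
        print(f"line {f['line']}: {f['kind']} (entropy {f['entropy']})")
    print("clean" if commit_is_clean(SAMPLE_FILE) else "BLOCKED: secrets found")
```

Run against the sample, the scanner reports the key ID on line 3 and the secret key on line 4, ignores the low-entropy placeholder on line 5, and passes the line that reads the key from the environment, which is the pattern the leaked-key incident argues for. Wired into a pre-commit hook or a CI job, `commit_is_clean` failing closed is the control that would have stopped the key from reaching a public repository in the first place; rotating any key that does get flagged is still required, since the scan only tells you it was about to be exposed.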
Under the terms of the settlement agreement, Uber is:
- prohibited from misrepresenting how it monitors internal access to consumers’ personal information;
- prohibited from misrepresenting how it protects and secures that data;
- required to implement a comprehensive privacy program that addresses privacy risks related to new and existing products and services, and protects the privacy and confidentiality of personal information collected by the company; and
- required to obtain within 180 days of the settlement, and every two years after that for the next 20 years, independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order.
Uber’s settlement agreement underscores the importance of having accurate data privacy and security representations that are consistently followed by all company employees.