• Settlement reaffirms the importance for companies to deliver on the privacy and security promises made to consumers
• Settlement is yet another reminder of one of the most important components of good data security – controlling access to sensitive information.

The Federal Trade Commission (“FTC”) announced, subject to final approval after a 30-day comment period, a consent order with Uber Technologies (“Uber”) settling allegations that Uber misrepresented the extent to which it monitored its employees’ access to personal information about users and drivers, and misrepresented that it took reasonable steps to secure such information. The consent agreement does not contain monetary penalties, but does prohibit Uber from misrepresenting its privacy and security practices and requires that Uber establish a comprehensive privacy program that includes an independent third-party audit every two years for the next 20 years. The FTC’s complaint highlights practices that the FTC finds fail to provide reasonable security when utilizing the services of a third-party cloud storage service, Amazon Web Services (“AWS”).

The FTC’s complaint generally describes the personal information Uber collects from drivers as including not only their name and address, but also Social Security number, driver’s license information, bank account information (including domestic routing and bank account numbers), vehicle registration information and insurance information. From riders, Uber collects, among other things, names, email addresses, detailed trip records and geolocation information. The real-time geolocation data is used to connect driver to rider through their mobile devices. According to the complaint, Uber collects such information from the driver’s mobile device and associates the trip information with the rider.

The FTC’s action centers on conduct that occurred in late 2014 when Uber was the subject of a number of news reports involving allegations of improper access and use of consumer personal information. In an effort to respond to consumer concerns, Uber issued a public statement that was also posted on its website and described its “strict policy prohibiting all employees at every level from accessing a rider or driver’s data.” Uber also publicly stated that access to driver and rider data was closely monitored and audited by data security specialists. In addition, customer service representatives offered assurances with respect to Uber’s security practices in response to consumer inquiries.

The complaint alleges that until September 2014 Uber failed to implement reasonable access controls to safeguard personal information, failed to implement reasonable security training and guidance, failed to have a written information security program, and stored sensitive information in plain text.  According to the complaint, it was only after September 2014, when Uber became aware of a data breach that had occurred in May 2014, that Uber took steps to prevent additional unauthorized access.

The complaint further highlights how Uber failed to provide reasonable security to prevent unauthorized access to the personal information of its riders and drivers stored on the AWS servers. Specifically, the complaint states that Uber did not (i) restrict access to its cloud storage service by using distinct access keys rather than a single access key, which allowed programs and engineers to have full administrative rights to the data, (ii) restrict access to systems based on its employees’ job functions, and (iii) implement multi-factor authentication.

The FTC’s proposed decision and order prohibits Uber from misrepresenting how it monitors internal access to consumers’ personal information and how it protects and secures the data. In addition, Uber is required to implement a comprehensive privacy program that addresses privacy risks related to new and existing products and services, and protects the privacy and confidentiality of the personal information collected. Consistent with other FTC privacy and data security orders, Uber is required to obtain an independent third-party audit every two years for the next 20 years, certifying that it has a privacy program in place that meets or exceeds the requirements of the order.

The FTC’s settlement with Uber reaffirms the importance for companies to deliver on the privacy and security promises made to consumers.  The settlement is also yet another reminder of one of the most important components of good data security — controlling access to sensitive information.