eWhite House Watch - Full Article

Uber Settles with FTC Over Claims of Misrepresentation of Privacy and Data Security Practices

By: Connor Breza

August 15th, 2017

 

Concluding its investigation, the FTC reached an agreement with Uber Technologies, Inc., settling charges that Uber, the popular ride share app, “deceived consumers by failing to monitor employee access to consumer personal information and by failing to reasonably secure sensitive consumer data stored in the cloud.” According to the FTC’s press release, as stipulated by the terms of the settlement, “Uber has agreed to implement a comprehensive privacy program and obtain regular, independent audits.”

The Complaint alleged that Uber made false or misleading statements “that internal access to consumers’ personal information is closely monitored and audited by data security specialists on an ongoing basis” and that “it would provide reasonable security for customers’ personal information stored in databases.” The complaint further alleges that “The acts and practices of [Uber] as alleged in this complaint constitute unfair or deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a).”

 

According to FTC Acting Chairman Maureen K. Ohlhausen, ¨Uber failed its consumers in two key ways: “First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data.” The Acting Chairman elaborated, stating that, “[t]his case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”

 

The charges against Uber stem from representations it made in November of 2014, following public allegations of “improper access of consumer personal information and, including geolocation data,” assuring that the company had a policy of “prohibiting all employees at every level from accessing a rider or driver’s data.” Uber’s November 18th, 2014 press release further assured consumers that “access to rider and driver accounts is being closely monitored and audited by data security specialists on an ongoing basis.” The complaint indicates that by August of 2015, the steps Uber claimed to have initiated to correct these problems were not being continued appropriately.

 

The FTC complaint further alleges that Uber failed to reasonably secure data stored within its databases and as a result, there was a data breach in May of 2014 in which “an intruder accessed personal information about Uber drivers… including more than 100,000 names and driver’s license numbers that Uber stored in a datastore operated by Amazon Web Services.” The FTC alleges that “Uber did not take reasonable, low cost measures that could have helped the company prevent the breach.” The FTC provided the example that “Uber did not require engineers and programmers to use distinct access keys to access personal information stored in the cloud” allowing them to “use a single key that gave them full administrative access to all the data, and did not require multi-factor authentication for accessing the data.” Additionally, the FTC explained that the company stored sensitive consumer information “in plain readable text in database back-ups stored in the cloud.”

 

The terms of Uber’s agreement with the FTC stipulate that Uber is: 1. Prohibited from misrepresenting how it monitors internal access to consumers’ personal information; 2. Prohibited from misrepresenting how it protects and secures that data; 3. Required to implement a comprehensive privacy program that addresses privacy risks related to new and existing products and services and protects the privacy and confidentiality of personal information collected by the company; and 4. Required to obtain within 180 days, and every two years after that for the next 20 years, independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order.

 

The FTC will decide whether to make the proposed order final after 30 days, during which period the related documents will be on public record and available for public comment.

Leave a Reply