The FTC had alleged that the company "failed to live up to its claims that it closely monitored employee access to consumer and driver data and that it deployed reasonable measures to secure personal information it stored on a third-party cloud provider’s servers."
“Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data,” said FTC Acting Chairman Maureen Ohlhausen in announcing the settlement. “This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”
Ohlhausen said the action shows the agency's continued commitment to privacy and security. She said the FTC investigation was prompted by 2014 news reports on access to Uber data, after which Uber assured users that their information was secure, which the FTC's investigation showed was not the case.
She said there were three takeaways from the settlement:
1. Companies must honor their promises on how they will protect information. "Companies will be held accountable for their promises," she said.
2. The FTC is particularly concerned about sensitive information, like geolocation information.
3. Data must be secured at every point in the "life cycle," regardless of whether it is on a company server or in the cloud.
The FTC did not levy any fine. Ohlhausen explained that the agency typically can only obtain money in an initial action for consumer redress, when it can point to financial harm, such as fraud, which was not the case here. But she added that if there was a violation of the order, the FTC could seek civil penalties.
The FTC also alleged that "despite Uber’s claim that data was 'securely stored within our databases,' Uber’s security practices failed to provide reasonable security to prevent unauthorized access to consumers’ personal information in databases Uber stored with a third-party cloud provider."
The result was a May 2014 data breach in which information about more than 100,000 drivers, stored in a database operated by Amazon, was accessed.
According to the settlement, Uber is:
- "prohibited from misrepresenting how it monitors internal access to consumers’ personal information;
- "prohibited from misrepresenting how it protects and secures that data;
- "required to implement a comprehensive privacy program that addresses privacy risks related to new and existing products and services and protects the privacy and confidentiality of personal information collected by the company; and
- "required to obtain within 180 days, and every two years after that for the next 20 years, independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order."
The vote to settle was 2-0—the FTC is down to two members, Republican chair Ohlhausen and Democrat Terrell McSweeny. Unlike the FCC, the FTC can take action with only two commissioners, though obviously it must be bipartisan.
(Photo via Jeff Kubina's Flickr. Image taken on June 20, 2017 and used per Creative Commons 2.0 license. The photo was cropped to fit 16x9 aspect ratio.)