DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy


“Do What You Say and Say What You Do” — The FTC’s Settlement with Uber

  • Settlement reaffirms the importance for companies to deliver on the privacy and security promises made to consumers
  • Settlement is yet another reminder of one of the most important components of good data security – controlling access to sensitive information.

The Federal Trade Commission (“FTC”) announced, subject to final approval after a 30-day comment period, a consent order with Uber Technologies (“Uber”) settling allegations that Uber misrepresented the extent to which it monitored its employees’ access to personal information about users and drivers and the extent to which it took reasonable steps to secure such information. The consent agreement does not contain monetary penalties, but it does prohibit Uber from misrepresenting its privacy and security practices and requires Uber to establish a comprehensive privacy program that includes an independent third-party audit every two years for the next 20 years. The complaint also highlights practices that, in the FTC’s view, failed to provide reasonable security for data stored with a third-party cloud storage service, Amazon Web Services (“AWS”).

The FTC’s complaint generally describes the personal information Uber collects from drivers as including not only their name and address, but also Social Security number, driver’s license information, bank account information (including domestic routing and bank account numbers), vehicle registration information and insurance information. From riders, Uber collects, among other things, names, email addresses, detailed trip records and geolocation information. The real-time geolocation data is used to connect driver to rider through their mobile devices. According to the complaint, Uber collects such information from the driver’s mobile device and associates the trip information with the rider.

The FTC’s action centers on conduct that occurred in late 2014, when Uber was the subject of a number of news reports involving allegations of improper access to and use of consumer personal information. In an effort to respond to consumer concerns, Uber issued a public statement, also posted on its website, that described its “strict policy prohibiting all employees at every level from accessing a rider or driver’s data.” Uber also publicly stated that access to driver and rider data was closely monitored and audited by data security specialists. In addition, customer service representatives offered assurances with respect to Uber’s security practices in response to consumer inquiries.

The complaint alleges that until September 2014 Uber failed to implement reasonable access controls to safeguard personal information, failed to implement reasonable security training and guidance, failed to have a written information security program, and stored sensitive information in plain text.  According to the complaint, it was only after September 2014, when Uber became aware of a data breach that had occurred in May 2014, that Uber took steps to prevent additional unauthorized access.

The complaint further highlights how Uber failed to provide reasonable security to prevent unauthorized access to the personal information of its riders and drivers stored on AWS servers. Specifically, the complaint states that Uber did not (i) restrict access to its cloud storage service by using distinct access keys (rather than a single shared key), so that programs and engineers alike had full administrative rights to the data, (ii) restrict access to systems based on its employees’ job functions, and (iii) implement multi-factor authentication.
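To make the three access-control points concrete, the following is an added example written for this page; it is not code from the post, from the FTC or from Uber. It lints two constructed IAM policy documents: one granting the blanket administrative rights over the data store that the complaint describes, and one scoped to a single job function and conditioned on multi-factor authentication. The bucket name `example-rider-data`, the `trip-records/` prefix and the policy contents are hypothetical.

```python
"""Audit AWS IAM policy documents for two of the weaknesses the FTC complaint
describes: blanket administrative rights on the data store and no
multi-factor authentication requirement.

Added illustration for this page; not Uber, FTC or Faegre Drinker material.
The two policies and the bucket name below are constructed for the example.
"""
import json
from typing import Any

# Constructed example: one broad policy shared by every engineer and program.
# It grants every S3 action on every resource and nothing requires MFA.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
    ],
})

# Constructed example: a per-job-function policy. A support engineer may only
# read the trip-records prefix of one hypothetical bucket, and only from a
# session that authenticated with MFA.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-rider-data",
                "arn:aws:s3:::example-rider-data/trip-records/*",
            ],
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ],
})


def _as_list(value: Any) -> list:
    """IAM accepts a string or a list in Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard(action: str) -> bool:
    # "*" grants every action; "s3:*" grants every action of that service.
    return action == "*" or action.endswith(":*")


def _requires_mfa(statement: dict) -> bool:
    # The MFA condition key is only set on temporary credentials obtained with
    # MFA, so a Bool condition on it also blocks long-lived shared access keys.
    bool_cond = statement.get("Condition", {}).get("Bool", {})
    return str(bool_cond.get("aws:MultiFactorAuthPresent", "")).lower() == "true"


def audit_policy(policy_json: str) -> list[str]:
    """Return findings, in order, for each Allow statement in a policy document."""
    policy = json.loads(policy_json)
    findings: list[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_action = any(_is_wildcard(a) for a in actions)
        all_resources = "*" in resources
        if wildcard_action and all_resources:
            findings.append(
                f"statement {idx}: full administrative rights (wildcard action on all resources)"
            )
        elif wildcard_action:
            findings.append(
                f"statement {idx}: wildcard action; scope to the operations the job function needs"
            )
        elif all_resources:
            findings.append(
                f"statement {idx}: applies to every resource; scope to the data the job function needs"
            )
        if not _requires_mfa(stmt):
            findings.append(f"statement {idx}: no aws:MultiFactorAuthPresent condition")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(doc) or ["no findings"])
```

The linter covers points (ii) and (iii); it cannot tell whether distinct keys were issued per principal (point (i)), which is a question about the account’s users and credentials rather than about any one policy. The `aws:MultiFactorAuthPresent` condition helps there as well: it is only present on temporary credentials, so a policy that requires it cannot be exercised with a long-lived access key at all.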

The FTC’s proposed decision and order prohibits Uber from misrepresenting how it monitors internal access to consumers’ personal information and how it protects and secures that data. In addition, Uber is required to implement a comprehensive privacy program that addresses privacy risks related to new and existing products and services and protects the privacy and confidentiality of the personal information collected. Consistent with other FTC privacy and data security orders, Uber is required to obtain an independent third-party audit every two years for the next 20 years, certifying that it has a privacy program in place that meets or exceeds the requirements of the order.

The FTC’s settlement with Uber reaffirms the importance for companies to deliver on the privacy and security promises made to consumers.  The settlement is also yet another reminder of one of the most important components of good data security — controlling access to sensitive information.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.


August 16, 2017
Written by: Discerning Data Editorial Board
Category: Cybersecurity
Tags: data security, FTC


©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.
