In a pair of settlements, ride-sharing company Uber agreed to pay a $20,000 fine for failing to report a data breach in a timely manner as required by New York law and promised to change its policies and procedures to better protect the privacy of riders.
New York Attorney General Eric T. Schneiderman was behind both actions. In 2014 he opened an investigation when it was revealed that employees could access the company's tracking system, dubbed "God View," which allowed real-time monitoring of information about affiliated vehicles, drivers, and passengers. In one instance, a reporter said an Uber executive met her when she stepped out of a vehicle with the comment, "There you are. I was tracking you."
The system was intended to help the operations team track supply and demand for rides, but the AG looked into the "inappropriate access and display" of rider geolocation information. During the course of the investigation, Uber eliminated the use of personal information from God View and agreed to make changes to its policies and practices with regard to data security.
Going forward, the company will maintain and store GPS-based location information in a password-protected environment and encrypt the data in transit. Access to the aerial-view system will be limited to designated employees with a legitimate business purpose. The policy will be enforced by technical access controls and through a formal authorization and approval process.
More generally, Uber will designate at least one employee to coordinate and supervise its privacy and security program and conduct annual employee training for workers responsible for handling private information. Protective technologies for the storage, access, and transfer of private information—with credentials required for access—will be added, with regular assessments of the effectiveness of the company's data security measures.
In a separate agreement with Schneiderman's office, the company will pay a $20,000 fine for failing to report a data breach in a timely manner. New York General Business Law Section 899-aa mandates that businesses provide notice of a breach "in the most expedient time possible and without reasonable delay." But Uber waited until February 26, 2015 to share with affected drivers and the AG's office that it discovered a breach in September 2014. A company engineer posted an access ID on a site accessible to the general public and an unaffiliated third party accessed the database, which contained information including Uber driver names and driver's license numbers.
Why it matters: The Federal Trade Commission isn't the only privacy regulator in town. State Attorneys General are increasingly turning their attention to data security issues, as demonstrated by the New York AG's actions. "This settlement protects the personal information of Uber riders from potential abuse by company executives and staff, including the real-time locations of riders in an Uber vehicle," Schneiderman said in a statement about the deals. "We are committed to protecting the privacy of consumers and customers of any product in New York State, as well as that of employees of any company operating here. I strongly encourage all technology companies to regularly review and amend their own policies and procedures to better protect their customers' and employees' private information."