An expanded settlement by the Federal Trade Commission with ride-sharing giant Uber Technologies should serve as a lesson to other businesses about what happens when a company fails to disclose a data breach during an ongoing agency investigation.
The settlement comes after the agency learned that Uber did not disclose a 2016 breach that affected nearly 57 million riders. Although it does not impose monetary fines, Uber could face civil penalties if it does not comply with the settlement.
And for the first time in a data security-related agency settlement, the FTC has required Uber to provide it with notice of any future data security breaches for the next 20 years if consumer data is “reasonably believed” to have been subject to unauthorized access.
The FTC’s initial settlement decree with Uber – reached in August 2017 – dealt with a 2014 breach of its cloud storage after an engineer publicly posted an access key on GitHub, a code-sharing site popular with software developers. The FTC then charged that Uber’s practices failed to provide reasonable security. In particular, the FTC identified as problematic Uber’s failures to (1) require programs and engineers who access the cloud service to use distinct access keys, (2) restrict access to systems based on job functions, and (3) require multi-factor authentication for access to the cloud service.
But before the FTC issued the consent order in final form, it learned that Uber had failed to disclose the 2016 breach.
In the revised complaint issued last week, the FTC alleges that Uber learned in November 2016 that intruders had once again gained access to consumer data on Uber’s third-party cloud provider’s servers by using an access key an Uber engineer had posted on a code-sharing website. Despite the pendency of the FTC’s investigation, Uber did not notify the FTC of this breach until November 2017.
In its new proposed settlement, the FTC has negotiated for an even tighter leash on Uber going forward. Uber must submit to the FTC all reports from the required third-party audits of its privacy program, rather than only the initial report. In addition, certain recordkeeping requirements have been extended from three to five years, and Uber must also provide all copies of subpoenas and other communications with law enforcement related to compliance with the order, as well as all records that call into question Uber’s compliance with the order. Uber also must retain certain records related to bug bounty reports regarding vulnerabilities that relate to potential or actual unauthorized access to consumer data.
In addition, the new order requires Uber to specifically address (1) secure software design, development, and testing, including access key management and secure cloud storage; (2) how Uber reviews and responds to third-party security vulnerability reports, including its bug bounty program; and (3) prevention, detection, and response to attacks, intrusions, or systems failures.