Uber has had a rough ride when it comes to data privacy and security. In 2014, a security breach resulted over 100,000 driver names and license numbers being hacked. Then, in 2015, Uber was fined $20,000 after an investigation by the New York Attorney General into charges that company executives used an internal aerial tracking tool, referred to as the "God View," that displayed the personal information of Uber passengers. This violated Uber's assertion that "all employees at every level" were prohibited from viewing the personal information of drivers and passengers (except where necessary for legitimate business purposes). Now, the car service has settled with the Federal Trade Commission (FTC) over allegations relating to Uber's privacy and data security practices, agreeing to implement a detailed written program and to test it through third party audits for 20 years.
In its complaint, the FTC alleged that:
- Uber did not continuously monitor and audit its employees' access to the personal information of both Rider and Driver accounts since November 2014. The FTC's order broadly defines personal information as "individually identifiable information collected or received, directly or indirectly" by the company about consumers, including name, address, email, telephone number, Social Security number, driver's license, bank account number; personal identifiers used on devices, and "precise geo-location data of an individual or mobile device, including GPS-based, WiFi-based, or cell-based location information."
- Uber failed to follow up on automated alerts concerning the potential misuse of consumer personal information, and for approximately six months, only monitored access to account information belonging to select internal high-profile users, such as Uber executives.
- Customer service personnel hyped the strength of Uber's security practices when talking to consumers, including claiming that personal information "will be stored safely and used only for purposes you've authorized." However, the company failed to take reasonable steps to prevent access to driver and passenger personal information by Uber employees, and allowed multiple employees to use a single key that provided broad administrative access to files of sensitive personal information.
Pursuant to the terms of the settlement, Uber must refrain from making any misrepresentation about the quality and level of its privacy and data security practices. In addition, the company must implement and maintain a comprehensive privacy program that protects the personal information of drivers and passengers and addresses "privacy risks related to the development and management of new and existing products and services for consumers." Uber will be required to undergo third-party audits of its privacy program initially and biennially, using individuals with at least three years of experience who are approved by FTC staff. Uber must also keep detailed accounting, personnel, and consumer complaint records for the next 20 years, plus all underlying records relied upon to prepare the independent assessments for three years, and all records demonstrating non-compliance with the order for 5 years.
Acting FTC Chairman Maureen Ohlhausen said, "Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees' access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data. Even if you're a fast-growing company, you can't leave consumers behind: you must honor your privacy and security promises."
The Uber order adds to a growing body of consent agreements involving alleged privacy and security lapses. The proposed consent order will be subject to public comment for 30 days (until September 15, 2017), and comments may be submitted electronically here.