The advice we always give to clients regarding privacy policies is: “say what you do and do what you say.” It seems simple, but simplicity can be deceiving. Companies want to reassure consumers that their personal data is safe and secure; however, in today’s world, no one can make fail-safe representations of security. Uber’s recent settlement with the FTC illustrates this problem.
Uber claimed in privacy policies and statements that it “closely” monitored internal access to consumers’ personal information on an ongoing basis and provided “reasonable” security for consumers’ personal information stored in its databases. Uber stated that “we use standard, industry-wide commercially reasonable security practices”; “we use the most up to date technology”; “we’re extra vigilant in protecting all private and personal information”; and “all your personal information… is kept secure and encrypted to the highest security standards available.”
The FTC alleged that Uber violated Section 5 of the FTC Act by failing to live up to these statements. For example, the FTC claimed that Uber did not take reasonable measures to prevent a data breach: Uber did not implement basic access controls, such as multi-factor authentication, to safeguard data stored in the cloud, and it failed to encrypt certain consumer personal information, storing it instead in plain readable text. Even though Uber claimed to use the best technology available to protect consumer data, the FTC alleged that Uber failed to take certain low-cost measures that could have helped prevent a data breach. And while Uber at one point developed an automated system for monitoring access to consumer personal information, the FTC said the company stopped using this system and rarely monitored internal access to personal information. As a result of Uber’s failure to comply with its privacy statements, the company suffered a data breach and an intruder was able to access consumers’ personal information.